Found another interesting post by Chad Perrin regarding security. In his post at http://blogs.techrepublic.com.com/security/?p=456&tag=nl.e036, he notes that at the recent Interop conference in Las Vegas, Joshua Corman (mentioned in an earlier post in my blog) said that security had gone past the point where you can do it yourself.
As a Microsoft security consultant, I was certainly happy to hear that. Since security apparently has progressed past the point where customers can manage it themselves, they will, of course, need me to take care of installing, configuring, managing and monitoring their security infrastructure. I can hear the "cha-ching!" going off in my head just thinking about the prospects.
However, I have a conscience and I also don't like to do my customers a disservice. The fact is that while they can bring me in as a security consultant, my job is to teach them how to do their own security. This is for them, not for me. What if I were hit by a car? What if I were being blackmailed by a terrorist who wanted me to compromise my customer's network? What if I developed a gambling problem and needed some extra cash to pay the bookies?
The fact is that each customer has to be responsible for his own security. When they bring me in, I make them aware of the security issues in the environment, show them where things are set up incorrectly, and show them how to fix them. Most importantly, I try to educate my customers on each of the issues I discover, so that they will be able to find them on their own in the future and not make the same mistakes again. They are always welcome to invite me back for more advice and consent, but I will not take responsibility for their security, not because I don't want the money, but because they expose their attack surface by turning over that responsibility to me.
Security is hard, but so is everything else until you know how to do it. That's what the education is all about. And there are also new tools that help make security easier for everyone. For companies who are serious about security, but want it to be approachable and relatively easy to configure, manage and monitor, you can't do much better than the Microsoft Forefront family of security products. Using Forefront family products, they can secure:
- The edge of the network, using the ISA firewall and next year, using the Forefront TMG firewall
- The Exchange mail servers, using Forefront Security for Exchange
- The SharePoint servers, using Forefront Security for SharePoint
- The clients and servers, using the enterprise anti-malware product, Forefront Client Security
- Remote access connections to all servers and services, using the Forefront Intelligent Application Gateway (IAG) and next year, the Forefront Unified Access Gateway (Forefront UAG)
- Integrating security and creating a dynamic security response policy using the upcoming Forefront "Stirling" product
This collection of products makes it easy for businesses of all sizes to manage their remote access, edge, client and server security. And while Forefront isn't all there is to securing a network, it does make the task a lot easier, and makes it realistic that the customer can manage his own security, without being wholly dependent on a security consultant or firm to manage the security infrastructure.
Thomas W Shinder, M.D.
MVP - Microsoft Firewalls (ISA)