North American Network Operators Group


Re: The view from the other side of the fence

  • From: batz
  • Date: Wed Mar 13 15:10:13 2002

On Wed, 13 Mar 2002, Sean Donelan wrote:

:With convergence, do you think we will get the best security practices
:from both worlds, or the worst?

Most organizations' security policies have grown organically, or by
precedent, as opposed to being 'architected'.

When convergence occurs, the company with the most existing security 
infrastructure 'wins'. By this I mean their practices are adopted 
by the less organized one. 

Also, I have seen some very elaborate, enterprise-wide free software security
solutions that were technically elegant, and very robust, but they were
swept aside because the owners of these systems could not adequately
communicate their business value.

It has been my observation that convergence doesn't relate so much to the
integration of technologies to provide new services, as it does the
rationalization of differing business models into new ones.

From a big picture security perspective, the security challenges of
a convergence between a telco and a satellite TV company aren't as much
about integrating the various networking technologies and exposing
ground station computers to the Internet, as they would be about
DRM, fraud mitigation, subscriber privacy and infrastructure protection.

The reason I'm mentioning this is because I have heard some security people
talking about the problems with IP gateways to the PSTN, which is 
legitimately frightening to many, but the issue isn't about what will
happen when some PBX manufacturer puts an IP stack and an ethernet card
in their product without doing security QA testing. 

It is about whether the traditional telecom security models that look a lot
like corporate IT, where network people don't touch servers, and vice versa,
will work when the line blurs between the network and the application.

In corporate IT, I am one of those "Internet guys" that thinks he
can manage systems _and_ networks, which is like saying to me that I 
play both kinds of music, country _and_ western. 

Worst case scenario, we get Kafkaesque bureaucracy with no standards or
procedures. Best case, we get a hybrid of strong, auditable and enforceable
policy, with an understanding of the systems and networks as a single
service as presented to the customer.

So, as for whether we will see better or worse security policy,
I can guarantee we will see the most cost-effective solutions,
meeting the minimum legal requirements, which serve customers' needs,
and improve overall ROI for stakeholders.

In other words, not much will change by virtue of convergence alone.
It will take education, possibly regulation, and market incentives to
create better security policy, and I think these things are independent
of the features of new technologies.