Quotes of the week
Posted Oct 7, 2007 1:22 UTC (Sun) by
jschrod (subscriber, #1646)
In reply to:
Quotes of the week by nix
Parent article:
Quotes of the week
Actually, working 12+ years as a security professional (as an example, I designed the security policy for the external network interfaces of the European Central Bank), I think Ted is completely right. Security is a process, and he is partly right to cite threat models.
For my work at many financial institutions, MAC models are needed, and SELinux is a nice tool there to formulate resource access policies as needed. But in many (actually, more) cases, MAC is overshoot, and - likewise - formulation and maintenance of fine-grained SELinux policies cost too much to yield appropriate return in terms of risk mitigation. And that's what IT security policies are concerned with, risk mitigation, not threat prevention.
IT security is about money, and not about some abstract program behaviour. And if security costs too much, it's not worth it. (Actually, that's a general statement, beyond IT security, its truth demonstrated by the last few years of US foreign and interior policy.) IT security is a means, not an end in itself. This is forgotten much too often.