Quotes of the week

Posted Oct 7, 2007 1:22 UTC (Sun) by jschrod (subscriber, #1646)
In reply to: Quotes of the week by nix
Parent article: Quotes of the week

Actually, working 12+ years as a security professional (as an example, I designed the security policy for the external network interfaces of the European Central Bank), I think Ted is completely right. Security is a process, and he is partly right to cite threat models.

For my work at many financial institutions, MAC models are needed, and SELinux is a nice tool there to formulate resource access policies as needed. But in many (actually, more) cases, MAC is overshoot, and - likewise - formulation and maintenance of fine-grained SELinux policies cost too much to yield appropriate return in terms of risk mitigation. And that's what IT security policies are concerned with, risk mitigation, not threat prevention.

IT security is about money, and not about some abstract program behaviour. And if security costs too much, it's not worth it. (Actually, that's a general statement, beyond IT security, its truth demonstrated by the last few years of US foreign and interior policy.) IT security is a means, not an end in itself. This is forgotten much too often.


Quotes of the week

Posted Oct 8, 2007 19:55 UTC (Mon) by nix (subscriber, #2304)

Of course I agree. (I didn't think I'd have to wave a sarcasm flag here.)

Quotes of the week

Posted Oct 8, 2007 23:40 UTC (Mon) by jschrod (subscriber, #1646)

Well, at least I misread your statement. You might want to keep in mind that many readers here are not native speakers. If you express sarcasm with subtle hints, it might not be understood by us. A smiley here and then works wonders. ;-)

Cheers, Joachim

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds