Don't do the crime if you can't do the time

Things have been slow on the e-mail front lately, so I'll dive into a closely related topic: security. Don't despair, the lessons apply to e-mail as well!

I was having lunch with a fellow consultant the other day, and I was bemoaning the experience I'm having with a current client. They need an Internet firewall, but they don't know how to pick the right firewall. The first pass by the client's IT staff looks like a laundry list, something out of a Network World Buyer's Guide: does it proxy Gopher? Can it roll the logs? Will it turn handstands if requested? Filling out such a list is the worst sort of busy-work because it focuses the mind on features rather than on whether the firewall is right for the client.

The laundry list has over 100 items on it, and they want you to fill it out for 8 different firewalls. If they were as thorough as a Network World review, that would mean at least 60 hours dumped into the exercise of filling out a big spreadsheet. Unfortunately, that's busy-work, and largely irrelevant to the process of selecting a firewall---unless it turns out that there is some vital aspect of corporate security that actually does require a full-featured Gopher proxy. More importantly, it ignores all quality issues: yes, all firewalls have a graphical user interface (GUI). But is the GUI well designed?

In the case of the laundry list, it is likely that the answer to 90% of the items will be "yes" for all 8 firewalls---since the vendors have long since learned that magazines love laundry lists and having more check-boxes is always better. So it's only important, from the laundry list point of view, whether the firewall can "log all access, successful or not." However, from the network manager point of view, it's vitally important whether those logs are easy to read and scan, and if they contain useful information or just a bunch of chaff.

Of course, the only way you'll learn that is by actually using the firewall, day in and day out, for a long period of time. How well a firewall works is not determined by the laundry list at all, but by how well it matches the organization's needs and resources.

And that brought me back to our standard methodology. First, write a security policy, then match the requirements of the policy, the style of the organization, the staff, the resources and the local market to what is available. Finally, in the last stage, take 2 or 3 finalists and make sure that each can implement the security policy of the organization (a short version of the laundry list).

So this brings me back to my older and wiser friend. When he heard this story of woe, he asked a simple question: How many firewall selections had I done where the client had actually followed the recommended methodology of starting with a security policy? I had to think about it for a bit, and was surprised at my own answer: none. He nodded. "Not unusual." And then he launched into his own story, with the same plot, but with all the names changed to protect the guilty.

The problem is that writing a security policy is hard, while filling out a laundry list, although time consuming, is not. Security policies actually require people throughout the organization to agree on things, and that rarely happens. Security policies also have non-IT repercussions, so they require the IT staff to explain the issues and consequences to folks such as Human Resources and Corporate Counsel. And here's where the client is stuck; busy work over hard work, short cuts over doing it right. I'm not sure whether we'll be able to steer them right, although I'm sure going to try.

Next time we'll stray even further afield from messaging with my own resource kit for writing a security policy.

(For those of you who are still confused about seeing this in the messaging and groupware newsletter, just substitute "e-mail system" for "firewall" and "system requirements definition" for "security policy" everywhere and you'll see the picture more clearly.)

Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Arizona. He spends most of his time on the road helping people build larger, faster, better, and more reliable networks. His professional travels have taken him from San Francisco to St. Petersburg, where he always carries his trusty Macintosh and modem, neither of which has a cute name. He is also a member of the Network World Test Alliance and writes extensively on networking topics. Reach him at joel.snyder@opus1.com.

RELATED LINKS

A Buyer's Guide to Firewalls
Network World, 6/1/98

Network World Fusion Focus: Secure e-mail for corporate lawyers
Network World Fusion, 9/22/98

Security Net Resources: primers and more
Network World Fusion

Archive of Network World on Groupware and Messaging newsletters