Good Enough Security
About six weeks ago I was once again hit with arguments showing that people think of security as black and white: you are either secure or you are not. Security is not, and has never been, a binary decision. There are many factors to consider, all of which should be rooted in what you need to accomplish with the systems, the threats they are subject to, and whether the mitigation is less palatable than the risk itself. Having the incredible luxury to do so, I wrote a column on it. The column is entitled Microsoft Small Business Server and Security: It's All About Risk Management! and came out in the Microsoft Security Newsletter today. While I use Small Business Server as the example, as the title says, it is all about risk management!
Enjoy!
Comments
- Anonymous
December 14, 2005
Hello Jesper,
I totally agree that security is all about risk management. However, I don't think it is valid to say that you have to trade security against costs in the case of SMB. The fact that you can install all the software modules of SMB only on a single system is a pretty artificial restriction by MS. If MS decided to offer small businesses the same features with increased security, it would be no problem to allow an installation including a public-facing host (ISA, IIS) and a private one (SQL, files), or even a 3-system configuration.
This might not be an option for a small shop with 3 PCs, but it is for sure no problem in a 20-seat office.
That said, I am very much in favor of a heterogeneous approach to layered security (i.e. non-Microsoft firewall mixed with Microsoft backends, or vice versa). With the boom of appliances, this is not a big deal, anyway.
Regards
Bernd
- Anonymous
December 15, 2005
Bernd, that is exactly what I am saying though. If you disregard the artificial licensing restriction on breaking apart SBS, doing so would require more computers (costs extra money), additional management processes (adds complexity and cost), and additional people resources (more cost). Right there is your cost v. security v. usefulness tradeoff.
- Anonymous
December 15, 2005
Jesper,
I just recently found your blog. I watched your TechEd Australia presentation that is in the listening room on the website for your book. I have not read the book (yet). I want to commend you for your message!
Until just recently, I worked for a small Microsoft Partner that served mostly small businesses. I co-founded the company and worked with our clients daily for the last 7 years. The points you make in this article concerning SBS are very relevant. It is sooo refreshing to hear a common sense approach to security (especially from MS). Over the years, I have had to implement many "trade-offs" for small companies simply because the cost of a "highly secure" solution was simply too much. I often felt an odd sense of guilt about this because of all the hype. Your information has given me a new confidence in how I look at security.
In September, I started a new position with a local insurance agency. Good insurance agencies help their clients manage risk, so the concepts you talk about are very familiar to the business. However, as I talk with others in this industry, I have seen evidence that they too have been deceived by all the security rhetoric going on in the technical community. I hope I can bring a balanced approach to my new organization.
Again, I just want to say that it is so great to hear an intelligent and thoughtful approach, one that balances security with usefulness and cost. We certainly don't want to blindly go down the road believing we are secure when we are not, but we also need to realize it is impossible to be 100% secure and still have a productive network. As you stated, the key is intelligent risk management.
Thanks for your work!
Jeff
- Anonymous
December 17, 2005
Jeff, THANKS!
<blush>
- Anonymous
December 18, 2005
The comment has been removed
- Anonymous
December 19, 2005
That's sobering data, Jonathan. It really is.
I still stand by the statement, if you consider a slight explanation. They are not targeting a specific small business the way they would target, say, Microsoft, or the Pentagon. The attackers are opportunistic; they will take over what they can, steal what seems useful, and then move on. That is a different type of attack than what you see on very large, very tempting networks.
The data is clear though. We all need to be vigilant, and we need to protect our assets in ways that make sense depending on the assets.