If Security is All Around Us, Why Isn’t It Working?
Security is all around us. We have firewalls, VPNs, encryption and policies. Yet it still seems that millions, and in some cases billions, of records (our information, our documents, our money and our private details) are stolen from so-called secure systems.
I believe that the reason for this is very simple. Security has become a buzzword. “Yes of course our systems are secure;” “We use the latest security systems;” “We employ the most up to date security systems and policies” …
In these cases, the word security has been used as an excuse not to go into details or to throw off blame and recrimination. Yahoo sent this sentence to its users after its breach announcements, “We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.” What does it mean? “We continuously …”
So there is continuous monitoring, yet it would still seem that up to 1 billion records have been stolen?
It is time for a change. Security needs to be taken seriously, not used as a funding mechanism or as a word that corporations can use to try to shift responsibility to someone else when a theft of data happens. Yes, theft of data. Let’s stop talking about hacks and hackers. In my lifetime this word has had different meanings, from a general reporter, to a kid in his bedroom having fun, to statewide intrusions into systems. Let’s start talking about these attacks as theft: theft of our data, our money and our privacy.
Security systems need to come up to scratch. Firewalls help, but they are poor defenses against theft that arises from an internal source. Database encryption is only as good as the administrators of the database. And password hashing? Let it just stop being used. In today’s climate, we need systems in place that are more dynamic in nature. These systems need to change automatically with each call, and they need to be able to react to situations, much like an immunization against TB can react when the real TB bacteria enter the body. An immunization against a disease is not there to stop a bacterium entering your body; rather, once the bacterium is in, the immunization renders it useless without disrupting the body’s ability to carry on. It is up to you to try to stop the disease in the first place. That is where firewalls and policies have a role. But today we also need the immunization program, one that creates systems that can protect our data from within: a system that does not hinder the role of the system even under an attack, and one that renders the information useless to all but those who are authorized to view it.
Security needs to become more dynamic in its role within the enterprise. We in the industry need to start redefining how security is seen, and more importantly, how security WORKS.
What does this have to do with SAP (and any of the tags specifically) and why did you decide to post this on SCN? Or at all? Your answer to "why" is basically "because everyone just talks about security but does not take it seriously". But how did you arrive at this conclusion? There is no evidence of any kind mentioned to support your point of view and no personal experience shared.
"Security needs...". OK, but how? Do you want to tell us about some new trends or developments in the security technologies? This is nothing more than "more intensity, more cowbell" proclamation.
There are many blogs on SCN with guidance on how to write better blogs. You might want to look them up. This is just not good at all, sorry.
Let me see if I can answer these questions.
Why on SCN? Because our software runs on HCP. Where needed, with HANA in the background. As an SAP partner selling and integrating into SAP products, where better?
How did I arrive at the conclusion? By looking at the responses of organizations when they have had an attack and also at organizations prior to them being attacked. Security is, in my opinion (yes, it is an opinion), placed very low down on people's to-do lists.
I am sorry this blog was not up to your standards, maybe my next one will be.
Google "build better blog site:sap.com". Your previous blogs have no likes or comments, so it's likely not just "my standards".