Cyber Eye: Take a tip on unobtrusive security
As I checked out of the hotel after a security conference last month in Las Vegas, the clerk noted my address and remarked what a nice city Washington is.
'Yes,' I said, 'but it's good to get away from the security there for a few days.'
That was a strange thing to say in Vegas, whose casinos are among the most security-conscious places in the country. I've watched enough TV to know what goes on behind the scenes. Beefy guys sit at monitors fed by cameras that cover every square foot of the casinos and, for all I know, the hotel rooms. Facial-recognition software picks up suspected sharpsters at the door, and anyone who wins too regularly is likely to meet the beefy guys.
'Security isn't so intrusive here,' I told the clerk. There are no security checkpoints and no flak-jacketed troopers carrying machine guns. The few armed guards look like retirees supplementing their pensions.
True, the casinos are as confusing to navigate as a Microsoft Corp. Web site, and it can be just as tough to find an exit as it is to find the latest Windows security patch you need to download. That's intentional.
To hazard a metaphor, Vegas casinos are a good example of the way cybersecurity ought to be done. Security there does not interfere with functionality; it is incorporated into the functionality, built in from the first day of design. Faux marble and volcanoes can be added later, but security comes first.
It's true that a casino is something of a limited-use system, more like a mainframe than the client-server architecture with which most administrators must work. But the lesson still applies. If security is built in at the start and configuration carefully managed, it does not interfere.
The government has begun to recognize this, requiring security plans in all new systems designs. Software developers and application vendors are beginning to understand, too, and are integrating security more tightly into their products. But the trend is far from universal. There's no agreement on just what level of security is needed for a given product, or how to distinguish between a vulnerability and a feature.
Of course, it's easier when you start with a clean slate, but most administrators and security officers inherit heterogeneous systems with legacy elements built out as needed and no master plan.
Users seldom follow the rules as meekly as gamblers kept happy with complimentary alcohol. Someone who would never think of taking his own dice or deck of cards into a casino might think nothing of installing his own modem or wireless access point on an agency network.
But the Vegas casinos do prove that unobtrusive security is possible. Maybe it would help if our desktop clients paid off every once in a while.