01 October 2009

Hatred is not a viable network security mechanism



Twitter was one of the topics at the recent Forrester Security Forum. As related by Rob Whiteley, Twitter was roundly condemned by the security luminaries present, including Marcus Ranum and Hord Tipton (former CIO of the Dept of the Interior):
"On day one, there was loud, thunderous applause when Marcus mentioned that he is adamantly against Twitter. This was repeated on day two when Hord mentioned he, too, didn’t see the value in Twitter."
I understand where Marcus and Hord are coming from. Twitter is a new potential threat vector and a new potential data leakage point. What are these gentlemen to do -- say they are in favor of threats and data leakage? They really have no choice but to proclaim they don't like Twitter from a security point of view.

But come now. Robert Westervelt frames the issue clearly when he writes: "standing in the way of innovation is not the goal of security". Twitter (it seems almost shocking to say) is nothing new. Twitter is the web. Twitter is text messages. Twitter is the telephone. Sure, the under-the-hood details are different. That's tractable with current security technologies. In the long run, it may not be Twitter itself that's successful. It may be Facebook, it may be Nixle, it may be something else altogether. Successful and useful applications come along, people start using them, then along the way they become mainstream applications.

CISOs need to decide for themselves what's acceptable and what's not. Surely they can choose to block applications like Twitter if they are compelled to. They do need to consider a couple of questions along the way:

1) Where along the spectrum between total lockdown and total employee freedom are you? Unless you're in certain specialized industries, total lockdown is a choice that brings down employee satisfaction. Employee dissatisfaction can lead to security breaches too!

2) Can you really block these things? The security perimeter is rapidly vanishing, and in fact is flickering in and out of existence. You probably can't block these things on the network -- and with ubiquitous personally-owned mobile devices, you can't even block these things on the client.

So don't hate on Twitter and its siblings. If you can instead learn to embrace them in a managed and manageable way, your company might stay innovative and your employees might stay happy.