Are You Secure?

I was commenting on the seeming madness and complexity of our work firewall design recently:

We just drew a network diagram on the wall of just our firewalls, 12’ wide, 6’ tall… at the end, I jumped up and yelled “THE ARISTOCRATS”. Seemed required.

And someone asked “are you secure?”. Now, I could go with what we tell management - that we’re as secure as budgets allow - or a variety of other answers. This time, full objective honesty seemed to rule.

*yaleman*: nope, but we have a lot of firewalls
*yaleman*: "secure" would be turn it all off and then burn it, then put it in concrete, and fire it into the sun
*yaleman*: anything less than that, we do what we can to save people from themselves, and from the outside world.
*classicsnail*: aliens might intercept it on the way and you wouldn't know
*yaleman*: perzactly, there's people and things made by people

Because to be honest, putting a bow on it and calling something secure ignores the fact that the hardware, software and the people that use them are all imperfect. Large systems are insecure due to their physical layout, and a host of other reasons.

When you realise that, you either go mad, or you accept that you can only do what you can with what you have.

