Slashdot Mirror
Vendors Say Data Protection Software Too Complicated To Use
jfruhlinger writes "With a series of major data breaches over the past few months, you'd think more and more companies would be investing in data protection software, which can help keep data secure even on systems that have been compromised. Unfortunately, even organizations that have paid good money for this software often don't use it, because, as one of the vendors admits, it's often too complicated to use."
Am I the only one who read this as: It's too complicated for the entry level IT guys we hire to use....
These things come and go in the security market faster than you can believe. The problem isn't the lack of need, it's that the security software market is a "me too" market filled with companies cranking out software that has the latest buzzwords. In the security industry, everyone just copies everyone's fad else instead of innovating and trying to find a more elegant solution to the underlying problem.
But it doesn't matter anyway, since these companies all target the suits instead of the IT folks. The suits will just buy whatever product sounds nice without consulting the people who will use or administer it. There's effectively no interaction between the vendors and their user-base. /rant
There's no -1 for "I don't get it."
The quality of IT people I have worked with over the last 12 years has slowly degraded over time. We are at the point now where "sysadmins" have the skills that a helpdesk person had 10 years ago. I think there is just so much demand that you have to pay more than companies are willing to spend to get a quality sysadmin or network admin type of IT guy.
Well designed software is easy to use.
Did you RTFA? This isn't Donkey Kong Jr. we're talking about here. DLP software, while extremely sophisticated, isn't that hard to use - What's difficult is the requirement for a company to create business policies that define what data is critical and what isn't. If you turn the alerts up too high, end-users and IT security are bombarded by noise and warnings, making the system useless. If you turn the alerts down too low, then you run the risk of data leakage.
Hello, I see that you are trying to encrypt and backup your customer data....
No, what it means is that a lot of responsibility that IT managers (and higher) are given, such as ensuring that confidential data is kept confidential, is either too hard for them, takes too much time or they are simply incompetent to fulful that role. I don't mean technically - it isn't just an IT managers role to tick the right boxes in a menu, I mean if THEIR managers are unwilling to spend the time, money and effort on their own, then it falls to the person to convince them of the need to do so.
Moved to http://soylentnews.org/. You are invited to join us too!
You can't just pile software on top of a broken system/design and magically have everything secure.
What surprises me in all this is that the banks are *not* jumping all over these companies for exposing consumer credit card information - whatever happened to PCI Compliance?
Did you RTFA? This isn't Donkey Kong Jr. we're talking about here. DLP software, while extremely sophisticated, isn't that hard to use - What's difficult is the requirement for a company to create business policies that define what data is critical and what isn't. If you turn the alerts up too high, end-users and IT security are bombarded by noise and warnings, making the system useless. If you turn the alerts down too low, then you run the risk of data leakage.
WOW, that's funny how it suddenly becomes a business problem when this software shows up! A sane person would reason, if the software invented this problem, the software should fix it!
Christ, we're supposed to be SOLVING problems with computers!
This reminds me of enterprise backup implementations and shaking down non-IT organizations for data retention policies. Like it's their job to analyze the risks of [not] having snapshots of their data from arbitrary points in time other than YESTERDAY.
These both clearly map to the real world and are not entirely an invention of IT folks right??
In other words, alot of enterprise software is poorly designed.
Well designed software is easy to use.
I would't call ERP software (like SAP or Oracle financials) poorly designed, however setting up an installation up also takes years.
Looking into the specific differences between an ERP and DLP system may offer some explanation how come configuring an ERP is budgeted/paid for by the company while a DLP isn't.
1. Without an ERP, the guys that have the final say in approving a budget cannot work (CFO is blind): the impact is immediate and obvious. Without DLP, not so.
2. Even more, a ill-configured DLP (or even a well-configured one) is restrictive for all the users - sociopathic managers included - do I need to say more?.
3. Moreover, even if both of the system are in the "support for the process" category (not inherently on the direct line that gets income to the company), the ERP is "operational cost" (need it every day) while a DLP is a "risk prevention cost" (money someone will pay for "just in case").
Risk management is more specialized, more complicated and requiring more imagination than financial management: the difference between "how and what can go wrong in various and possibly obscure points of my business? Who would benefit of something going wrong for me; who's the possible attacker?" and "How much was spend and what revenue you think you'll get in the next FQ or FY from this-and-that well-known market segments"?
One on top of the other, the CEO/CFO and the minions will need to leave their mental-warm-and-comfy-place to understand the need for a well-configured DLP and approve/pay-for a 1-2 years contract with a specialized team of contractors to set the security systems (DLP included) in place. Its akin requesting an accountant to show imagination - an almost oxymoronic concept.
That until something extremely bad happens (think Sony)...
Questions raise, answers kill. Raise questions to stay alive.
The article is about a quote from a marketing mouth from a single vendor, Check Point, who made a sound bite about how hard DLP is to use. And, just by coincidence, they're announcing a security product that is easy to use!
I have never seen enterprise software that is easy to use. Almost all of it requires consultants of professional services to get it set up. That's because every corporation is unique with unique requirements and the software requires customization and integration.
fucking idiots. And the worst part is they reproduce.
I know what you mean. Then they eventually browse their way to /. and make comments as an AC.
It's weird that this article shows up - I've got the "Ads Disabled" option checked...
It's not that enterprise users are dumb, it's that they care about their actual job, not some crappy software (OK, some of them are also dumb).
Socialism: a lie told by totalitarians and believed by fools.
The main emphasis in big business is to climb the corporate ladder, buy stuff from vendors you get kickbacks from,
So which vendors are these? I'm apparently doing it wrong....
that wasn't the point. the point is the gp was acting all smug like running linux instantly makes him more secure/suprior.
In the past decade i've dealt with many hacked machines, and they haven't all been windows. An idiotic enough user will result in any system being compromised. Which was the GP's point.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Over the past 23 years I have also seen how large corporations manage their IT departments and I have seen quite a few competent IT managers that have actual development experience in their backgrounds. I have also not seen any evidence of kickbacks from vendors being SOP as you stated. Contrary to popular belief there are some corporations that do support and manage their IT departments policy, intelligent hiring practices, and well thought out procedures. Trying to reconcile the IT data handling requirements with the business data requirements can be difficult. Just like the parent in this thread said it can be a fine line between securing data while also providing access.
Saying software is "Too complicated" is usually a cop-out by the users and the managers that are involved in purchase and/or use of that software. Most backup software while sophisticated is fairly user friendly however many managers don't really know (or care?) what is really required to set-up a backup and recovery solution.
On of the problems with setting up a reliable IT disaster recovery solution (I will stick to backup and recovery here) is for management to decide on the requirements. The most common solutions are basic spot and full recovery which could include multi petabytes of data and what could called base metal recovery in that only the basic OS is recovered after a system disk failure. Yes many companies still don't mirror their system disks although system disk or even data disk mirroring does not prevent deliberate or accidental corruption. Both of these backup and recovery techniques may require different software and this needs to be taken into account.
Another aspect of backup and recovery is on-site, near-site and off-site storage of backup media with costs varying from a few hundred dollars to millions of dollars.
Even after careful backup and recovery design you still need to test the recovery otherwise the company may be extremely embarrassed when a failure occurs. I have actually seen backup software that was configured to back up all the database infrastructure but failed to actually backup the database so that when the hard disk containing the data failed the company lost all its database which proved to be very costly. The person concerned with implementing the backup never tested a recovery which would have immediately shown that he had failed to include the database data in his backup software. I am quite sure many people here can come up with more horror stories of this nature.
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
http://hyperboleandahalf.blogspot.com/2010/04/alot-is-better-than-you-at-everything.html
Dilbert RSS feed
We just finished royally screwing up a database project. The database is mostly worthless because it assumes a set of non-existent processes. The business unit demanding the new database wanted better processes in place. But wouldn't define them. So the programmers had to put something in, and programmers who don't know what our business is have now defined our business processes (and poorly, of course) because the people demanding the magical database be built that fixes all their problems couldn't even be arsed to define what their problems were.
It's like having recipe software which you put recipes in, along with cooking instructions, and a robot makes the item. Then, once you have all the ingredients in, you realize you didn't have any cooking instructions. So you complain that the software doesn't have default cooking instructions programmed in that would just magically make cookies or cupcakes without you having to do all that extra work.
The problem isn't the software. It couldn't be any more user friendly. Just tell it what you want, and poof, it will pop right out. The problem is that the users can't be bothered figuring out what they want, so the software is at fault.
Learn to love Alaska
And enterprise users are dumb. It's a bad combination.
No, many users only do what they are told and in the majority of cases the blame rests firmly with the managers. In the enterprise managers like to "de-skill" users (Management 101) by placing them into restricted rolls. Some Managers hate professional people since these people are usually multi-skilled and leave if they are forced down a narrow skill path. The consequence of de-skilling is you end up with people who are poorly trained, but of course Management covers itself by stating that the users are not skilled enough and more training is needed so after that training those people who are a little smarter leave for better pay and conditions and so the circle repeats itself.
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
"If you don't give me a spec, whatever I give you meets spec."
say it, mean it and give em a lot of shit when they balk at the end result. Next time, they find time for the non coding parts of the SDLC.
Read "What To Do if Compromised", the official instructions for merchants who accept VISA cards. Sony is clearly doing some of the things VISA requires: "Do not access or alter compromised systems, i.e. don't log on at all to the compromised systems. ... Do not turn systems off. Isolate compromised systems from the network ..." Then they have to call the VISA Incident Response Manager, and the full list of compromised cards has to go to VISA, which parcels it out to the issuing banks for card cancellations and reissues.
VISA has the contractual right to send in a forensics team. VISA will assess fines up to $500,000 if VISA's security requirements haven't been met. If compromised data includes PIN numbers for debit cards, or CVV2 data for credit cards, which merchants aren't supposed to store at all, VISA sends in a Qualified Security Assessor. They check that the systems are no longer storing that data, and that all historical data of that type has been erased, before they go back on line.
Now it's clear why Sony is off line. Their actions look like what happens when a major debit card breach occurs and VISA sends in the forensics and security teams.
So there's your answer when management doesn't want to have proper security on credit card data. VISA can and will shut temporarily down your ability to accept payments. You'll have law enforcement, forensic auditors, and security experts questioning your management. Your company may have to pay sizable fines to VISA. Your CEO may have to explain the screwup to reporters.
And that's the good case. The bad case is when VISA decides you don't get to accept credit or debit cards any more, permanently. This happens routinely to screwed-up small businesses.
Saying software is "Too complicated" is usually a cop-out by the users and the managers that are involved in purchase and/or use of that software.
Yeah, god forbid you'd ever want to take the end-user's opinion into account. Or wait, maybe that's the cause of bad software--devs write to what they want and not what the users want.
I'm a software trainer. We spend probably 25% of our time collectively laughing at bad software practices and wondering out loud who on Earth thought that widgetX was a good idea. The cop-out is on the developer's side, not the user. If something doesn't work well or is overly cumbersome and there's a better way to do it, the user isn't copping out, the developer (or the Program Manager, or the SE, or whoever made the decision not to make the software better) copped out.