Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vendors Say Data Protection Software Too Complicated To Use

Posted by samzenpus on from the being-safe-is-hard dept.

jfruhlinger writes "With a series of major data breaches over the past few months, you'd think more and more companies would be investing in data protection software, which can help keep data secure even on systems that have been compromised. Unfortunately, even organizations that have paid good money for this software often don't use it, because, as one of the vendors admits, it's often too complicated to use."

18 of 153 comments (clear)

  1. Hire better people? by 24-bit+Voxel · · Score: 4, Insightful

    Am I the only one who read this as: It's too complicated for the entry level IT guys we hire to use....

    1. Re:Hire better people? by dwarfsoft · · Score: 3, Interesting

      Absolutely. Too hard for monkeys to randomly press things and get things set up perfectly. Solution: Hire more monkeys...

      They don't realise that paying a bit more for a few Good people would save them money in the long run, instead of flooding the ranks with monkeys.

      --
      Cheers, Chris
    2. Re:Hire better people? by olsmeister · · Score: 3, Insightful

      At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.

    3. Re:Hire better people? by pkinetics · · Score: 3, Insightful
      Actually I read it as:
      • Little buy in from upper management. Without this getting people to meet and discuss and prioritize is futile.
      • No return on investment. Securing data is not glorious until after you've been compromised.
      • Risk versus reward.
      • Software setup is not overly hard. Integration with existing systems is.
    4. Re:Hire better people? by BoogeyOfTheMan · · Score: 4, Informative

      They did not store the passwords in cleartext, from the PSN Blog:

      "One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."

      http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/

    5. Re:Hire better people? by 24-bit+Voxel · · Score: 3, Insightful

      Back in the late 90s, these companies actually trained their employees and gave raises that matched performance.

      It was really amazing. Nowadays companies don't train their employees, and it shows.

      It's funny to read the article and not think about training budgets being a thing of the past. It's the software's fault, not managements for sucking away the training dollars.

    6. Re:Hire better people? by grcumb · · Score: 3, Interesting

      At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.

      You're assuming that massive data theft is a disaster to the company. If experience is any guide, that's not true:

      It seems that in the esoteric world of noughts and ones, belief matters far more than empirical truth, making a true Data Disaster literally inconceivable.

      There can’t be a Data Disaster today, because we can’t imagine what one would look like. Likewise, there won’t be a Data Disaster until we become capable of realising that they’re all around us, happening every day.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  2. It's another security buzzword product by MrEricSir · · Score: 4, Insightful

    These things come and go in the security market faster than you can believe. The problem isn't the lack of need, it's that the security software market is a "me too" market filled with companies cranking out software that has the latest buzzwords. In the security industry, everyone just copies everyone's fad else instead of innovating and trying to find a more elegant solution to the underlying problem.

    But it doesn't matter anyway, since these companies all target the suits instead of the IT folks. The suits will just buy whatever product sounds nice without consulting the people who will use or administer it. There's effectively no interaction between the vendors and their user-base. /rant

    --
    There's no -1 for "I don't get it."
  3. Re:Alot of Enterprise Software is "too complicated by Fluffeh · · Score: 3, Insightful

    No, what it means is that a lot of responsibility that IT managers (and higher) are given, such as ensuring that confidential data is kept confidential, is either too hard for them, takes too much time or they are simply incompetent to fulful that role. I don't mean technically - it isn't just an IT managers role to tick the right boxes in a menu, I mean if THEIR managers are unwilling to spend the time, money and effort on their own, then it falls to the person to convince them of the need to do so.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
  4. Can't protect broken systems by scdeimos · · Score: 4, Insightful

    You can't just pile software on top of a broken system/design and magically have everything secure.

    What surprises me in all this is that the banks are *not* jumping all over these companies for exposing consumer credit card information - whatever happened to PCI Compliance?

  5. Re:Average IT person is too simple by arth1 · · Score: 3, Insightful

    And the new trend from above seems to be shifting from Design, Test, Deploy to Imagine, Deploy, Damage Control.

    Imagine? Hardly. More like Purchase design, Outsource development, Purchase damage control.

    Also, there is a shift away from understanding to knowing, and in this industry, knowledge is worthless. There's a man page for that. Understanding what really happens and why is what you need. Someone who knows why SElinux won't allow you to do something, and not just how to (far too common) turn off SElinux or (taking slightly more skills but no more brains) create rules to allow every complaint SElinux has.

    There's also a management belief that security is a product you can implement after the fact. That's as futile as buying a kevlar vest to protect yourself from heart attack. To turn existing insecure infrastructure secure takes months or years of hard and continuous work - sometimes more than redesigning from scratch would do.

  6. Contrary to the headline, it's "vendor", singular by joeflies · · Score: 4, Informative

    The article is about a quote from a marketing mouth from a single vendor, Check Point, who made a sound bite about how hard DLP is to use. And, just by coincidence, they're announcing a security product that is easy to use!

  7. Re:idiots by Noodlenoggin · · Score: 3, Funny

    fucking idiots. And the worst part is they reproduce.

    I know what you mean. Then they eventually browse their way to /. and make comments as an AC.

  8. Re:Contrary to the headline, it's "vendor", singul by Toam · · Score: 5, Funny

    It's weird that this article shows up - I've got the "Ads Disabled" option checked...

  9. Re:Alot of Enterprise Software is "too complicated by AK+Marc · · Score: 5, Insightful

    We just finished royally screwing up a database project. The database is mostly worthless because it assumes a set of non-existent processes. The business unit demanding the new database wanted better processes in place. But wouldn't define them. So the programmers had to put something in, and programmers who don't know what our business is have now defined our business processes (and poorly, of course) because the people demanding the magical database be built that fixes all their problems couldn't even be arsed to define what their problems were.

    It's like having recipe software which you put recipes in, along with cooking instructions, and a robot makes the item. Then, once you have all the ingredients in, you realize you didn't have any cooking instructions. So you complain that the software doesn't have default cooking instructions programmed in that would just magically make cookies or cupcakes without you having to do all that extra work.

    The problem isn't the software. It couldn't be any more user friendly. Just tell it what you want, and poof, it will pop right out. The problem is that the users can't be bothered figuring out what they want, so the software is at fault.

    --
    Learn to love Alaska
  10. Re:Alot of Enterprise Software is "too complicated by donaldm · · Score: 3, Interesting

    And enterprise users are dumb. It's a bad combination.

    No, many users only do what they are told and in the majority of cases the blame rests firmly with the managers. In the enterprise managers like to "de-skill" users (Management 101) by placing them into restricted rolls. Some Managers hate professional people since these people are usually multi-skilled and leave if they are forced down a narrow skill path. The consequence of de-skilling is you end up with people who are poorly trained, but of course Management covers itself by stating that the users are not skilled enough and more training is needed so after that training those people who are a little smarter leave for better pay and conditions and so the circle repeats itself.

    --
    There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
  11. Re:Alot of Enterprise Software is "too complicated by d6 · · Score: 3, Insightful

    "If you don't give me a spec, whatever I give you meets spec."

    say it, mean it and give em a lot of shit when they balk at the end result. Next time, they find time for the non coding parts of the SDLC.

  12. Dealing with a breach is even more complicated. by Animats · · Score: 5, Informative

    Read "What To Do if Compromised", the official instructions for merchants who accept VISA cards. Sony is clearly doing some of the things VISA requires: "Do not access or alter compromised systems, i.e. don't log on at all to the compromised systems. ... Do not turn systems off. Isolate compromised systems from the network ..." Then they have to call the VISA Incident Response Manager, and the full list of compromised cards has to go to VISA, which parcels it out to the issuing banks for card cancellations and reissues.

    VISA has the contractual right to send in a forensics team. VISA will assess fines up to $500,000 if VISA's security requirements haven't been met. If compromised data includes PIN numbers for debit cards, or CVV2 data for credit cards, which merchants aren't supposed to store at all, VISA sends in a Qualified Security Assessor. They check that the systems are no longer storing that data, and that all historical data of that type has been erased, before they go back on line.

    Now it's clear why Sony is off line. Their actions look like what happens when a major debit card breach occurs and VISA sends in the forensics and security teams.

    So there's your answer when management doesn't want to have proper security on credit card data. VISA can and will shut temporarily down your ability to accept payments. You'll have law enforcement, forensic auditors, and security experts questioning your management. Your company may have to pay sizable fines to VISA. Your CEO may have to explain the screwup to reporters.

    And that's the good case. The bad case is when VISA decides you don't get to accept credit or debit cards any more, permanently. This happens routinely to screwed-up small businesses.