I’ve been away on vacation and was on a road trip of sorts through the USA. I’ve been to New York city and visited the west coast after that. Final stop during our trip was a visit to Las Vegas.
Now, everyone has probably heard of Vegas, and those people that haven’t actually been there probably have an image in their minds of what Vegas looks like. For me that image was what most people know from movies like Oceans Eleven or series like Las Vegas. You will think about good looking men and woman, loads of money, warm winds, large casinos and security everywhere that will probably try to tackle you for even looking the wrong way.
Those that have actually been there will probably agree with me in saying that this image is only partially true.
The simplest explanation is probably that something is not secure by simply putting a “Security” label on it.
I mean, what good is it if your security guard is actually sleeping? Or an example I’ve seen for myself was a security guard on a Segway. Sure, it seemed quite funny, but what good will a Segway actually be when the hotel or casino is actually full of people and you can’t use the speed of a Segway any way?
This question is valid in Las Vegas, but it is also valid elsewhere, or in a different area as a matter of fact. Software engineering, solution providers, industry standards and much more is being sold as “secure” these days. And you will see a lot of people reading the headlines and not even asking a simple question. A question that is absolutely critical if you want to talk about security.
How secure is it?
Ask yourself this question each time you see someone talking about their security or the security of their product/service. Ask yourself questions like:
- How secure is it?
- What makes it secure?
- What would make it inscure?
- What scope is actually secure?
- Would it still be secure in my environment?
Questions like this are key in trying to understand something that is being sold as “secure”. EMC’s Chuck Hollis wrote a blog post on security and multi-tenancy and shows some of these questions being asked when he’s looking at a new product that is introduced by a competitor. But this should also be done by you.
If you are looking for a new solution. If you are implementing a new internal development. If you talk to your security officers. If someone mentions it’s secure. Go ahead, ask yourself and ask the other these kind of questions.
The worst thing what you can do when it comes to security is just seeing the word and taking it for granted, or even just trusting it is actually secure just because they say so. Most people seem to have a different opinion on what security starts with, but for me security starts with asking questions. The trick is (as always) about asking the right questions, and when you do ask your questions use an old principle and keep your questions as simple as possible.
BasRaayman's Technical Take 