At some point about six weeks ago I once again was hit with arguments that pointed to people considering security as black and white; you are either secure or you are not. Security is not now, nor has it ever been, a binary decision. There are a lot of factors we need to consider, all of which should be rooted in what you need to accomplish with the systems, the threats they are subject to, and whether the mitigation is less palatable than the risk itself. Having the incredible luxury to do so, I wrote a column on it. The column is entitled Microsoft Small Business Server and Security: It's All About Risk Management! and just came out in the Microsoft Security Newsletter today. While I use Small Business Server as the example, as the title says, it is all about risk management!
i totally agree that security is all about risk management. However I dont think it is valid to say, that you have to trade security against costs in the case of SMB. The fact that you can install all the Software modules of SMB only on a single system is a pretty artificial restrictions by MS. If MS decides to offer small busiensses the same features with increased security, it would be no problem to allow a Installation including a public faced host (ISA, IIS) and a private one (SQL, Files), or even a 3 System configuration.
Ths might not be a option for a small shop with 3 PCs, but it is for sure no problem in a 20 seat office.
That said, I am big in favor of a heterogenous approach to layered security (i.e. non-microsoft firewall mixed with microsoft backends, or vice versa). With the boom of appliances, this is not a big deal, anyway.
Bernd, that is exactly what I am saying though. If you disregard the artificial licensing restriction on breaking apart SBS, doing so would require more computers (costs extra money), additional management processes (adds complexity and cost), and additional people resources (more cost). Right there is your cost v. security v. usefulness tradeoff.
I just recently found your blog. I watched your TechEd Austrailia presentation that is in the listening room on the website for your book. I have not read the book (yet). I want to commend you for your message!
Until just recently, I worked for a small Microsoft Partner that served mostly small businesses. I co-founded the company and worked with our clients daily for the last 7 years. The points you make in this article concerning SBS are very relevant. It is sooo refreshing to hear a common sense approach to security (especially from MS). Over the years, I have had to implement many "trade-offs" for small companies simply because the cost of a "highly secure" solution was simply too much. I often felt an odd sense of guilt about this because of all the hype. Your information has given me a new confidence in how I look at security.
In September, I started a new position with a local insurance agency. Good insurance agencies help their clients manage risk so, the concepts you talk about are very familiar to the business. However, as I talk with others in this industry, I have seen evidence that they too have gotten deceived by all the security rhetoric going on in the technical community. I hope I can bring a balanced approach to my new organization.
Again, I just want to say that it is so great to hear an intelligent and thoughtful approach. One that balances security with usefulness and cost. We certainly don't want to blindly go down the road believing we are secure when we are not, but we also need to realize it is impossible to be 100% secure and still have a productive network. As you stated, the key is intelligent risk management.
Thanks for your work!
At one time, your perspective on small businesses not being a target for hackers would have been accurate. Not so any longer.
According to the Dept. of Justice, the mysterious Chinese hacker group the DOJ has labeled Titan Rain is not discriminating. While they do have certain specific targets, they also attempt to break into any computer they see... yours, mine, your dentist, etc.
They're in and they're out within 20 minutes. They'll take whatever's there and let someone else determine its value. So, the invention you're working on? Keep it on a removable disc, not your HDD. Otherwise, it could hit the market, via China, before you've negotiated a deal with your supplier.
In addition, now that stolen identities have a market value of @$400 each, organized crime has stepped in for their piece of the pie. At some point, some physician's system is going to have been hacked by a 16 year old cracker. The cracker'll get caught having stolen 2000 patient record IDs, because his parents will wonder how their child can afford to buy a Corvette on an allowance. ;-)
Today, Good Enough Security means, if you really don't want anyone else to be able to steal your data via the Internet, you need to be serious, consistent and vigilant with your cyber security. Fortunately, there are many common sense practices and affordable solutions that, when layered, can provide a formidable defense. I'm pleased SBS and XP SP2 can be reliable segments of that approach.
That's sobering data Jonathan. It really is.
I still stand by the statement, if you consider a slight explanation. They are not targeting a specific small business they way they would target, say, Microsoft, or the Pentagon. The attackers are opportunistic; they will take over what they can, steal what seems useful, and then move on. That is a different type of attack than what you see on very large, very tempting networks.
The data is clear though. We all need to be vigilant, and we need to protect our assets in ways that make sense depending on the assets.