August 24, 1998
Who's responsible for computer security?
By Bob O'Donnell
With increasingly frequent news reports on holes being discovered and/or exploited in today's most popular operating systems and Internet-based applications (and even programming languages), computer security is fast becoming one of the most controversial topics facing IT managers today. Any conversation on the subject is bound to get pretty animated.
Not surprisingly then, last week's column on the Back Orifice threat generated quite a bit of discussion, particularly in the forum linked to the column. Many individuals feel quite strongly about the subject and posted numerous thought-provoking comments and critiques on issues related to computer security in general. (For more on the real threat of BO, see this week's "Security Watch" column, which includes the InfoWorld Test Center's analysis of the program.)
While the specific content of the postings covered a fairly wide range, many were quite critical of Microsoft for providing so little security for Windows 95/98 users that a program like Back Orifice could easily exploit intentionally available APIs. The underlying presumption among many of the messages was that Microsoft was responsible for ensuring a secure computing environment.
On the surface, of course, that seems like an entirely reasonable presumption. After all, it's their product and one would think they ought to make sure that anyone who uses it is safe. But in today's increasingly hostile and dangerous computing climate, is that an appropriate presumption to make? Can you really depend on one vendor to ensure that you have an appropriately secure environment? More importantly, if the company never said it was a secure operating system -- and to the best of my knowledge, Microsoft has never claimed Windows 95/98 to be secure -- is it justifiable to demand this of them? (Part of this goes back to the question of whether Windows 98 is really a consumer OS or a corporate OS -- a topic I covered in another previous column.)
Many forum participants felt that maintaining security for their computers and their networks was something for which only they could be responsible. As a result, their solution to the problem is to avoid OSes such as Windows 95/98 (and even NT, according to some) that aren't secure and deploy operating systems and other supporting tools they consider secure, such as Linux. Only then could they feel confident they had a secure system.
But even that isn't a perfect choice. As many benefits as Linux and open-source-based solutions have going for them, they are still saddled with some important limitations. For example, many people believe Linux is too difficult to install and configure, and, more importantly, while the situation is improving, it still lacks a critical mass of applications for many businesses to justify the move.
In spite of its detractors, many individuals feel that NT's increased (though still not perfect) security makes it a reasonable choice. But NT 4.0 still has a number of limitations that keep it from taking advantage of recent hardware developments (among other things). Plus, with the release of NT 5.0 seemingly pushed further into the future, NT as a platform is far from an ideal choice either.
In an ideal world, we could and should be able to rely on vendors to provide us with a robust, secure, easy-to-use platform that is well supported by application vendors. The current and near-future reality is far from ideal, however, which means that IT managers are going to be forced to deal with compromises in either security or application support no matter which route they take.
© Copyright 1998, by InfoWorld Publishing Corp., a subsidiary of IDG Communications, Inc. Reprinted from InfoWorld, 155 Bovet Road, San Mateo, CA 94402. Further reproduction is prohibited.