Forgot your password?
typodupeerror
Privacy Security Your Rights Online

Vendors Say Data Protection Software Too Complicated To Use 153

Posted by samzenpus
from the being-safe-is-hard dept.
jfruhlinger writes "With a series of major data breaches over the past few months, you'd think more and more companies would be investing in data protection software, which can help keep data secure even on systems that have been compromised. Unfortunately, even organizations that have paid good money for this software often don't use it, because, as one of the vendors admits, it's often too complicated to use."
This discussion has been archived. No new comments can be posted.

Vendors Say Data Protection Software Too Complicated To Use

Comments Filter:
  • by 24-bit Voxel (672674) on Wednesday May 04, 2011 @07:18PM (#36030242) Journal

    Am I the only one who read this as: It's too complicated for the entry level IT guys we hire to use....

    • Re: (Score:3, Interesting)

      by dwarfsoft (461760)

      Absolutely. Too hard for monkeys to randomly press things and get things set up perfectly. Solution: Hire more monkeys...

      They don't realise that paying a bit more for a few Good people would save them money in the long run, instead of flooding the ranks with monkeys.

      • They don't realise that paying a bit more for a few Good people would save them money in the long run, instead of flooding the ranks with monkeys.

        Bingo. Companies are less willing to pay what a job is worth, so they end up with people who don't have the skills or experience to do the job properly. Of course, sometimes they are paying well but the company just has a crappy culture of doing things half-assed. I can think of at least one tech giant that meets that description...

        • by 24-bit Voxel (672674) on Wednesday May 04, 2011 @09:05PM (#36031032) Journal

          Back in the late 90s, these companies actually trained their employees and gave raises that matched performance.

          It was really amazing. Nowadays companies don't train their employees, and it shows.

          It's funny to read the article and not think about training budgets being a thing of the past. It's the software's fault, not managements for sucking away the training dollars.

          • Its really sad to read this type of article, in fact companies have now completely commoditized the human element of the business. Get the economy in such a dire strait allowing companies and the people they 'employ' to gladly accept the Orwellian aspects of today's employment options. Its a win win win. Government loves it because the average intelligence level of employment is dwindling, less intelligence where daily (yes, meant this way, a job is just a day away from being unemployment checks), employ
            • If you are so convinced that your business ideas are right and everyone else is doing it wrong, why not prove that by getting out there, founding a company and making a mint? Try your hand at being an entrepreneur or starting your own company before criticizing businesses for giving employees a raw deal. Anyone can be an employee after all, but it takes hard work, courage, skill and yes even a bit of luck to be an entrepreneur who creates new jobs and new wealth. Always remember that fortune favors the bold
    • Re: (Score:3, Insightful)

      by olsmeister (1488789)
      At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.
      • by ShakaUVM (157947)

        >>At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.

        That was my thought on the matter. How expensive would it have been to have hired one of these data protection firm's people to work for Sony part-time? Or, hell, full time?

        How much money did Sony lose from not only getting hacked, having t

        • by BoogeyOfTheMan (1256002) on Wednesday May 04, 2011 @08:00PM (#36030590)

          They did not store the passwords in cleartext, from the PSN Blog:

          "One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."

          http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/ [playstation.com]

          • by ShakaUVM (157947)

            Hmm, well that makes me feel vaguely better about the whole thing. Do you know if the passwords stolen were easily guessed ones, or if PSN used a weak hashing algorithm which allowed recovery of the passwords? I heard reports that people's WoW accounts were being hacked via their PSN passwords.

            • by tehcyder (746570)

              I heard reports that people's WoW accounts were being hacked via their PSN passwords.

              And why would it be Sony's fault that its customers used the same easily guessed password for other accounts too?

          • They did not store the passwords in cleartext, from the PSN Blog:

            "One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."

            http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/ [playstation.com]

            From the link in the blog you linked:

            Hash - a special form of encryption often used for passwords, that uses a one-way algorithm that when provided with a variable length unique input (message) will always provide a unique fixed length unique output called hash, or message digest.

            So they're saying the passwords weren't encrypted, they were stored as hashes. And to explain the difference they link a page that defines a hash as a form of encryption...

          • by Zenin (266666)

            What hash algorithm, specifically?

            Using something like MD5 is very common...and very dumb. It might as well be cleartext for all the real world protection it offers. You can brute force tens of thousands of password attempts a second on modest hardware, and that's before we even talk about reverse lookup databases.

        • by lgw (121541)

          The particular manager who's buget would have taken the hit for doing data protection right for Sony is probably unknown to the managers who will shoulder the blame for the problems - especially as he's likely already moved on to a better position after demonstrating his ability to run a cheap shop.

        • by donaldm (919619)
          As for the Sony crackers (lets get this right) would only get passwords in encrypted format and these would only be stolen from the database information not from the OS such as /etc/passwd and /etc/shadow or from a Linux/Unix trusted database (TCB) which would only show encrypted passwords anyway. Even if you had root privileges I would be surprised if users had their information in standard login files. Even in MS Windows you need to be the "administrator" to get the encrypted passwords and one would hope
      • by grcumb (781340) on Wednesday May 04, 2011 @11:38PM (#36031772) Homepage Journal

        At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.

        You're assuming that massive data theft is a disaster to the company. If experience is any guide [imagicity.com], that's not true:

        It seems that in the esoteric world of noughts and ones, belief matters far more than empirical truth, making a true Data Disaster literally inconceivable.

        There can’t be a Data Disaster today, because we can’t imagine what one would look like. Likewise, there won’t be a Data Disaster until we become capable of realising that they’re all around us, happening every day.

    • Re: (Score:3, Insightful)

      by pkinetics (549289)
      Actually I read it as:
      • Little buy in from upper management. Without this getting people to meet and discuss and prioritize is futile.
      • No return on investment. Securing data is not glorious until after you've been compromised.
      • Risk versus reward.
      • Software setup is not overly hard. Integration with existing systems is.
      • by sco08y (615665)

        Actually I read it as:

        • Little buy in from upper management. Without this getting people to meet and discuss and prioritize is futile.
        • No return on investment. Securing data is not glorious until after you've been compromised.
        • Risk versus reward.
        • Software setup is not overly hard. Integration with existing systems is.

        I think you're right. You can have very capable IT people, but real security requires more than just IT. A lot of people have to be trained, processes have to be set up, etc., so if management doesn't "get it", it doesn't actually happen.

        The attitude that IT will do all the work to make stuff secure, and all everyone else has to do is memorize a few passwords is pretty poisonous.

    • I think you mean: "Too complicated for the customer service reps we promoted to IT positions with absolutely no training to use"

      In my experience there's usually 1 or 2 people at a company that has a clue when it comes to the network. Their time is spent almost exclusively doing things that contribute to profitable projects. Protecting the network is an expense. If you spend your time doing things that are considered expenses rather than doing things that are considered profitable, you will soon find yoursel
      • Re: (Score:2, Informative)

        by Anonymous Coward

        This sort of data simple should not have been available to anyone outside Sony's corporate headquarters and the only people with access to it there should have been developers.

        This is false. Developers should not have access to production data, especially not highly-sensitive production data! Only system operators should remotely have access to this kind of data. I do not understand how Sony never got audited for this kind of thing. Normally, investors want some kind of insurance from an audit that stuff is at least partially secure. Most password change restrictions come from this kind of audit.

      • by sjames (1099)

        What is considered an expense and what is profit has little to do with the value of various functions. The people who actually make a product are called an "expense", but ales and management are regarded as "profit". They argue that sales brings money in, so it's profit. Management attracts investment, so it's profit. Never mind that without a product there's nothing to sell and the investors will go away.

        What really costs is having blinkered idiots for management, but for some reason management keeps overl

    • Could be. But it's also because the senior people (eg CIO, CSO) are often operating at a vague, sloppy level of abstraction.

      Whether they're acting on their own initiative, or on the advice of technical management - who are themselves often more informed by marketing materials than knowledge of security principles - I'm not surprised to see money being spent on security products without much or any attention to security processes. It's been that way for a long time, though folks like Bruce Schneier will
    • Am I the only one who read this as: It's too complicated for the entry level IT guys we hire to use....

      Probably not, but at least you're not the only one who is wrong.

      The end users are not quoted in this article. The security vendors are the ones who are quoted about the entire process being to complicated for companies to actually implement it.

      DLP is the "most disappointing" portion of the security market primarily because of the amount of time it takes companies to identify the data they want to protect, create profiles and taxonomies to categorize it and put in place the software that will protect it, John Vecchi, head of global product marketing for security vendor Check Point told a Register reporter at the company's annual conference today. ...

      That "boil the ocean" approach doesn't deliver much benefit until all the pieces are in place, which makes even companies enthusiastic about automating their data protection shy away from the work of actually doing it.

      That's a problem for companies like his that develop the software, CheckPoint CEO Gil Schwed said in his keynote.

      It sounds like you know better than all those drooling morons though, so there's your niche where you can make your millions.

      • by Darinbob (1142669)

        But even reading the article it's not that it's "complicated" per se, it's that it's expensive. Companies do complicated stuff all the time. It's just that normally if they perceive something complicated as important they will devote resources to getting it done. Such as hiring experts who understand the complexity, replacing project managers who aren't making any traction, etc. Nothing in the article claims that there's a shortage of qualified or trainable people.

      • I wonder which employees find the process to be "to complicated" ...

        I wonder which employees need to identify the data, create profiles and taxonomies, and put software into place...

        Am I going too fast for you? Are we not making the connection here?

        I never said I knew better than these drooling morons, but now I'm saying I know better than you.

    • good specialized people cost a lot
      as long as they dont have a breahc they dont wanna afford it (of course, affording ONE of these guys would be cheaper over 50 years than ONE single breach but hey!)

    • It takes thirty hours of training to use the product, and our IT guys are simply too busy putting out fires to get the training.

      • by swb (14022)

        That's what I read into it.

        And it's not a question of hiring "better" people -- sure, there are plenty of shops carrying a certain amount of dead weight, but I don't think that spending the same money for fewer, better people will necessarily be the solution.

        I think you need a combination of more people and a way to improve your better people by providing access to more training.

        Where I work, we're constantly bombarded with requests to obtain certifications or "get up to speed" on products yet no manager E

      • This is a sign of HUGE problems. Even if you're not experiencing them yet. If your IT guys are running around putting out fires then there are not enough fire suppression systems in place.

        The problem is, that the people with the purse strings aren't in the IT department, don't care about IT, unless it affects them directly. In which case, you let the fires burn.

        Good IT takes money, skill and guts. Money to get the products that work, skill to implement it, and the guts to tell people to mind their own busin

    • by jvillain (546827)
      That and companies only want generalists. When the job add asks for some one that knows DOS, Window, Exchange, AD, IIS, MSSQL, Linux, Apache, Solaris, Oracle, VMS, IRIX, AIX,Mac, Cisco, Juniper, EMC, Netapp and can program in PHP, Java, C++, .NET and assembler you know the only skill the applicant really has is the ability to hit the speed dial button for the vendor. Pay now or pay later. It's the age old question, and I bet Sony is wishing they had picked the other option about now.
    • by poetmatt (793785)

      yes, and/or equally like "we don't want to do what would be a best practice, we'd rather make good short term decisions than long term ones".

    • by gl4ss (559668)

      it's complicated, because if the data is accessible at all it can be compromised, and usually the data could just as well be in a safe if it doesn't need to be accessed at all.

  • by MrEricSir (398214) on Wednesday May 04, 2011 @07:21PM (#36030272) Homepage

    These things come and go in the security market faster than you can believe. The problem isn't the lack of need, it's that the security software market is a "me too" market filled with companies cranking out software that has the latest buzzwords. In the security industry, everyone just copies everyone's fad else instead of innovating and trying to find a more elegant solution to the underlying problem.

    But it doesn't matter anyway, since these companies all target the suits instead of the IT folks. The suits will just buy whatever product sounds nice without consulting the people who will use or administer it. There's effectively no interaction between the vendors and their user-base. /rant

    • by sco08y (615665)

      But it doesn't matter anyway, since these companies all target the suits instead of the IT folks. The suits will just buy whatever product sounds nice without consulting the people who will use or administer it. There's effectively no interaction between the vendors and their user-base. /rant

      Yeah, I had to evaluate a security product, and the marketing material was definitely not meant for consumption by anyone with a remotely technical background. The hype was unbelievable, everything it did was totally game changing, and their acceleration hardware made things 60 times or 700 times or even 3500 times faster. They even claimed that their stuff was somehow better for the environment! After I started digging into it, they actually had a fairly promising product. But the hype made me think they w

  • by sdguero (1112795) on Wednesday May 04, 2011 @07:23PM (#36030302)
    The quality of IT people I have worked with over the last 12 years has slowly degraded over time. We are at the point now where "sysadmins" have the skills that a helpdesk person had 10 years ago. I think there is just so much demand that you have to pay more than companies are willing to spend to get a quality sysadmin or network admin type of IT guy.
    • That's half the problem. The other half is installing software and having it either break, or being too open ended of a solution. I'm speaking specifically of backup software and security (Backup Exec and McAfee come to mind). No, I'm not here to debug your shit. As an IT admin in a not-so-unreasonable world, my job is *supposed* to be about finding the right business solution and implementing it with technology to better serve said business. Yes, routine maintenance and checking backups is part of the role

    • Here is a theory: Economic times get tough. The best and most experienced (longest time in) IT people you have are paid the most. The suits decide that they need to trim the bottom line since business is down. They get rid of all those high priced IT guys and keep the low priced guys. Surprise IT is more complicated than the suits think and even though they are bright and well intentioned, the less experienced guys end up having to reinvent the wheel all the time since the bosses got rid of the wheel makers
      • It's not just IT. I've watched my company gut every department except legal and accounting over the last few years. When I started here, a significant number of employees had been here for 10 years or more. At least a third of the staff. Some over 20 years. I was genuinely shocked to see that in this day and age. Not any more. I'm now considered an old-timer because I've been here longer than at least 80% of the employees.

        • Is this taken from a SAT/GMAT question? If so, the answer is "impossible to say".

          Without knowing how long you've been there, "I've been here longer than at least 80% of the employees." is pretty meaningless.

    • And the new trend from above seems to be shifting from Design, Test, Deploy to Imagine, Deploy, Damage Control.

      • by arth1 (260657) on Wednesday May 04, 2011 @08:16PM (#36030702) Homepage Journal

        And the new trend from above seems to be shifting from Design, Test, Deploy to Imagine, Deploy, Damage Control.

        Imagine? Hardly. More like Purchase design, Outsource development, Purchase damage control.

        Also, there is a shift away from understanding to knowing, and in this industry, knowledge is worthless. There's a man page for that. Understanding what really happens and why is what you need. Someone who knows why SElinux won't allow you to do something, and not just how to (far too common) turn off SElinux or (taking slightly more skills but no more brains) create rules to allow every complaint SElinux has.

        There's also a management belief that security is a product you can implement after the fact. That's as futile as buying a kevlar vest to protect yourself from heart attack. To turn existing insecure infrastructure secure takes months or years of hard and continuous work - sometimes more than redesigning from scratch would do.

  • Hello, I see that you are trying to encrypt and backup your customer data....
  • "can take two years to fully implement, he said."

    "It's a mature market - please turn it on." John Vecchi

    Well if it's mature already, maybe it just sucks?
    Two years to implement a system that is 100% overhead, no services rendered! Fuck, that, shit. You're doing it wrong.

    When will it catch on with software publishers & independent developers, that no matter how narrow your niche, there are very few excuses for utterly ignoring ease of use.

    Free? : No.
    Expensive? : No.
    Really Expensive! : What are you smoking?
    It's just hard work? : DUH, that's why you set out to make a tool for it right, it doesn't have to be

    • by Darinbob (1142669)

      I have never seen enterprise software that is easy to use. Almost all of it requires consultants of professional services to get it set up. That's because every corporation is unique with unique requirements and the software requires customization and integration.

      • by lgw (121541)

        That process of customization and integration? Yeah, that's what software is supposed to make easy for you. But it costs a software vedore money to provide usability, and they make money on professional services, so as long as the customers keep bending over for it, nothing will change.

  • by scdeimos (632778) on Wednesday May 04, 2011 @08:02PM (#36030610)

    You can't just pile software on top of a broken system/design and magically have everything secure.

    What surprises me in all this is that the banks are *not* jumping all over these companies for exposing consumer credit card information - whatever happened to PCI Compliance?

    • whatever happened to PCI Compliance

      "Will you be compromised in the next twelve months?" is not part of a PCI audit.

      Besides, PCI-DSS is 99.9% common sense - codified. It's not a magic barrier.

  • by joeflies (529536) on Wednesday May 04, 2011 @08:28PM (#36030802)

    The article is about a quote from a marketing mouth from a single vendor, Check Point, who made a sound bite about how hard DLP is to use. And, just by coincidence, they're announcing a security product that is easy to use!

  • ... my job is hard, i don't want to do it. but pay me any way. cheers.
  • ... for example a major site, dslreports.com, recently had an intrusion. Its customers' info was stolen [dslreports.com], yet the admins of the site try to pass off the intrusion as something that just happens. Never mind that the admins have chosen (and still seem to not realize the problems with) two-way password 'encryption'..

    Until site operators decide to properly secure the back-end data on their sites, no amount of front-end security will stop the insecurity designed into their sites.

  • by sjames (1099)

    Don't blame IT staff for this one, blame reality. Big surprise, they are unable to configure the magic beans to intelligently and proactively read and understand all outbound data and decide if it should or should not go out based on best practices and corporate policy! All without accidentally telling the CEO no even if he's sending porn to his golf buddies.

    Since AI doesn't work that well on this type of problem yet, especially in real-time, we just expect them to work out every scenario in advance so it c

  • by Animats (122034) on Thursday May 05, 2011 @02:22AM (#36032510) Homepage

    Read "What To Do if Compromised" [visa.com], the official instructions for merchants who accept VISA cards. Sony is clearly doing some of the things VISA requires: "Do not access or alter compromised systems, i.e. don't log on at all to the compromised systems. ... Do not turn systems off. Isolate compromised systems from the network ..." Then they have to call the VISA Incident Response Manager, and the full list of compromised cards has to go to VISA, which parcels it out to the issuing banks for card cancellations and reissues.

    VISA has the contractual right to send in a forensics team. VISA will assess fines up to $500,000 if VISA's security requirements haven't been met. If compromised data includes PIN numbers for debit cards, or CVV2 data for credit cards, which merchants aren't supposed to store at all, VISA sends in a Qualified Security Assessor. They check that the systems are no longer storing that data, and that all historical data of that type has been erased, before they go back on line.

    Now it's clear why Sony is off line. Their actions look like what happens when a major debit card breach occurs and VISA sends in the forensics and security teams.

    So there's your answer when management doesn't want to have proper security on credit card data. VISA can and will shut temporarily down your ability to accept payments. You'll have law enforcement, forensic auditors, and security experts questioning your management. Your company may have to pay sizable fines to VISA. Your CEO may have to explain the screwup to reporters.

    And that's the good case. The bad case is when VISA decides you don't get to accept credit or debit cards any more, permanently. This happens routinely to screwed-up small businesses.

    • by Agripa (139780)

      If compromised data includes PIN numbers for debit cards, or CVV2 data for credit cards, which merchants aren't supposed to store at all, VISA sends in a Qualified Security Assessor.

      How do recurring payments work without PINs or CVV2s? Is there some type of continuing authorization which assumes that the price does not change?

  • Enterprisey software is specially bad, but the Unix principles [cat-v.org] of KISS and "do one thing and do it well" have long been forgotten by the software industry (or corrupted into "lets treat the lusers as if they are completely retarded, and lets hide all complexity under the carpet, where it can ferment until it explodes in a mass of bloated detritus and bugs").

  • Let me see if I get this right. You can save it as a template.

    1 - problems occur with Data Loss
    2 - every vendor jumps on it with a "solution" product
    3 - execs buy such product to make it appear they have done something
    4 - nobody bothers to look at the actual problem, processes and possible alternative approaches
    5 - the software doesn't deliver, a discovery made after spending a fortune on consulting to fit an essentially square peg in a hole that was actually round to start with (but nobody bothered to che

Uncompensated overtime? Just Say No.

Working...