Vendors Say Data Protection Software Too Complicated To Use
jfruhlinger writes "With a series of major data breaches over the past few months, you'd think more and more companies would be investing in data protection software, which can help keep data secure even on systems that have been compromised. Unfortunately, even organizations that have paid good money for this software often don't use it, because, as one of the vendors admits, it's often too complicated to use."
Hire better people? (Score:5, Insightful)
Am I the only one who read this as: It's too complicated for the entry level IT guys we hire to use....
Re: (Score:3, Interesting)
Absolutely. Too hard for monkeys to randomly press things and get things set up perfectly. Solution: Hire more monkeys...
They don't realise that paying a bit more for a few Good people would save them money in the long run, instead of flooding the ranks with monkeys.
Re: (Score:3)
Bingo. Companies are less willing to pay what a job is worth, so they end up with people who don't have the skills or experience to do the job properly. Of course, sometimes they are paying well but the company just has a crappy culture of doing things half-assed. I can think of at least one tech giant that meets that description...
Re:Hire better people? (Score:4, Insightful)
Back in the late 90s, these companies actually trained their employees and gave raises that matched performance.
It was really amazing. Nowadays companies don't train their employees, and it shows.
It's funny to read the article and not think about training budgets being a thing of the past. It's the software's fault, not management's for sucking away the training dollars.
Re: (Score:2)
Yes, because you are only successful in life by beating everyone else. And yes, there are many hungry people from other societies. What makes you so entitled to success over them?
And people wonder why America has such a large wealth disparity.
Re: (Score:2)
>>At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.
That was my thought on the matter. How expensive would it have been to have hired one of these data protection firm's people to work for Sony part-time? Or, hell, full time?
How much money did Sony lose from not only getting hacked, having t
Re:Hire better people? (Score:5, Informative)
They did not store the passwords in cleartext, from the PSN Blog:
"One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."
http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/ [playstation.com]
Re: (Score:3)
Hmm, well that makes me feel vaguely better about the whole thing. Do you know if the passwords stolen were easily guessed ones, or if PSN used a weak hashing algorithm which allowed recovery of the passwords? I heard reports that people's WoW accounts were being hacked via their PSN passwords.
Re: (Score:2)
I heard reports that people's WoW accounts were being hacked via their PSN passwords.
And why would it be Sony's fault that its customers used the same easily guessed password for other accounts too?
Re: (Score:2)
They did not store the passwords in cleartext, from the PSN Blog:
"One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."
http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/ [playstation.com]
From the link in the blog you linked:
Hash - a special form of encryption often used for passwords, that uses a one-way algorithm that when provided with a variable length unique input (message) will always provide a unique fixed length unique output called hash, or message digest.
So they're saying the passwords weren't encrypted, they were stored as hashes. And to explain the difference they link a page that defines a hash as a form of encryption...
Re: (Score:2)
What hash algorithm, specifically?
Using something like MD5 is very common...and very dumb. It might as well be cleartext for all the real world protection it offers. You can brute force tens of thousands of password attempts a second on modest hardware, and that's before we even talk about reverse lookup databases.
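The comment's point about an unsalted fast hash being "as good as cleartext" against reverse-lookup tables is easiest to see side by side with a salted, iterated KDF. The following is an added example, not code from the thread or from Sony; the account names, passwords and the 200,000-iteration PBKDF2 cost are assumptions made for illustration.

```python
"""Password storage the way the thread contrasts it: an unsalted fast hash
(MD5) beside a salted, iterated key-derivation function (PBKDF2-HMAC-SHA256).
Constructed example; the usernames and passwords below are made up."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumption: an iteration count picked for illustration, not a vendor default.
PBKDF2_ITERATIONS = 200_000


def md5_store(password: str) -> str:
    """Unsalted MD5 as a password 'hash'. Equal passwords give equal digests,
    so one precomputed lookup table covers every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2 record in the form 'pbkdf2$iterations$salt$digest'.
    A fresh 16-byte salt per account makes identical passwords unlinkable."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def linkable_accounts(table: Dict[str, str]) -> List[List[str]]:
    """Defender's audit: group accounts whose stored value is byte-identical.
    With unsalted hashes every shared password shows up as a group; with
    per-account salts there are no groups even when passwords repeat."""
    by_value: Dict[str, List[str]] = {}
    for user, stored in table.items():
        by_value.setdefault(stored, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


# Constructed sample accounts; two of them chose the same password.
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "correct horse"}

if __name__ == "__main__":
    md5_table = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    kdf_table = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    print("MD5 groups of linkable accounts:", linkable_accounts(md5_table))
    print("PBKDF2 groups of linkable accounts:", linkable_accounts(kdf_table))
    print("verify alice:", pbkdf2_verify("password", kdf_table["alice"]))
```

Run as a script, the MD5 table exposes alice and bob as sharing a password while the PBKDF2 table shows no linkable accounts; the salt and the iteration count do the work, and the verifier only needs the stored record to check a login.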
Re: (Score:2)
The particular manager whose budget would have taken the hit for doing data protection right for Sony is probably unknown to the managers who will shoulder the blame for the problems - especially as he's likely already moved on to a better position after demonstrating his ability to run a cheap shop.
Re:Hire better people? (Score:4, Interesting)
At some point, someone will have to determine what's costlier: a little extra money up front to recruit knowledgeable and capable people to safeguard the company's and customers' valuable information ... or a public relations disaster such as Sony is experiencing.
You're assuming that massive data theft is a disaster to the company. If experience is any guide [imagicity.com], that's not true:
Re: (Score:2)
Actually I read it as:
I think you're right. You can have very capable IT people, but real security requires more than just IT. A lot of people have to be trained, processes have to be set up, etc., so if management doesn't "get it", it doesn't actually happen.
The attitude that IT will do all the work to make stuff secure, and all everyone else has to do is memorize a few passwords is pretty poisonous.
Re: (Score:2)
In my experience there's usually 1 or 2 people at a company who have a clue when it comes to the network. Their time is spent almost exclusively doing things that contribute to profitable projects. Protecting the network is an expense. If you spend your time doing things that are considered expenses rather than doing things that are considered profitable, you will soon find yoursel
Re: (Score:2, Informative)
This sort of data simple should not have been available to anyone outside Sony's corporate headquarters and the only people with access to it there should have been developers.
This is false. Developers should not have access to production data, especially not highly-sensitive production data! Only system operators should remotely have access to this kind of data. I do not understand how Sony never got audited for this kind of thing. Normally, investors want some kind of insurance from an audit that stuff is at least partially secure. Most password change restrictions come from this kind of audit.
Re: (Score:2)
What is considered an expense and what is profit has little to do with the value of various functions. The people who actually make a product are called an "expense", but sales and management are regarded as "profit". They argue that sales brings money in, so it's profit. Management attracts investment, so it's profit. Never mind that without a product there's nothing to sell and the investors will go away.
What really costs is having blinkered idiots for management, but for some reason management keeps overl
Re: (Score:3)
Whether they're acting on their own initiative, or on the advice of technical management - who are themselves often more informed by marketing materials than knowledge of security principles - I'm not surprised to see money being spent on security products without much or any attention to security processes. It's been that way for a long time, though folks like Bruce Schneier will
Re: (Score:2)
Am I the only one who read this as: It's too complicated for the entry level IT guys we hire to use....
Probably not, but at least you're not the only one who is wrong.
The end users are not quoted in this article. The security vendors are the ones who are quoted about the entire process being too complicated for companies to actually implement it.
DLP is the "most disappointing" portion of the security market primarily because of the amount of time it takes companies to identify the data they want to protect, create profiles and taxonomies to categorize it and put in place the software that will protect it, John Vecchi, head of global product marketing for security vendor Check Point told a Register reporter at the company's annual conference today. ...
That "boil the ocean" approach doesn't deliver much benefit until all the pieces are in place, which makes even companies enthusiastic about automating their data protection shy away from the work of actually doing it.
That's a problem for companies like his that develop the software, CheckPoint CEO Gil Schwed said in his keynote.
It sounds like you know better than all those drooling morons though, so there's your niche where you can make your millions.
Re: (Score:2)
But even reading the article it's not that it's "complicated" per se, it's that it's expensive. Companies do complicated stuff all the time. It's just that normally if they perceive something complicated as important they will devote resources to getting it done. Such as hiring experts who understand the complexity, replacing project managers who aren't making any traction, etc. Nothing in the article claims that there's a shortage of qualified or trainable people.
Re: (Score:2)
I wonder which employees find the process to be "too complicated" ...
I wonder which employees need to identify the data, create profiles and taxonomies, and put software into place...
Am I going too fast for you? Are we not making the connection here?
I never said I knew better than these drooling morons, but now I'm saying I know better than you.
Re: (Score:2)
good specialized people cost a lot
as long as they don't have a breach they don't wanna afford it (of course, affording ONE of these guys would be cheaper over 50 years than ONE single breach but hey!)
Alternative reading (Score:2)
It takes thirty hours of training to use the product, and our IT guys are simply too busy putting out fires to get the training.
Re: (Score:2)
That's what I read into it.
And it's not a question of hiring "better" people -- sure, there are plenty of shops carrying a certain amount of dead weight, but I don't think that spending the same money for fewer, better people will necessarily be the solution.
I think you need a combination of more people and a way to improve your better people by providing access to more training.
Where I work, we're constantly bombarded with requests to obtain certifications or "get up to speed" on products yet no manager E
Re: (Score:2)
This is a sign of HUGE problems. Even if you're not experiencing them yet. If your IT guys are running around putting out fires then there are not enough fire suppression systems in place.
The problem is, that the people with the purse strings aren't in the IT department, don't care about IT, unless it affects them directly. In which case, you let the fires burn.
Good IT takes money, skill and guts. Money to get the products that work, skill to implement it, and the guts to tell people to mind their own busin
Re: (Score:2)
yes, and/or equally like "we don't want to do what would be a best practice, we'd rather make good short term decisions than long term ones".
Re: (Score:2)
it's complicated, because if the data is accessible at all it can be compromised, and usually the data could just as well be in a safe if it doesn't need to be accessed at all.
Re: (Score:2)
With that last one, you hit quite another nail on the head, albeit tangentially. The question is: why one da
It's another security buzzword product (Score:5, Insightful)
These things come and go in the security market faster than you can believe. The problem isn't the lack of need, it's that the security software market is a "me too" market filled with companies cranking out software that has the latest buzzwords. In the security industry, everyone just copies everyone else's fad instead of innovating and trying to find a more elegant solution to the underlying problem.
But it doesn't matter anyway, since these companies all target the suits instead of the IT folks. The suits will just buy whatever product sounds nice without consulting the people who will use or administer it. There's effectively no interaction between the vendors and their user-base. /rant
Re: (Score:2)
But it doesn't matter anyway, since these companies all target the suits instead of the IT folks. The suits will just buy whatever product sounds nice without consulting the people who will use or administer it. There's effectively no interaction between the vendors and their user-base. /rant
Yeah, I had to evaluate a security product, and the marketing material was definitely not meant for consumption by anyone with a remotely technical background. The hype was unbelievable, everything it did was totally game changing, and their acceleration hardware made things 60 times or 700 times or even 3500 times faster. They even claimed that their stuff was somehow better for the environment! After I started digging into it, they actually had a fairly promising product. But the hype made me think they w
Average IT person is too simple (Score:3)
Re: (Score:2)
It's not just IT. I've watched my company gut every department except legal and accounting over the last few years. When I started here, a significant number of employees had been here for 10 years or more. At least a third of the staff. Some over 20 years. I was genuinely shocked to see that in this day and age. Not any more. I'm now considered an old-timer because I've been here longer than at least 80% of the employees.
Re: (Score:2)
Is this taken from a SAT/GMAT question? If so, the answer is "impossible to say".
Without knowing how long you've been there, "I've been here longer than at least 80% of the employees." is pretty meaningless.
Re: (Score:3)
And the new trend from above seems to be shifting from Design, Test, Deploy to Imagine, Deploy, Damage Control.
Re:Average IT person is too simple (Score:4, Insightful)
And the new trend from above seems to be shifting from Design, Test, Deploy to Imagine, Deploy, Damage Control.
Imagine? Hardly. More like Purchase design, Outsource development, Purchase damage control.
Also, there is a shift away from understanding to knowing, and in this industry, knowledge is worthless. There's a man page for that. Understanding what really happens and why is what you need. Someone who knows why SElinux won't allow you to do something, and not just how to (far too common) turn off SElinux or (taking slightly more skills but no more brains) create rules to allow every complaint SElinux has.
There's also a management belief that security is a product you can implement after the fact. That's as futile as buying a kevlar vest to protect yourself from heart attack. To turn existing insecure infrastructure secure takes months or years of hard and continuous work - sometimes more than redesigning from scratch would do.
Re: (Score:3)
I think that's a big part of the problem. The initial barriers to get an IT job are lower than they used to be because things are easier. But now we have all these people that have no idea what's going on under the hood.
Re: (Score:2)
That's not a problem.
The problem is when people don't realize (or don't care) that entry level IT is often going to get you entry-level capability. A little server that does nothing but NAT, you can probably hire that teenager one of your co-workers knows and be fine. Low-level help desk stuff, no problem. Simplistic networking, sure. But if you're, say, Sony with tens of millions of users and tens of millions of credit cards stored on your system, you had damn well better find people much more qualif
Mature market? (Score:2)
"can take two years to fully implement, he said."
"It's a mature market - please turn it on." John Vecchi
Well if it's mature already, maybe it just sucks?
Two years to implement a system that is 100% overhead, no services rendered! Fuck, that, shit. You're doing it wrong.
When will it catch on with software publishers & independent developers, that no matter how narrow your niche, there are very few excuses for utterly ignoring ease of use.
Free? : No.
Expensive? : No.
Really Expensive! : What are you smoking?
It's just hard work? : DUH, that's why you set out to make a tool for it right, it doesn't have to be
Re: (Score:3)
I have never seen enterprise software that is easy to use. Almost all of it requires consultants or professional services to get it set up. That's because every corporation is unique with unique requirements and the software requires customization and integration.
Re: (Score:2)
That process of customization and integration? Yeah, that's what software is supposed to make easy for you. But it costs a software vendor money to provide usability, and they make money on professional services, so as long as the customers keep bending over for it, nothing will change.
Can't protect broken systems (Score:5, Insightful)
You can't just pile software on top of a broken system/design and magically have everything secure.
What surprises me in all this is that the banks are *not* jumping all over these companies for exposing consumer credit card information - whatever happened to PCI Compliance?
Re: (Score:2)
whatever happened to PCI Compliance
"Will you be compromised in the next twelve months?" is not part of a PCI audit.
Besides, PCI-DSS is 99.9% common sense - codified. It's not a magic barrier.
Re: (Score:3)
Split control/dual knowledge is pretty decent protection... if it's actually implemented properly, that is. If PCI has a problem, it's that, with the right auditor, you can bypass this by adding compensating controls that really don't compensate for anything.
If your own people can't get the encryption key, and your decryption services flash in pretty colors when unexpected levels of usage happen, PCI is better than a kick in the teeth.
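The two controls this comment names, no single insider holding the whole key and a decryption service that raises an alarm at unexpected usage, can both be shown in a few dozen lines. The following is an added example and not code from the thread, from PCI DSS or from any vendor; the key, the two custodians, the 60-second window with a baseline of five calls, and the request timestamps are all constructed for illustration, and the record cipher itself is deliberately left out so that only key custody and alerting are shown.

```python
"""Split control / dual knowledge for a card-data key, plus a usage monitor
for the decryption service. Constructed example: the key, the custodians and
the request timestamps are made up; only key custody and alerting are shown,
the actual record cipher is out of scope here."""
import os
from collections import deque
from typing import Deque, List, Tuple


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Two-of-two XOR split: each custodian holds one share. A single share
    reveals nothing about the key, because the other share is uniform random."""
    share_a = os.urandom(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Rebuild the key only inside the decryption service, never on disk."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class DecryptMonitor:
    """Sliding-window rate check: alert when the number of decrypt calls in
    the last `window_seconds` exceeds the agreed baseline `max_calls`."""

    def __init__(self, window_seconds: float, max_calls: int) -> None:
        self.window = window_seconds
        self.max_calls = max_calls
        self.calls: Deque[float] = deque()

    def record(self, now: float) -> bool:
        """Register one decrypt call at time `now`; return True if it trips the alert."""
        self.calls.append(now)
        while self.calls and now - self.calls[0] > self.window:
            self.calls.popleft()
        return len(self.calls) > self.max_calls


def alerts_for(timestamps: List[float], window_seconds: float, max_calls: int) -> List[float]:
    """Replay request times through a monitor; return the times that alerted."""
    monitor = DecryptMonitor(window_seconds, max_calls)
    return [t for t in timestamps if monitor.record(t)]


# Constructed: a quiet hour of routine decrypts, then a burst of eight in eight seconds.
SAMPLE_TIMES = [0, 700, 1400, 2100, 2800, 3500, 3501, 3502, 3503, 3504, 3505, 3506, 3507]

if __name__ == "__main__":
    data_key = os.urandom(32)
    custodian_a, custodian_b = split_key(data_key)
    print("round trip ok:", combine_shares(custodian_a, custodian_b) == data_key)
    print("alerting calls:", alerts_for(SAMPLE_TIMES, window_seconds=60, max_calls=5))
```

The routine calls, spaced more than a window apart, never alert; the burst trips the monitor from its sixth call onward. In a real deployment the shares would live with two different people or HSM slots and the alert would feed the SOC, but the logic is the same.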
Contrary to the headline, it's "vendor", singular (Score:4, Informative)
The article is about a quote from a marketing mouth from a single vendor, Check Point, who made a sound bite about how hard DLP is to use. And, just by coincidence, they're announcing a security product that is easy to use!
There are still stupid site operators.... (Score:2)
Until site operators decide to properly secure the back-end data on their sites, no amount of front-end security will stop the insecurity designed into their sites.
Whoosh! (Score:2)
Don't blame IT staff for this one, blame reality. Big surprise, they are unable to configure the magic beans to intelligently and proactively read and understand all outbound data and decide if it should or should not go out based on best practices and corporate policy! All without accidentally telling the CEO no even if he's sending porn to his golf buddies.
Since AI doesn't work that well on this type of problem yet, especially in real-time, we just expect them to work out every scenario in advance so it c
Dealing with a breach is even more complicated. (Score:5, Informative)
Read "What To Do if Compromised" [visa.com], the official instructions for merchants who accept VISA cards. Sony is clearly doing some of the things VISA requires: "Do not access or alter compromised systems, i.e. don't log on at all to the compromised systems. ... Do not turn systems off. Isolate compromised systems from the network ..." Then they have to call the VISA Incident Response Manager, and the full list of compromised cards has to go to VISA, which parcels it out to the issuing banks for card cancellations and reissues.
VISA has the contractual right to send in a forensics team. VISA will assess fines up to $500,000 if VISA's security requirements haven't been met. If compromised data includes PIN numbers for debit cards, or CVV2 data for credit cards, which merchants aren't supposed to store at all, VISA sends in a Qualified Security Assessor. They check that the systems are no longer storing that data, and that all historical data of that type has been erased, before they go back on line.
Now it's clear why Sony is off line. Their actions look like what happens when a major debit card breach occurs and VISA sends in the forensics and security teams.
So there's your answer when management doesn't want to have proper security on credit card data. VISA can and will shut temporarily down your ability to accept payments. You'll have law enforcement, forensic auditors, and security experts questioning your management. Your company may have to pay sizable fines to VISA. Your CEO may have to explain the screwup to reporters.
And that's the good case. The bad case is when VISA decides you don't get to accept credit or debit cards any more, permanently. This happens routinely to screwed-up small businesses.
Re: (Score:2)
How do recurring payments work without PINs or CVV2s? Is there some type of continuing authorization which assumes that the price does not change?
All software is way too complicated. (Score:2)
Enterprisey software is especially bad, but the Unix principles [cat-v.org] of KISS and "do one thing and do it well" have long been forgotten by the software industry (or corrupted into "let's treat the lusers as if they are completely retarded, and let's hide all complexity under the carpet, where it can ferment until it explodes in a mass of bloated detritus and bugs").
Yawn. Here we go again. (Score:2)
Let me see if I get this right. You can save it as a template.
1 - problems occur with Data Loss
2 - every vendor jumps on it with a "solution" product
3 - execs buy such product to make it appear they have done something
4 - nobody bothers to look at the actual problem, processes and possible alternative approaches
5 - the software doesn't deliver, a discovery made after spending a fortune on consulting to fit an essentially square peg in a hole that was actually round to start with (but nobody bothered to che
Re: (Score:3)
Well designed software is easy to use.
Did you RTFA? This isn't Donkey Kong Jr. we're talking about here. DLP software, while extremely sophisticated, isn't that hard to use - What's difficult is the requirement for a company to create business policies that define what data is critical and what isn't. If you turn the alerts up too high, end-users and IT security are bombarded by noise and warnings, making the system useless. If you turn the alerts down too low, then you run the risk of data leakage.
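The tuning trade-off this comment describes, alerts "too high" drowning everyone in noise versus alerts "too low" letting data walk out, is visible even in a toy DLP rule for card numbers. The following is an added example, not code from the thread or from any DLP product; the four outbound messages are constructed, 4111 1111 1111 1111 is a widely used test card number, and the two modes ("strict" and "tuned") are names chosen here for illustration.

```python
"""A miniature DLP rule for card numbers in outbound text, showing the tuning
trade-off: a broad rule (any long digit run) against a tighter one (plausible
length plus Luhn check digit). Constructed example; the messages are made up."""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_outbound(messages: List[str], mode: str) -> List[Tuple[int, str]]:
    """Return (message index, matched digits) for each finding.
    'strict' alerts on any 13-19 digit run (noisy: batch ids, references).
    'tuned' additionally requires the Luhn check to pass."""
    if mode not in ("strict", "tuned"):
        raise ValueError("mode must be 'strict' or 'tuned'")
    findings: List[Tuple[int, str]] = []
    for idx, text in enumerate(messages):
        for match in DIGIT_RUN.finditer(text):
            digits = re.sub(r"[ -]", "", match.group(0))
            if mode == "tuned" and not luhn_ok(digits):
                continue  # drop the false positive
            findings.append((idx, digits))
    return findings


# Constructed outbound messages: one real card number, two look-alikes, one harmless.
SAMPLE_MESSAGES = [
    "Invoice 88 paid with card 4111 1111 1111 1111, please archive.",
    "Nightly export batch 20110502143000 sent to the partner SFTP.",
    "Shipment reference 4111111111111112 left the warehouse.",
    "Anyone free for lunch at noon?",
]

if __name__ == "__main__":
    for mode in ("strict", "tuned"):
        print(mode, "->", scan_outbound(SAMPLE_MESSAGES, mode))
```

The strict rule fires three times, twice on numbers that are not cards at all, which is exactly the noise that gets a DLP console ignored; the tuned rule fires once. Deciding which fields in the business actually hold card data, and what the tolerable false-positive rate is, is the policy work the comment says the software cannot do for you.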
Re: (Score:3)
Did you RTFA? This isn't Donkey Kong Jr. we're talking about here. DLP software, while extremely sophisticated, isn't that hard to use - What's difficult is the requirement for a company to create business policies that define what data is critical and what isn't. If you turn the alerts up too high, end-users and IT security are bombarded by noise and warnings, making the system useless. If you turn the alerts down too low, then you run the risk of data leakage.
WOW, that's funny how it suddenly becomes a business problem when this software shows up! A sane person would reason, if the software invented this problem, the software should fix it!
Christ, we're supposed to be SOLVING problems with computers!
This reminds me of enterprise backup implementations and shaking down non-IT organizations for data retention policies. Like it's their job to analyze the risks of [not] having snapshots of their data from arbitrary points in time other than YESTERDAY.
These both cl
Re: (Score:2)
The problem is that you have IT managers that are trained to manage, not understand, IT, IT admins that are trained in only MS software, and users who aren't trained at all on how to use software effectively.
I've seen this happen a lot in business, the bigger they are, the less emphasis there is on positive IT policies or employing IT professionals who actually know what they are doing. The main emphasis in big business is to climb the corporate ladder, buy stuff from vendors you get kickbacks from, and emplo
Re: (Score:2, Funny)
The main emphasis in big business is to climb the corporate ladder, buy stuff from vendors you get kickbacks from,
So which vendors are these? I'm apparently doing it wrong....
Re: (Score:2)
Trying to reconcile the IT data handling requirements with the business data requirements can be difficult. Just like the parent in this thread said it can be a fine line between securing data while also providing access.
There should be little, if any, push back from IT to well defined business requirements. What I find is the "fine line" where IT recognizes bad business requirements and those in charge of defining business requirements don't (such as giving every administrative assistant in the company full permissions to every file because their bosses can't be bothered to actually do their jobs and the admin assistants back each other up so when one is out sick, any of the others in the entire company may be taking thei
Re: (Score:2)
...the bigger they are, the less emphasis there is on positive IT policies or employing IT professionals who actually know what they are doing.
Wait, I thought the bigger they are, the more likely it is they work in IT? I kid, I kid...
To be fair to the IT guys, this is true throughout the entire organization. Granted IT guys' personal, err, shall we say, quirks, only amplify the problem.
Re:Alot of Enterprise Software is "too complicated (Score:5, Insightful)
It's like having recipe software which you put recipes in, along with cooking instructions, and a robot makes the item. Then, once you have all the ingredients in, you realize you didn't have any cooking instructions. So you complain that the software doesn't have default cooking instructions programmed in that would just magically make cookies or cupcakes without you having to do all that extra work.
The problem isn't the software. It couldn't be any more user friendly. Just tell it what you want, and poof, it will pop right out. The problem is that the users can't be bothered figuring out what they want, so the software is at fault.
Re: (Score:3, Insightful)
say it, mean it and give em a lot of shit when they balk at the end result. Next time, they find time for the non coding parts of the SDLC.
Re: (Score:2)
"If you don't give me a spec, whatever I give you meets spec."
Yeah, let's skip the whole, maybe-I-should-ask-the-customer-what-it-is-they-want business and just jump right in!
say it, mean it and give em a lot of shit when they balk at the end result. Next time, they find time for the non coding parts of the SDLC.
Next time they hire somebody else.
Re: (Score:2)
Yes, I see. Your lack of people skills is what is prohibiting my comprehension, evidently. Care to elaborate on my reading skills further?
You said, without specs, you'll just go off and make whatever you want and then the customer has to accept that, which is a horrible practice, and not at all how business works between a supplier and the customer. You should never start a single line of code until the requirements are hammered out, in place and agreed upon by all parties. Best case you might provide some
Re: (Score:2)
The problem I often face is similar. Except that I like digging in to such software, making it work. The problem is that companies want dumbed down programs, so that my job is easier to fill should I up and leave. I completely understand their position. But it is very limiting, especially considering I work in mixed win/osx/nix environment, so the job won't be filled by some guy off the street anyways.
Re: (Score:2)
So you complain that the software doesn't have default cooking instructions programmed in that would just magically make cookies or cupcakes without you having to do all that extra work.
Yah actually, that is what I'm complaining about. I want a cupcake, I'll settle for the recipe, but just the ingredients? Thanks for nothing.
Example: LDAP, Kerberos, DNS vs.
Active Directory
Sure, you _could_ use the above technologies to accomplish what AD does, with a ton of time, and still not get to the point where ISVs can even dream of integrating with it. There are an infinite number of ways to implement an authentication/delegation/identity/system management/configuration management/service adver
Re: (Score:2)
Yah actually, that is what I'm complaining about. I want a cupcake, I'll settle for the recipe, but just the ingredients? Thanks for nothing.
All you have to do is tell it the recipe (ingredients plus instructions) and it will give you a cupcake. But the users want to just say "cupcake" and have one magically appear. Sure, they could have defaulted the software to make everything a cupcake, but then the guy that wants banana bread will complain that he got a cupcake instead. He could have checked the box for "bread" rather than accept the defaults and complain about them, but that's what he did.
What you are proposing isn't a development proje
Re: (Score:2)
Did you RTFA?
This is slashdot, right?
I assumed GP was going for a +11 funny
Re:Alot of Enterprise Software is "too complicated (Score:4, Insightful)
No, what it means is that a lot of responsibility that IT managers (and higher) are given, such as ensuring that confidential data is kept confidential, is either too hard for them, takes too much time or they are simply incompetent to fulfil that role. I don't mean technically - it isn't just an IT manager's role to tick the right boxes in a menu, I mean if THEIR managers are unwilling to spend the time, money and effort on their own, then it falls to the person to convince them of the need to do so.
Re: (Score:3)
One of the problems with setting up a reliable IT disaster recovery solution (I will stick to backup and recovery here) is for management to decide on the requirements. The most commo
Re: (Score:3)
Saying software is "Too complicated" is usually a cop-out by the users and the managers that are involved in purchase and/or use of that software.
Yeah, god forbid you'd ever want to take the end-user's opinion into account. Or wait, maybe that's the cause of bad software--devs write to what they want and not what the users want.
I'm a software trainer. We spend probably 25% of our time collectively laughing at bad software practices and wondering out loud who on Earth thought that widgetX was a good idea. The cop-out is on the developer's side, not the user. If something doesn't work well or is overly cumbersome and there's a better way to do it, the
Re: (Score:2)
I'm a software trainer. We spend probably 25% of our time collectively laughing at bad software practices and wondering out loud who on Earth thought that widgetX was a good idea.
So...I take it you get a lot of business from companies who insist on forcing their employees to use Bloatus Goats, er, I mean Lotus Notes?
Yet another example where the devs are big fans because 'it can do so much more than just email!', but the actual user is left in a mess of pain trying to use the end result for what they need it to do...which is, 90% of the time, just frigging email...
Re: (Score:2)
I used to work for a company that built the absolute #1 MVS security product. It was great because through it and its very flexible rules specification you could ensure that users only had access to files and resources they were actually supposed to have access to. Sounds wonderful, right?
Except for one little problem. It was incredibly difficult to set up. Let's take your average medium-size company. How many individual files do you think there might be on on-line media? Millions is probably not an ex
Re: (Score:2)
I don't mean technically - it isn't just an IT manager's role to tick the right boxes in a menu, I mean if THEIR managers are unwilling to spend the time, money and effort on their own, then it falls to the person to convince them of the need to do so.
You know, there used to be these things called ethics (mostly honesty, trust and integrity) that all the good workers brought to the office every day. But that was way back in a time when companies actually invested in their staff, looked after them for the better part of their career and in return expected them to protect the company's interests.
This good conduct was policed with a degree of strictness and care by managers, who were held responsible for the materials under their control.
Now, however, we ha
Re: (Score:2)
And enterprise users are dumb. It's a bad combination.
Re: (Score:3)
It's not that enterprise users are dumb, it's that they care about their actual job, not some crappy software (OK, some of them are also dumb).
Re: (Score:2)
If part of their job involves working with sensitive data, protecting that data IS part of their job. Understanding how to use the tools necessary to provide that protection IS part of their job. But many people think that learning such things is beneath them and that it's IT's job to figure out how to design a system that doesn't require thought or comprehension.
Re:Alot of Enterprise Software is "too complicated (Score:4, Interesting)
And enterprise users are dumb. It's a bad combination.
No, many users only do what they are told and in the majority of cases the blame rests firmly with the managers. In the enterprise managers like to "de-skill" users (Management 101) by placing them into restricted roles. Some managers hate professional people since these people are usually multi-skilled and leave if they are forced down a narrow skill path. The consequence of de-skilling is you end up with people who are poorly trained, but of course management covers itself by stating that the users are not skilled enough and more training is needed, so after that training those people who are a little smarter leave for better pay and conditions and so the circle repeats itself.
Also, (Score:2)
a lot of people think "alot" is a word.
Re: (Score:3)
http://hyperboleandahalf.blogspot.com/2010/04/alot-is-better-than-you-at-everything.html
Re: (Score:3)
In other words, alot of enterprise software is poorly designed.
Well designed software is easy to use.
I wouldn't call ERP software (like SAP or Oracle Financials) poorly designed, however setting up an installation also takes years.
Looking into the specific differences between an ERP and DLP system may offer some explanation how come configuring an ERP is budgeted/paid for by the company while a DLP isn't.
1. Without an ERP, the guys that have the final say in approving a budget cannot work (CFO is blind): the impact is immediate and obvious. Without DLP, not so.
2. Even more, an ill-configured DLP (or even
Re: (Score:2)
I wouldn't call ERP software (like SAP or Oracle Financials) poorly designed, however setting up an installation also takes years.
So, they're well designed as a jobs program for consultants, but they're pretty damn craptastic at being ERP software.
Re: (Score:2)
I wouldn't call ERP software (like SAP or Oracle Financials) poorly designed, however setting up an installation also takes years.
The software you mentioned only includes backup methods to backup software. By themselves any backups are crude.
Setting up a backup solution for SAP or Oracle Financials should at the most take a few days, although that is assuming your backup hardware and software is in place. Even a recovery should, if you have the appropriate backup hardware, take a few hours in a worst case scenario. I won't deny that the set-up of an enterprise database with appropriate computers, storage, backup hardware and softwar
Re: (Score:2)
I wouldn't call ERP software (like SAP or Oracle Financials) poorly designed, however setting up an installation also takes years.
... can take a while (a few months), but a few years? I would love to be on that type of project; I could do with an extra mansion :) With SAP we have a 2, 5, 7 proportion, that being "2" for the hardware, "5" for the software and "7" for the consulting, and we will tell you when you can close your cheque book.
As TFA says: installing and configuring a DLP is not very hard in itself, but
DLP is the "most disappointing" portion of the security market primarily because of the amount of time it takes companies to identify the data they want to protect, create profiles and taxonomies to categorize it.
I imagine that is where most of the time (and consulting paychecks) goes.
Re: (Score:2)
while a DLP is a "risk prevention cost" (money someone will pay for "just in case").
Risk management is more specialized, more complicated and requires more imagination than financial management: the difference between "how and what can go wrong in various and possibly obscure points of my business? Who would benefit from something going wrong for me; who's the possible attacker?" and "How much was spent and what revenue do you think you'll get in the next FQ or FY from this-and-that well-known market segment?"
I think that in general the banking crisis has shown us that even companies that should be experts at risk assessment often mess it up. I think that's where the general problem lies:
Managing and calculating risks is a hard thing. People tend to downplay or ignore risks, especially less obvious ones, even in nuclear plants or New Orleans.
One of the reasons, of course, is that it's planning for the unknown. Often you don't have all the information and know all the threats.
Re: (Score:2)
Re: (Score:2)
Well said. I think most users' frustration comes from the fact that most (anecdotal) companies err too far on the side of security. Example being my current prime contractor requires us to send emails encrypted, even the most mundane, yet seemingly every other day somebody's cert is out of date, incompatible, broken, whatever. It makes it impossible to do work. Instead, I pick up my unencrypted telephone and talk to the person.
Another anecdote would be the ridiculous 15 character, two upper, two lower, two
Re: (Score:3, Funny)
fucking idiots. And the worst part is they reproduce.
I know what you mean. Then they eventually browse their way to /. and make comments as an AC.
Re: (Score:2)
Re: (Score:3)
That wasn't the point. The point is the GP was acting all smug, like running Linux instantly makes him more secure/superior.
In the past decade I've dealt with many hacked machines, and they haven't all been Windows. An idiotic enough user will result in any system being compromised. Which was the GP's point.
Re: (Score:2)
Ever wonder why armed robbers only rob convenience store clerks and not CEOs? I'd like to see what convenience store corporations are doing to protect their CEOs from being ordered at gunpoint to empty the register while allowing their clerks to be assaulted and robbed. Notice how it's only clerks that are robbed at gunpoint, not the directors. Guess companies can figure it out when it really matters.
It's down to roles and exposure. There's less of a need to expose certain types of data, such as payroll and exec