Of late, I've found myself commenting quite frequently on
issues surrounding on-line security. Well-publicised problems surrounding The Halifax,
Prudential and of course, The Conservative Party's own bank account, have all played
their own part in encouraging the media to speculate as to whether the world is entirely
ready to leap on board the e-commerce roller-coaster.
Online banking
Recently, I announced that at long last I was confident enough with the system's security
to go on-line with my own account at a leading bank. This optimism lasted less than a day.
I was called a few hours later by the Producer and asked if I had heard the news.
Apparently account details of a particular High Street bank's customers were visible
to other customers, in a systems glitch that closely resembled the HotMail fiasco of the
autumn. Now I haven't a clue what Operating System software lay behind the Web
browser in this case and, for a change, it's not really that important. The problem,
it seems, with this example and several others doesn't lie with systems being
compromised by hackers. Rather, it's a consequence of an overall level of complexity,
where a minor procedural change to one part of the system has the result of opening a door
somewhere else.
Such dangers are supposedly addressed by strong testing and change management policies but
a glance at twelve months' worth of news stories rather leaves me with the
conviction that even at the highest and most highly paid levels, getting it right is more
of an art form than an exact science.
You may remember the PC Week Linux Vs Windows NT Security challenge, that Linux lost, much
to the outrage of the Linux camp and the delight of Microsoft. Linux lost because PC Week
failed to set the server up properly and Microsoft's own challenge administrator is
on record as saying that he hadn't realised how difficult it was to secure an NT
Server in such a hostile environment. That said, and with all credit to his skills, as far
as I'm aware, the beleaguered NT Server is still running safely at the end of its IP
address.
Security is very big business and from what I can see, it faces a number of very real
problems. It's such a delicate subject, that when I met Amazon's CEO, Jeff
Bezos, he refused, point-blank, to discuss the subject with me at all.
The .com transition
The industry that we all swim in is a relatively young one and today, many companies are
focused on what their futures will be if they fail to make the overnight e-business
transition into a .com. As a consequence, CEOs everywhere are instructing IT Directors to
open up internal networks to the intrusive gaze of the Internet. As the responsibility, or
should I say liability, moves downstream, it invariably lands on the desk of an
unfortunate soul who suddenly becomes responsible for the tangle of connected services and
Operating Systems that lie behind the corporate firewall.
I ask you, if the United States Department of Defence has concluded that through the
relative immaturity of systems software, it can't adequately protect itself from the
open nature of the Internet, expecting business to have solved the problem is a tall
order.
Software, and the technology that drives it, is anything but static. As a result, one
doesn't have the luxury of years or even months to study a particular environment.
Certainly, no time to become a Jedi Master in between cups of hastily snatched coffee.
Vendors, driven by the short-term demands of their shareholders, insist on treating their
customers as guinea pigs. As every new Service Pack rolls out of the door, it brings with
it the risk of unwelcome and undocumented surprises. If you happen to be a Lotus Domino
administrator, then SP 6.0 is a great illustration of what I mean. Much the same could be
said of migration to Windows 2000 or indeed, any new piece of software. I know it's
better, bigger, faster, has a flashy box and will make me more attractive to women but
who's to say that I won't be handing the front door keys of my business to three
hundred million people the moment I go live on the upgrade?
Will the vendors offer any guarantees over security or accept any liability if some gaping
security hole is revealed in a critical piece of software? Of course not! That's all right
then, and goes some way to explaining why lemmings leap off cliffs.