Originally posted at my corporate blog at http://blog.avanadeadvisors.com/blogs/waynea

Vista has not yet been released and already Symantec is out recommending that customers not upgrade, as there may be some issues with the new security model in Vista based on a few vulnerabilities that their researchers have discovered in beta versions of the software. I just wanted to take a moment this evening to say: "Well, Duh."

Forgive the short and facetious remark; however, the not-so-elegantly-stated truth here is that this is another round of the same dance the industry goes through every single upgrade cycle. Please understand that I am not bashing Symantec here. Symantec did what it is supposed to do: advised specific security clients that it would not recommend making the upgrade at this time based on the information available to Symantec in current releases. It is rather the hullabaloo that Symantec's recommendation (or reservation, depending on your point of view) has generated in terms of both press and commentary that I find difficult to understand. First the overblown "Internet Explorer 7" vulnerability, now blatant misunderstandings of the Symantec client advice on Vista. Let us together review some of the basic tenets of security.

Security Model Shifts Beget Short Term Risk

The simple fact of the matter is that any time you make a significant reconfiguration of ANY security model, whether it be a software architecture, firewall ruleset, RRA hierarchy, routing infrastructure rebuild, anything really... any time you make a major reconstruction of a given security-impacting environment, you are accepting the possibility of greater short term risk in order to gain the [sometimes perceived] long term benefits. It is a principle of security auditing, for gosh' sake.
This risk stems from the fact that one of the inherent consequences of a new configuration is that all of the ramifications on the handling of both legitimate and illicit transaction requests are not completely known. This information only becomes available with extensive testcasing, much of which is not executed until real world security audit and compromise attempts (after all, the programmers cannot think of every possible recombination of data processing scenarios). As with most upgrades / migrations, the prospective enterprise will look at different strategies for mitigation depending on available resources and the position of the company business relative to the needs and use of the new technology.

Mitigation Through Risk Assessment

The cornerstone of preparing for and gauging the effect of any new change on an environment is the Risk Assessment. Depending on the change underway, this could be as simple as an informal review done by in-line staff in the process of planning a small-scope server change, but in the context of an upgrade to Vista, this will be a more protracted process (probably led by senior IT staff or the CIO's office) with formalized risk documentation and mitigation or acceptance planning. In other words, most enterprises are going to have staff bill some hours, overseen by senior computer folks, taking a hard look at Vista, identifying where a Vista upgrade will create a potential security risk in the given infrastructure, and then figuring out how they want to proceed for each identified risk.

Hence comes Symantec. What Symantec was doing with this announcement was really saying "We have taken a look at Vista, the new software, the new security model, and looked at the different business verticals that we provide consulting services to.
Right now the vulnerabilities we are seeing would create financial risk that outweighs any potential benefits that we can tell would be directly provided by moving to the software right now, based on the builds that our team looked at. If we had to give a go / no-go call for whether we would recommend our clients making upgrade plans immediately, we would have to say that it's probably not a good idea until we know more about the release versions of the software."

Back to our hypothetical discussion on risk assessments. The advice that Symantec is giving is very generalized. It's, "hey, by and large we would not advise moving forward just yet." On an enterprise-by-enterprise basis, this same assessment will be done, with varying levels of different results. Each enterprise is going to have to take into consideration the industry vertical in which they work and the drivers behind the business units in the organization. Based on this, there are several ways in which a risk assessment can provide issue-specific information (as well as identifying and quantifying how big the issue is for the business unit or enterprise as a whole) that will allow the organization to make plans for addressing the security issue and move forward (or not) with any migration plans.

Mitigation Through Application of Knowledge

Post-assessment mitigation starts with the application of knowledge. Any path that an organization might take to address individual risks is seated in an understanding of the software, the risk, the enterprise, and how these vectors interrelate. This is why organizational-level migrations are often handled by consulting firms. These firms (Avanade!) employ highly qualified resources who specialize in dealing with the issues presented by a certain category of migration and should be able to rapidly identify issues, fixes, and potential mitigation paths based on organizational experience.
You employ consultants who know the product, have experience with the product, and have already identified particular best practice paths to mitigating the risks for your particular organization as part of any migration assessment stage.

Baaaah...

There are about 100 other points and subpoints to how a mitigation is handled, but these are the main points I wanted to make:

1) Symantec's announcement is not a big deal. It's Symantec's corporate line to their own clients based on a highly generalized risk assessment. It covers what we already know: early upgrades do take a risk based on the unknown in any change.

2) Each organization is best served by a formal risk and migration project assessment. Only by taking into account the needs, drivers, and factors at play in a given organization can advice accurately be given on whether to make an upgrade or not.

3) External consulting organizations have people whose time is practically dedicated to dealing with the technologies and problems that your organization's staff is going to be seeing for the first time during the assessment. They can help with the assessment and forming mitigation strategy based on a deep experience with securing the migration product.

Not every security announcement that has "Microsoft" or "Vista" in the headline is worth getting excited about. News sites and "Citizen Journalists" would be best served by being able to identify the real news from the expected.