A Call To Revamp FISMA
I will continue with my posts on securing VMware ESX servers tomorrow, but wanted to give some attention to the recent comments made by Alan Paller of SANS on the need to overhaul how government assesses security - starting with FISMA.
Paller offers two broad fixes for the security challenge facing government. The first is to stop blaming the user for problems, and require that vendors ship well-designed products that are securely configured by default. He also called for using "attack-based" metrics in measuring security compliance.
Overall, I agree with Alan's approach. Certainly, the poor grades federal agencies have received over the last few years on their FISMA report cards make it clear that something needs to change. It is refreshing to see him recognize the role configuration settings play in security. I do, however, have to take some issue with the idea of "products securely configured by default."
Configuration settings exist, by their very nature, because "one size fits all" doesn't work when it comes to how IT environments operate in different organizations. It is simply unrealistic to expect any product to come "securely configured out of the box." What is critical to improving security, and in the case of the federal government, compliance audit results, is automating the controls around configurations and the ongoing changes made to them.
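To make the point about automated configuration controls concrete, here is an added example (not code from the original post) that checks a captured configuration against an organisation-defined secure baseline and reports drift between two snapshots. The `key = value` file format, the `BASELINE` values and the `CURRENT_CONFIG` sample are all constructed for illustration; the baseline is something the organisation chooses for its own environment, which is exactly what a vendor's "secure by default" settings cannot anticipate.

```python
"""Added example (not from the original post): detecting configuration
drift against an organisation-specific secure baseline.

Assumptions (constructed for illustration): the configuration is a simple
``key = value`` text format, and the baseline is a dict the organisation
defines for its own environment rather than something a vendor ships.
"""

from dataclasses import dataclass
from typing import Optional

# Constructed sample: the baseline this organisation chose for its servers.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed sample: configuration captured from a server today.
CURRENT_CONFIG = """\
# sshd-style settings (constructed sample, not a real server)
PermitRootLogin = yes
PasswordAuthentication = no
MaxAuthTries = 6
Banner = /etc/issue.net
"""


@dataclass(frozen=True)
class Finding:
    """One deviation from the baseline."""
    key: str
    expected: Optional[str]
    actual: Optional[str]
    kind: str  # "mismatch" (wrong value) or "missing" (setting absent)


def parse_config(text: str) -> dict:
    """Parse ``key = value`` lines, ignoring blanks and ``#`` comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def check_drift(current: dict, baseline: dict) -> list:
    """Compare a parsed configuration against the baseline.

    Settings that the baseline does not mention are left alone: the
    baseline states what must hold, not every value the product supports.
    """
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None:
            findings.append(Finding(key, expected, None, "missing"))
        elif actual != expected:
            findings.append(Finding(key, expected, actual, "mismatch"))
    return findings


def diff_snapshots(previous: dict, current: dict) -> dict:
    """Report every key whose value changed between two captures.

    This is the ongoing-change tracking the post argues for: the audit
    question is not only "is it compliant now" but "what changed since
    the last check, and was that change authorised".
    """
    changes = {}
    for key in set(previous) | set(current):
        if previous.get(key) != current.get(key):
            changes[key] = (previous.get(key), current.get(key))
    return changes


if __name__ == "__main__":
    current = parse_config(CURRENT_CONFIG)
    for finding in check_drift(current, BASELINE):
        print(f"{finding.kind:8} {finding.key}: "
              f"expected {finding.expected!r}, found {finding.actual!r}")
```

In practice the baseline would be version-controlled and the two functions run on a schedule against each system's captured configuration, so that a compliance report reflects the actual state of the estate rather than a one-time checklist.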