Security Technologies Not Worth Buying

I can’t tell you how often I see the newest “trends” in the various technology areas. Over the decades, I’ve seen the “year of ATM”, the “year of PKI”, the “year of technology”, and the “year of virtual reality”. In the end, these were all technologies that were either overhyped (in the case of ATM, it was superseded by SONET) or technologies that took much longer to catch on (which happened with PKI). At the end of the day, much of the hype pointed to technologies that weren’t worth buying.

So, for today’s blog, I thought I’d write about a few technologies that I think aren’t worth purchasing. I would recommend that you either put your money towards other technologies or find other solutions to the problems these technologies claim to make easier. I’m not saying that there isn’t value in some of these technologies, but, at the end of the day, the value they bring just isn’t there.

Data Loss Prevention (DLP)

To me, DLP is probably at the top of the list. When DLP first started coming out, everyone was hot to jump on it. So, for me, the first thing that I do for a client who is interested in a technology isn’t just to read about the technology but to talk to people who have implemented it, in order to find out what the lessons learned are. And, boy, did I learn a bunch.

The vast majority of the organizations that I talked to just couldn’t get it in place and, when they did, it wasn’t used. The core problem with DLP is that it’s highly dependent on information classification. But when was the last time you saw a company that was doing information classification at all, much less one that had classified all of its information and was consistent about classifying new information as it was created?

Save your money and look at other methods of controlling the flow of information in and out of the organization.
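To make the classification dependence concrete, here is a small added example (not code from the original post) that runs a handful of constructed outbound documents through two hypothetical rules: a label-driven rule that blocks anything tagged Confidential or Restricted, and a content rule that looks for Luhn-valid card numbers. The document names, labels and bodies are made up for illustration.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the original post. Documents, labels and the
# policy rules below are constructed for illustration only.

@dataclass
class Document:
    name: str
    body: str
    labels: set = field(default_factory=set)  # classification labels, if anyone applied them

# Hypothetical label-driven rule: anything carrying one of these labels must not leave.
BLOCKED_LABELS = {"Confidential", "Restricted"}

# Hypothetical content rule: 16-digit card-like numbers, confirmed with a Luhn check
# so that ordinary order references don't trip it.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(number: str) -> bool:
    """Standard Luhn checksum over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def label_policy(doc: Document) -> str:
    """Block only when the document carries a blocked label; unlabelled data is invisible."""
    return "block" if doc.labels & BLOCKED_LABELS else "allow"

def content_policy(doc: Document) -> str:
    """Block when the body contains a Luhn-valid card number, regardless of labels."""
    for m in CARD_RE.finditer(doc.body):
        if luhn_ok(m.group(0)):
            return "block"
    return "allow"

def evaluate(docs):
    """Return {name: (label_decision, content_decision)} for each document."""
    return {d.name: (label_policy(d), content_policy(d)) for d in docs}

# Constructed sample documents (not real data).
SAMPLE_DOCS = [
    Document("labelled-cards.txt", "Card on file: 4111 1111 1111 1111", {"Confidential"}),
    Document("unlabelled-cards.txt", "Card on file: 4111 1111 1111 1111"),
    Document("unlabelled-merger-memo.txt", "Board approved the acquisition; announce Monday."),
    Document("invoice.txt", "Order ref 1234 5678 9012 3456, thanks."),
]

if __name__ == "__main__":
    for name, (by_label, by_content) in evaluate(SAMPLE_DOCS).items():
        print(f"{name:28} label={by_label:5} content={by_content}")
```

The two rules show the gap: the label rule catches the labelled document and nothing else, so the identical card data in the unlabelled copy walks out on that rule alone. The content rule catches the card number wherever it appears, but the unlabelled merger memo contains nothing pattern-shaped, so neither rule stops it. That memo is exactly the data DLP is usually bought to protect, and the only thing that would have caught it is someone having labelled it when it was written.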

Role Based Access Control (RBAC)

I love the concept of RBAC. It allows for a consistent application of security rights and permissions across the organization. But, unfortunately, RBAC projects turn into white elephants. Too many solutions have been put into place in an organic manner and, as a result, RBAC projects mean having to go back into legacy solutions and redesigning them with specific roles.

A better solution is to ensure that you have properly defined roles in the first place for your solutions. Most projects don’t have well-defined roles, so learn to actually define roles and control who has those roles. If your organization shows the maturity to consistently create roles across all projects, then look at RBAC. But I would bet that you won’t find that happening.
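What “define roles and control who has them” looks like in a single application, as an added example that is not code from the original post: roles are declared once as named permission bundles, only declared roles can be assigned, and two report functions answer the questions an access review asks, namely who holds a given role and which permissions people hold that no role explains. The role names, permissions and principals are hypothetical.

```python
from dataclasses import dataclass, field

# Added example, not from the original post. Role names, permissions and
# principals below are hypothetical.

# Roles are defined once, up front, as named bundles of permissions.
ROLES = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin":   {"report:read", "report:export", "user:manage"},
}

@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)
    # One-off permissions handed out directly: the "organic" growth an RBAC
    # project later has to unwind.
    direct_grants: set = field(default_factory=set)

def assign_role(p: Principal, role: str) -> None:
    """Only roles that were defined up front can be assigned; a typo does not create a role."""
    if role not in ROLES:
        raise ValueError(f"undefined role: {role}")
    p.roles.add(role)

def effective_permissions(p: Principal) -> set:
    """Union of every assigned role's permissions plus any direct grants."""
    perms = set().union(*(ROLES[r] for r in p.roles))
    return perms | p.direct_grants

def is_allowed(p: Principal, permission: str) -> bool:
    """The single check every code path should go through."""
    return permission in effective_permissions(p)

def holders_of(principals, role: str) -> list:
    """Who holds a role: the list an access review signs off on."""
    return sorted(p.name for p in principals if role in p.roles)

def out_of_role_grants(principals) -> dict:
    """Permissions people hold that none of their roles explains; each entry is legacy debt."""
    report = {}
    for p in principals:
        covered = set().union(*(ROLES[r] for r in p.roles))
        stray = p.direct_grants - covered
        if stray:
            report[p.name] = sorted(stray)
    return report

def build_sample():
    """Constructed principals, not real accounts."""
    alice = Principal("alice")
    assign_role(alice, "admin")
    bob = Principal("bob")
    assign_role(bob, "viewer")
    carol = Principal("carol", direct_grants={"report:export"})  # granted ad hoc years ago
    assign_role(carol, "viewer")
    return [alice, bob, carol]

if __name__ == "__main__":
    people = build_sample()
    print("viewers:", holders_of(people, "viewer"))
    print("stray grants:", out_of_role_grants(people))
```

The `out_of_role_grants` report is the part that matters for the point above: carol can export reports, but nothing in the role model says why. Multiply that across every legacy system that grew its permissions organically and you have the inventory an RBAC project has to redesign, which is the white elephant.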

Smart Cards

Okay, this will be one that I’ll get push back on from a lot of people. But, to me, there are better solutions than using Smart Cards to allow access onto computers. Physical access into rooms? Sure. But using them for two-factor authentication into computers isn’t the best solution. You have physical components in the laptop (the reader) that have to work, and you have the actual management of a physical product.

A better solution would be to use a two-factor solution like the RSA SecurID software token. You put the application on your cell phone and, all of a sudden, you don’t have to have a physical device (or the distribution network associated with a physical product). It’s software based, so it’s easy to deal with issues remotely, whereas a broken physical card reader will require a person to come to your desk.


At the end of the day, make sure that the solutions you buy are ones you can actually leverage and that will stand the test of time. What security technologies do you view as not having been worth their expense? Some things become standards of the trade. Do you see your choice becoming an industry standard? If not, don’t jump into it.

Hope that helps…

