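This is an article published in Network World on May 2, 2011, about the reality that the security products enterprises deploy today are cut off from one another. As I argued earlier, "current security construction is overly absorbed in 'deconstructing security' and has lost sight of the original goal"; I believe that what matters more for security today is a focus on "security integration", which the article's author calls "interoperability" and "glue".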

Never buy a single-purpose tool. (Note: I think single-purpose is not the same as single-function.) Inspired by Alton Brown, who advises not to buy kitchen tools that are "uni-taskers" (e.g. a cherry pitter). Instead, make sure every tool or appliance you buy can be applied to different types of risk and attack. Widely applicable tools that are not specific to one threat will make a more effective toolbox and will provide deeper defenses and more overlapping layers of defense. Evaluate whether the tool or security solution covers:
• External and insider attacks
• Malicious and inadvertent incidents
• Known and unknown threats
• Automated and targeted attacks
• Heterogeneous OS and platforms (including mobile)

Avoid management feature overlap. (Note: many management functions can be turned into a platform and belong to shared security infrastructure.) You don't need another reporting engine for compliance. You need the tool to integrate with your existing reporting engine.

For each of the following areas you should think about building a multi-vendor, open-standards based, shared infrastructure. You should avoid replicating these functions in every tool:

• Logging and auditing
• User, group and role directory
• Policy management
• Alerting and notification

Focus on assets, not threats. (Note: in effect, this means focusing on the object being protected, rather than the *** and behaviors directed at it.) A tool that protects any asset against one specific type of threat (e.g. guns, but not box cutters) is not as useful as a tool that protects one asset against any threat (e.g. reinforced flight-deck door). If attackers can simply switch attack vectors, they will. If they have to switch targets you have disadvantaged them.

Mortar, not bricks. (Note: that is, focus on integrating security silos.) The part that makes a wall strong is the mortar, not the bricks. Disconnected bricks fall down with a slight nudge. Buy "glue" software and security solutions that tie together various controls, monitoring systems, notification systems, etc. A well-integrated system with fewer controls is better than lots of disparate controls with no glue.

Empower people, i.e. strengthen staff development. (Note: security is still far from being automated and needs the involvement of security engineers. The goal of deploying security devices and systems is not to replace people, but to make people more efficient.) Security cannot be automated as much as you'd like. Human adversaries will always be smarter than automated tools and will leverage human ingenuity to skirt around your protections. You can't replace well-trained security professionals exercising judgment with computers. So empower the people by giving them tools that multiply their impact and productivity, instead of trying to replace them.


Standards, standards, standards. (Note: standards matter, and all the more so during integration; otherwise you are building a wall out of sand.) Interoperability and "glue" infrastructure requires open APIs, open protocols, open formats and open standards. How do you know it's really open and not just a committee endorsement of pseudo-standards? Look at how many different, potentially competing companies can interoperate using the standard. Ask the vendor: "Which of your competitors uses this?" If the answer is "none," then it's not a standard.

The author concludes: If all security buyers make slightly different choices, the industry will shift, dramatically and rapidly. There has never been a greater need for change in our industry.