compliance

Today, John Sheesley amused me with his attempt to use Windows 3.1 (actually 3.11 Windows for Workgroups) as a workstation of 2008. Those of us who remembers WFW, may wonder why on earth he would do that for, but I leave it to that.

One should think that using a software that was designed only 15 - 20 years ago should be quite possible today. After all, a PC is still a PC, right?

Not so. A PC of today (2008) is based upon the same principles as back in the early 1990's, but the technology has reach a maturity point where backwards compatibility hardly exists.

Yes, you may get WfW to actually work, if you like many others keep an old 486, or even a P1/P2 in a closet nearby. The challenge will be to render it useful, as John realises:


And IE 5 is not 15 years ago - it is more like 5.

Now, why should you, a security minded reader, care about the fact that John failed this project?

Several reasons comes to mind:

• From a continuency point of view - if you rely on some old hard-/software, make sure you have the tools and systems available in case of a failure.

It is not enough to dust off the old software boxes, you need to set up a system in parallel and see that you have all the bits it takes. I even suggest you make this a routine thing - once every year, month or week - depending on the criticallity. I also suggest you start plan to change the old system for something a bit more modern.

• From a data storage point of view - if a software can become totally obsolete in less than 5 years, you need to make very sure that your backup systems; long-time storage; and other data you may require access to in the future; uses technology you are able to access.
  

If you have a bundle of old tapes from a streamer that got replaced some time back - will you be able to access that data? Also consider the long-time effect light, magnetizm and dust has on equipment. CDs and DVDs are not safe for more than 10 years storing - but even that is no guarrantee. (Opposed to the advertisments in the midle of the 1990's, claiming CDs to be the best long-term datastorage available...could last for a houndred years, they claimed...)

• From a compliance point of view - if you are obligued to store information for a periode of time - 3, 5, 7 or 10 years - you are also obligued to be able to access the same data in the future. It is your responsibility, and it is usually a good idea to plan the technology at the same time you plan what and where to store your data.

I find one of the comments to the article particularly nice:



Yes, XP, 2000 and many others will be out of date. 2000 actually did this summer, when MS pulled the support for it. Anyone remember OS/2? DOS I guess most still remember, but only hardcore, old-guys still uses it to some extent. The world (and the technology with it) moves on.

To keep up with changes, you need to keep track on what is going on, as well as on your own requirements. You are required to update once in a while, but you do not need to jump on the latest versions of everything - unless you have special requirements. It is simply a matter of balancing your needs.

One of my favorite bloggers, Rob Newby has been ranting about business, technology and compliance the past few days.
He is making one major point - NAC and Firewalls will not last forever.

Although I am certain that his posting will uproar some of the vendors, and some of the technical readers as well, I happen to agree with Rob.

Technology evolves. It changes. It adopts.
Most importantly, it must change. It should adopt. If it did not, we would still be riding rock carts like the Flintstones.

And I must admit I prefer heated, leather coated, soft seats, where I can listen to an V8 roar at my willing. Knowing that some years down the line, the V8 will be replaced by an electric engine.

With IT, it is the same thing. As it is with security. The thing on your lap is not an ENIAC, mind you!

If you take a look at the firewall, it is easy to understand as well. The port controlling (stateless) FW from the 80s is still in place in today firewalls, but is only a small part of the package. Add statefull inspection, AV&AS, webfiltering, VPN and a coffee machine, and you have the UTM of today.

With NAC, the same thing will happen. It will end up as a part of the internal security systems only. And some years down the line you no longer realize that what was key technology in 2007, happens to be only one of many technologies that takes care of your ICT systems.

The challenge of all times in a commercial world is to be able to look beyond the buzzwords. To use your own business targets, goals and challenges when you choose your strategy.

Only when you take control yourself will you be able to control your world. If you leave the decision making to vendors and buzzwords, you will find yourself a hostage of insecurity - you will never know if you are adequately secured. And that is the point of forcing compliance and governance - to put you in control, to enable you to drive your modern, secure and up-to-date car. 

So that you do not have to keep dinosaurs as pets and kicking about in your rock cart.