Summersault Blog

Bruce Schneier’s Secrets & Lies

Posted by Chris Hardie on August 25th, 2007

As we’ve built Summersault’s web hosting infrastructure over the years, I’ve had a great time learning all about the security and privacy issues that come with managing a complex network of computer servers connected to the Internet. Of course, it didn’t begin there - part of being a good geek has always meant showing curiosity in how things work and what’s going on behind the scenes, and I can’t remember a time I haven’t enjoyed testing the boundaries of how secure various systems are. Perhaps that’s why I very much enjoyed Bruce Schneier’s book Secrets & Lies, a formalized (but accessible) look at a lot of the security concepts and practices I’ve encountered over the years.

I don’t typically have the patience for a 400-page book about any particular technical or scientific topic unless it’s really engaging, and Schneier generally rises to the occasion. He covers a wide swath of security concepts, trends, approaches, and history, all interspersed with relevant and fascinating anecdotes of security done especially well or especially poorly. If I ever teach a course on security, it’s sure to be required reading, and its excellent structure makes it almost read like a textbook anyway. Schneier covers the nature of the landscape of computer security (what the threats are, who is doing the attacking, what real security means), the tools and technologies that are in play (cryptography, authentication, networking, software, hardware, human factors), and the strategies used in seeking security (threat modeling, risk assessment, security policies, testing). All of this is done with language and examples that are generally very accessible to the lay-person, although he does occasionally dive into the world of mathematics or even just technology culture in ways that someone looking for a higher-level overview might not find interesting.

In his afterword, Schneier does admit that the book is somewhat self-serving as an extended pitch for the services that his company, BT Counterpane Managed Security Services, provides to its clients, but he by no means interjects advertisements in the text itself. The observation is noteworthy, however, because of an epiphany that Schneier notes having in 1999, when he realized that security is not just the mathematics that go into making computers and networks secure through encryption and other mechanized means, but that it is a process of working with threat and risk assessment, the factors that go into prevention, detection, and response, and the people who are responsible for enacting or observing a security policy. And throughout the book, Schneier lambastes the people or vendors who sell products that claim to let you buy security - “Hacker-Proof” or “100% Unbreakable Encryption”, etc. Because the tools and resources available to attack any given security protocol will always be improving, he focuses on implementing security strategies that are appropriate to the threats and risks actually faced, and this feels like a great approach to me.

Schneier also has enough of a global context to disclaim that “this book is about security from the point of view of the industrialized world, not the world torn apart by war, suppressed by secret police, or controlled by criminal syndicates. This book is about the relatively minor threats in a society where the major threats have been dealt with.” I appreciate that perspective; it’s important to me that specialists in such technical topics as computer security remember how the discipline fits into the bigger picture of what’s going on in the world, even if we don’t immediately address that larger context (and Schneier does not in this publication).

I can recommend Secrets & Lies to anyone who is interested in understanding even a little more about the issues at play when we think about security and privacy in our highly digitized world. Even if you don’t administer a computer server or build websites, it can be useful or interesting to know what processes and philosophies are at work in keeping “your data” secure. And certainly, for anyone who works in the world of securing networks or computers, this book will be a great structured tour through the practices and thought-processes you should be using every day.

2 Responses to “Bruce Schneier’s Secrets & Lies”

  1. Bruce Says:

    Hi Chris,

    Thanks for letting us know about this book. I’ll definitely go and find it in my local bookshop, or Amazon failing that :)

    So what have you guys at Summersault implemented in terms of security?

  2. Chris Hardie Says:

    Thanks for reading, Bruce. Regarding your question, I guess there’s not a short answer to what we’ve implemented. We do all the usual stuff for prevention/detection/response - firewalls, logging and analysis tools, network segmentation, etc. Beyond that, I suppose I would be ignoring good security practices by listing it all out here in detail :) but if you have specific questions, feel free to contact me directly.

    Chris
