


Regrettably, I have to disagree with your chart. I think that somewhere around 2005 or so the case could be made (oh, wait, PCI states it) for data encryption as a standard control. I think the need for field, column, or row level encryption by 2007 should have been considered SOP, despite the relative immaturity of key management solutions. I don't think that firewalls or SSL accomplish what good quality data encryption can accomplish, but then maybe I'm just too big of a fan. fwiw.


@Ben here is a list of 261 million people who disagree


It's not a matter of whether there are better controls; it's a matter of them being sine qua non.

Jon Passki


I challenge you to retire your chart above. I find it ironic that the purpose of the chart is to highlight the lack of progress in security over the last decade or so. It has been used in 25% (5/20) of your posts from April and May, showing a staleness in your messages. Or, compromise, and just use it once a quarter :-) But, please, stop emphasizing its usage so much...


Ah, so your chart is what is in place, not what /should/ be in place? I guess I can't disagree with that. My point - which you absolutely prove - is that firewall+SSL is not anywhere near adequate any more, and hasn't been for a few years. People seem to fear encryption.


@Jon - I am looking forward to retiring the chart. I was hoping to retire it because infosec invented and deployed something rather than because people got tired of hearing about infosec's multi-decade track record of non-innovation.

Bruce Schneier

I don't want to trust the cloud, either. Unfortunately, we won't have any choice.


@Gunnar - It's OK to hammer in a point, especially if the audience is dull. But, I'm guessing we're more on your side than against and the message is stale. Eventually, if you keep on saying something is broken, then you'll be the one expected to fix it :)

So, what technology will you add to the 2nd column?

John Cowan

Business most certainly is based on trust. Imagine a world in which, when you sign a contract with a supplier, you know there's a 75% chance he won't deliver unless you go to court. And the court order isn't worth the paper it's written on unless it's enforced by, er, enforcers. And what's more, your own partners and subordinates are looking every minute of every day to fit you out with cement overshoes so they can take over.

Trust is the foundation of business. All the other stuff you mention is barely noise-level compared to the huge majority of commercial transactions that go through just as everybody trusts that they will.


@Bruce Schneier-
I think trusted/untrusted is completely the wrong question to ask. I will address this in the next post.

@Jon - how about SAML, Information Cards, Input Validation, and Output Encoding for a start?


@Gunnar. OK, well, then update the graphic! Don't tell me; tell your readers :-p (I was being a bit rhetorical)

Pedro Felix

Reading your post reminded me of a very interesting presentation by D. Gollmann about the role of trust in security: Why Trust is Bad for Security
