Thursday, April 10, 2008

Catching them early ... build security into the psyche

I have been thinking about this for quite a while, and had written to a management institute in Mumbai (India) to propose an addition to the curriculum, and establish thought leadership in IT education in the country.

Since I had been a guest lecturer for two semesters for the IT Audit elective in the IT Management curriculum, I wrote to them, as they were the only institution where I was familiar with someone in the management. I have not got a response from them yet, and I shall look at some means to connect with other institutions in India and elsewhere.

And today I read Mary Ann Davidson's blog ... she has obviously spent a lot of time on this, as compared to my stumbling on a thought while rambling away. And she would, since it is straight off something which has clearly been an issue at her organization and more.

There are a lot of things which are right in what she says, but then the American psyche is to think University and a formal, regulated education system. My thinking about the subject was more at the grassroots level, where the problem begins... and being from India, I tend to think neighborhood before going mainstream.

My thoughts go to the zillions of tiny, mid-sized and large institutes that dot the Indian countryside and cities - teaching Oracle, Java, .NET, C and what have you. Costs may start as low as $100, and students are usually new graduates from school or university. They are looking at learning 'computers' to get a break in IT and make a good salary. Many are guided by word of mouth or by a counselor that a certain course is 'hot' in the market, and that is the motivation to join the course - he / she will finish the course in 4 - 8 weeks and try to join the developer mainstream. These students may or may not be engineering or science graduates. The instructor may usually be an ex-student paying off his / her discount from the course fee for a stipend, teaching by rote from the book which he / she learned from a few weeks earlier.

These students are hired by companies large and small, put through in-house training if in a large organization (otherwise he / she learns on the job), and deployed on development projects for overseas customers.

This is the bulk of the workforce, which grows in its roles; the smart ones pick up certifications and skills and grow. Others take time, but they grow too, since they keep learning better practices.

So how does one control the millions of students who are half-baked in terms of their understanding of the processes underlying the systems they are going to program for, and are unaware of the expectations these systems and the industry have of them?

This is where the solution has to be found... yes, the large, organized and funded universities and institutions will teach security as part of their programs, and the Ivy League graduate will come out of the education system properly ordained into the culture of security and best practices, but the bulk of the workforce still remains to be addressed.

I don't believe DHS or the Universities can do anything here, as this solution has to come from industry leaders in software, hardware and databases, like Microsoft, Oracle, Sun, Apple, Intel, AMD and others. The underlying systems have to be tuned NOT to accept calls under normal computing commands.

If I am designated as a common database user, why do I need to look at the structure or permissions or settings? My application interface is built to carry out my read/write and report functions. In such a scenario, a default database installation may be configured to accept calls ONLY from applications X, Y and Z, and force a change of the Administration login / password on installation. The argument will be that this can be taken care of by an Identity Management System, but how many IdM installations do we find in mid- and small-sized companies? Or large companies, for that matter.

Underlying systems have to demand secure access and practices from the application layer and the GUI. This will force the industry to ensure that secure practices start getting the same level of importance as syntax. Sit in a class, and you will know that the only thing taught is syntax and compilation, debugging and rollout. Testing is a different profession!
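The two paragraphs above sketch a database that is secure out of the box: it accepts calls only from applications registered at installation, and it refuses to do administrative work until the shipped administrator password has been replaced. The script below is an added illustration written for this post, not code from any vendor's database; the server, its shipped default password, the application names X, Y and Z, and the per-application secrets are all constructed. Each registered application proves its identity with an HMAC over a server-issued nonce, so an unregistered client, a client with the wrong secret, or a replayed proof is denied by default, and the audit log records why.

```python
"""Secure-by-default database gate (constructed illustration for this post)."""
import hashlib
import hmac
import os
import secrets

DEFAULT_ADMIN_PASSWORD = "admin"   # hypothetical password shipped with the installer
PBKDF2_ROUNDS = 100_000
MIN_ADMIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored admin hash is not directly reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_client_token(app_secret: bytes, nonce: bytes) -> bytes:
    """What a registered application computes to prove it holds its secret."""
    return hmac.new(app_secret, nonce, "sha256").digest()


class SecureByDefaultDatabase:
    def __init__(self, allowed_apps: dict):
        # app name -> shared secret provisioned for that application at install time
        self._allowed_apps = dict(allowed_apps)
        self._pending_nonces = set()          # challenges issued but not yet answered
        self._admin_salt = os.urandom(16)
        self._admin_hash = hash_password(DEFAULT_ADMIN_PASSWORD, self._admin_salt)
        self.admin_password_changed = False
        self.audit_log = []

    def challenge(self) -> bytes:
        """Server-issued nonce; each one is accepted at most once (no replay)."""
        nonce = os.urandom(16)
        self._pending_nonces.add(nonce)
        return nonce

    def connect(self, app_name: str, nonce: bytes, token: bytes) -> bool:
        """Default deny: anything not explicitly registered and proven is refused."""
        if nonce not in self._pending_nonces:
            self.audit_log.append(f"DENY unknown or replayed nonce from {app_name!r}")
            return False
        self._pending_nonces.discard(nonce)   # consume the challenge either way
        if app_name not in self._allowed_apps:
            self.audit_log.append(f"DENY unregistered application {app_name!r}")
            return False
        expected = make_client_token(self._allowed_apps[app_name], nonce)
        if not hmac.compare_digest(expected, token):
            self.audit_log.append(f"DENY bad proof of secret for {app_name!r}")
            return False
        self.audit_log.append(f"ALLOW {app_name!r}")
        return True

    def admin_login(self, password: str) -> str:
        """Returns 'ok', 'must-change-password' or 'denied'."""
        if not hmac.compare_digest(hash_password(password, self._admin_salt), self._admin_hash):
            self.audit_log.append("DENY admin login")
            return "denied"
        if not self.admin_password_changed:
            self.audit_log.append("admin login with installation default; change required")
            return "must-change-password"
        return "ok"

    def change_admin_password(self, old: str, new: str) -> bool:
        """The only admin action allowed while the shipped default is still in place."""
        if self.admin_login(old) == "denied":
            return False
        if new == DEFAULT_ADMIN_PASSWORD or len(new) < MIN_ADMIN_PASSWORD_LEN:
            self.audit_log.append("REJECT weak admin password")
            return False
        self._admin_salt = os.urandom(16)
        self._admin_hash = hash_password(new, self._admin_salt)
        self.admin_password_changed = True
        self.audit_log.append("admin password changed")
        return True


def demo() -> dict:
    """Exercises the gate with constructed applications X, Y and Z."""
    app_secrets = {name: secrets.token_bytes(32) for name in ("X", "Y", "Z")}
    db = SecureByDefaultDatabase(app_secrets)
    results = {}
    n = db.challenge()
    results["registered_app"] = db.connect("X", n, make_client_token(app_secrets["X"], n))
    results["replayed_nonce"] = db.connect("X", n, make_client_token(app_secrets["X"], n))
    n = db.challenge()
    results["unregistered_app"] = db.connect("adhoc_tool", n, make_client_token(b"guess", n))
    n = db.challenge()
    results["wrong_secret"] = db.connect("Y", n, make_client_token(b"guess", n))
    results["default_admin"] = db.admin_login(DEFAULT_ADMIN_PASSWORD)
    results["weak_change"] = db.change_admin_password(DEFAULT_ADMIN_PASSWORD, "admin2")
    results["good_change"] = db.change_admin_password(DEFAULT_ADMIN_PASSWORD, "correct-horse-battery-2008")
    results["admin_after_change"] = db.admin_login("correct-horse-battery-2008")
    results["old_admin_after_change"] = db.admin_login(DEFAULT_ADMIN_PASSWORD)
    results["audit_log"] = db.audit_log
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that nothing has to be bolted on afterwards: the allowlist and the forced credential change are the installed state, so a shop with no Identity Management System still gets a database that rejects unknown callers and will not run on the shipped administrator password.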

Another example can be to have a feature for secure documentation. Or term it secure editing. If I coin an industry word, it will be secure word processing. As MS-Word is the most commonly installed word processor, why does Microsoft not have an add-on which will provide a secure documentation feature? This can be a common feature in the application which will encrypt the document as it is saved. The application will use the owner's private key and challenge questions which will have been stored in the user profile. This can be an enterprise feature too, and will help save countless idiotic incidents where data is lost by banks, corporations and government agencies.

Security and privacy need to be safeguarded, and the psyche has to be tuned to accept this as a way of life. Education has an important role to play and must start as early as possible. Going back to school and the early years, when the child is first exposed to computers and computer games, it would be good to teach him / her that the machine is highly versatile, will help do all sorts of work and will entertain too; however, while enjoying the fruits of computing power there is a certain way of life which has to be followed (online and offline), and that is the path of secure and safe computing.