On Wed, 13 Mar 2002, Sean Donelan wrote:

:With convergence, do you think we will get the best security practices
:from both worlds, or the worst?

Most organizations' security policies have grown organically, or by precedent, as opposed to being 'architected'. When convergence occurs, the company with the most existing security infrastructure 'wins'. By this I mean their practices are adopted by the less organized one. Also, I have seen some very elaborate, enterprise-wide free software security solutions that were technically elegant, and very robust, but they were swept aside because the owners of these systems could not adequately communicate their business value. It has been my observation that convergence doesn't relate so much to the integration of technologies to provide new services, as it does the rationalization of differing business models into new ones.
From a big picture security perspective, the security challenges of a convergence between a telco and a satellite tv company aren't as much about integrating the various networking technologies and exposing ground station computers to the Internet, as they would be about DRM, fraud mitigation, subscriber privacy and infrastructure protection.
The reason I'm mentioning this is because I have heard some security people talking about the problems with IP gateways to the PSTN, which is legitimately frightening to many, but the issue isn't about what will happen when some PBX manufacturer puts an IP stack and an ethernet card in their product without doing security QA testing. It is about whether the traditional telecom security models that look a lot like corporate IT, where network people don't touch servers, and vice versa, will work when the line blurs between the network and the application. In corporate IT, I am one of those "Internet guys" that thinks he can manage systems _and_ networks, which is like saying to me that I play both kinds of music, country _and_ western.

Worst case scenario, we get Kafkaesque bureaucracy with no standards or procedures. Best case, we get a hybrid of strong, auditable and enforceable policy, with an understanding of the systems and networks as a single service as presented to the customer.

So, as for whether we will see better or worse security policy, I can guarantee we will see the most cost-effective solutions, meeting the minimum legal requirements, which serve customers' needs, and improve overall ROI for stakeholders. In other words, not much will change by virtue of convergence alone. It will take education, possibly regulation, and market incentives to create better security policy, and I think these things are independent of the features of new technologies.

Cheers,
-- 
batz