Friday, February 15, 2008

Hail the New Information Security World

As it happens I'm deep in Information Security management at the moment which is an interesting diversion from HPC. A young turk is trying to set up an Information Security practise at the firm of some chums and has been asking my advice on where Information Security is at and where it's heading. His hypothesis was to structure it along three lines: architecture (application and networks), implementation and compliance.

This, I feel, reflects the information security world of the past - blighted with too many people who write abstruse policies which no one reads and are heard to continually say "no you can't do that".

I feel it's time for a change so I proposed the following thre
e areas:
  • Security Architecture
    • Strategy
    • Governance
    • Policy framework, policy and process design
    • Security architecture: security architecture patterns
    • Security API design and analysis
    • Operational infrastructure design and implementation
    • Product selection procurement
    • Process design
  • Information Security Operations
    • Process implementation and operation
    • SLA, compliance monitoring and reporting
  • Information Security Analytics
    • KRI production, trends, outlier analysis, event correlation, ad hoc reports, event visualisation
    • Forensic evidence capture, expert witness
    • Risk Assessment
But there's still something missing - the process of cumulative risk management. Click the image to expand:



General-purpose parallelism

Via Joe Duffy's weblog I just watched an interesting interview with Burton Smith, which is definitely worth sharing. It's about an hour long but here are some key points (many of which we have discussed here in the past):
  • He discusses the "Von Neumann mistake" which has led to problems with scheduling due to shared state in computer programs, and ways to solve these problems
  • Software transactional memory is a potential solution but currently has issues with scalability
  • He is most enthusiastic about functional programming languages. Interestingly he points out that the most commonly used functional languages are Excel and SQL.
  • Existing programming languages cannot be "tweaked" - an entirely new way of writing programs is needed to obtain the necessary levels of productivity
  • He also says that if Microsoft doesn't solve this problem, nobody will. Maybe he's paid to say that, but they are doing some interesting things with .NET, in particular Smith notes that F# is being "productized" and they are working on parallel LINQ