Don Weber wrote a post last week describing his thoughts on the consolidation of [security] controls and followed it up with another today titled "Quit Complicating our Controls - UTM Remix" in which he suggests that the consolidation of controls delivers an end-state of additional "complexity" and "higher risk":
Of course I can see why people desire to integrate the technologies.
- It is more cost effective to have two or more technologies on one piece of hardware.
- You only have to manage one box.
- The controls can augment each other more effectively and efficiently (according to the advertising on the box).
- Firewalls usually represent a choke point to external and potentially hostile environments.
- Vendors can market it as the Silver Bullet (no relation to Gary McGraw’s podcast) of controls.
- “The next-generation firewall will have greater blocking and visibility into types of protocols,” says Greg Young, research vice president for Gartner.
Well, I have a problem with all of this. Why are we making our controls more complex? Complexity leads to vulnerabilities. Vulnerabilities lead to exploits. Exploits lead to compromises. Compromises lead to loss.
Don’t get me wrong. I am all for developing new technologies that will allow organizations to analyze their traffic so that they get a better picture of what is traversing and exiting their networks. I just think they will be more effective if they are deployed so that they augment each other’s control measures instead of threatening them by increasing the risk through complexity. Controls should reduce risk, not increase it.
Don's posts have touched on a myriad of topics I have very strong opinions on: complex simplicity, ("magical") risk, UTM and application firewalls. I don't agree with Don's statements regarding any of them. That's probably why he called me out.
The question I have for Don is simple: how is it that you've arrived at the conclusion that the consolidation and convergence of security functionality from multiple discrete products into a single-sourced solution adds "complexity" and leads to "increased risk?"
Can you empirically demonstrate this by giving us an example of where a single function security device that became a multiple function security product caused this complete set combination of events to occur:
- Product complexity increased
- Lead to a vulnerability that was exploitable and
- Increased "risk" based upon business impact and exposure
I'm being open-minded here and rather than try and address every corner-case I am eager to understand more of the background of Don's position so I might respond accordingly.