Better documentation and better GUI interfaces will make a huge difference, but these things take a lot of time and effort. It is getting there, it just has a way to go.
What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?
Unquestionably, the biggest challenge is with the people within the enterprise. All the technology in the world won't prevent someone from giving out their password or doing damage to a compute environment.
What's your take on the adoption of Linux in the enterprise? Do you think it will give a boost to security?
I think that it has been slowed by the dot com bomb, but the evidence that it is moving into the enterprise is everywhere. Even IBM offers Linux on an LPAR and they've got customers using it. The biggest limiting factor with its adoption in the enterprise, I believe, is the knowledge required to provide various higher end functionality. It is one thing to set up a Linux desktop or server, another to configure a Beowulf cluster. Because there is limited support for Linux, administrators have to become much more knowledgeable. Although this is also true with commercial UNIX systems (Solaris, AIX, HP-UX, etc.), those commercial companies offer a variety of support services including customization and consulting. Often, with Linux, the best support available is a newsgroup or email alias. Having said that, though, there are many companies that are offering customized Linux solutions - it's a very different business model and not as prevalent as commercial UNIX offerings.
I believe that it definitely provides a boost to security, generally. Anything that can be done for security can be done on a Linux box more cost effectively and, because of the open source nature of Linux, more customizably.
What do you think about the full disclosure of vulnerabilities?
I've always felt that full disclosure of vulnerabilities is critical. The bad guys are going to find out about them whether they're disclosed or not. By disclosing them fully, administrators minimally have an opportunity to do something about them.
What are your future plans? Any exciting new projects?
Right now, I'm enjoying C++ and Java coding and fixing old cars in my spare time. I'm doing a lot with networking these days, so I'll probably end up doing some work on the network administration book.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.