An Open Letter to IT Vendors For 2012


2012 is nigh upon us and with the new year, I am throwing down a challenge to each and every IT vendor out there. 2011 was a brutal year of incidents, breaches, outages and FUD and the last thing anyone needs is a repeat performance. Instead, please take this list back to the development teams, product managers, marketing department and sales team and do your best to be part of the solution this year, not another problem.

  • Do not ship any product with insecure protocols used for administrative/programmatic access even available in the configuration options

    Router/firewall vendors: remove telnet completely from the configuration options. All vendors: Only make your web interfaces & APIs available via TLS/SSL (even if that means shipping with default, self-signed certificates). Where you must leave a choice (e.g. legacy support), present the default configs with only secure options for new installations and slap enough warning dialogs to annoy organizations’ IT workers into Doing The Right Thing™.

  • Default to integrating with centralized identity & access management systems

    I understand the need for one “failsafe” account to get into the application prior to full integration, but if you should be ashamed of yourself if you ship a product that uses local accounts &amp groups and has no robust means of integrating with SiteMinder, Active Directory, LDAP or other centralized systems. Every organization need to be able to control all access as centrally as possible and you are doing us all a disservice by not providing this functionality.

  • Have multi-factor support for administrative access

    Lack of control of admin-level access is one of top findings in audit reports. There are a multitude of multi-factor authentication systems out there, many at little-to-no-cost. Giving organizations the means to stave off hackers and auditors in one stroke will score you major points, especially at contract re-up time.

  • Provide robust & open reporting out-of-the-box

    You all claim to provide good reporting and you all lie. All of you. Capture every action and event and make it easy to get to that data, even if it means providing access to the back-end database (read-only, of course). The ability to tie reporting sources together is one key weapon in our arsenal as we try to defend our organizations from malicious individuals (both internal and external). Giving us the ability to slice & dice what is happening in your systems (using any tool we want) is a crucial component in this defensive strategy.

  • Don’t use “cyber” or “APT” in any of your literature this year

    I’ll give you a pass if more than 75% of your revenue comes from the U.S. government as you have to sell you wares to them with those keywords in your proposals or you’ll never get in the door. But, when selling to the rest of us, forget buzzwords and give us practical solutions to help in ailing areas such as signature-based anti-malware or managing a ton of boxes in a private cloud effectively. We don’t need FUD, we need to be fed a healthy diet of cost-effective, easy-to-manage, enterprise-capable wares.

  • Align your licensing structure to fit “the cloud”

    Many of us are having to become contract, legal and finance experts just to be able to figure out how to make your products cost-effective in public and private clouds. I guarantee you that no matter how inbred you may be within an organization, you will be easily supplanted by the first competitor who makes it easy to transition from your tool and had a easy way to manage licenses in modern dynamic computing environments.

Those are just a few points, but it will be difficult for most of you to tackle even one of them. However, if even one of you does manage to check even one item off that list, you stand to help make Christmas a little more merry and a little more bright this time next year*.

*Apocalypse not withstanding.

Cover image from Data-Driven Security
Amazon Author Page

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.