Security technology is important, and key to building any really effective security system.
Firewalls, Intrusion Detection Systems (IDSs), Virtual Private Networks (VPNs), encryption systems, authentication systems, PKI, biometrics, asymmetric cryptography - the buzzwords are now an everyday part of the online world.
And they're legitimate: these are all important, sometimes critical parts of information security systems. But they're not the panacea some of their suppliers would have us believe. In the end, these are all simply tools: tools that reduce risk.
No vendor of a security technology will offer guarantees, and the reasons are the same as the reasons for the general increase in the information security problem:
- Increasing complexity, both within the security technology and in the systems its meant to protect;
- The growing inter-connectivity of systems; and
- The increasing population of hackers and their ilk;
More important than all the above, though, is the fact that an individual piece of technology is simply a tool to reduce risk. And properly implemented, and used with care, that's exactly what they will do: reduce risk, not eliminate it.
Which brings us to the final hurdle that technology can't clear: the human problem.
A password is no good if someone writes it on a Post-It note... biometic identification is no good if the security guard will let you in with his pass... the human problem is where technology really meets its limitations.
