I’m here in San Francisco, at the quiet first day of the RSA Conference, listening to a bunch of very smart people talk about computer and network security. There are a few things that pretty much everyone seems to agree on. The first of these is that the likelihood is great that something very, very bad could happen to the Internet and, by extension, a lot of the networks connected to the Internet, in the relatively near future. There is less agreement on precisely what form the attack will take, but there’s no question that we’ve seen an awful lot of “proof of concept” attacks and vulnerability probing over the last three or four years. The question isn’t whether there will be trouble — it’s what you, as a small business IT person, can do about it.

It’s easy to say, “I can’t protect the Internet”, and at a certain level that’s quite true. As small business folks, it’s not up to us to keep the Internet’s core routers patched and protected against attacks. To be honest, I’m pretty happy about that. I’m perfectly content to leave that job to other people. At another level, though, we can do a great deal to protect the Internet: We can keep our systems from being used to launch the massive attacks that have proven to be so devastating.

Bot networks have become incredibly sophisticated, moving control points around the Internet and successfully hiding their sleeper code until it’s used to tremendous effect as part of a spam wave or malware attack.
The best way to slow down one of these networks is to deny them soldiers — to keep your systems from becoming part of the network. This, at last, is where the whole parfait concept comes in. Thanks for waiting. One of my favorite scenes in the movie “Shrek” comes when Shrek is trying to tell Donkey just how complicated ogres can be. He tries using the analogy of an onion, but Donkey finally asks why he couldn’t have used a parfait model instead. “Nobody don’t like parfait,” says Donkey. I’ve decided that Donkey is right. It’s time to climb on board the Security Parfait bandwagon.

The idea, of course, is that you need multiple layers of security. There’s nothing new about that, but I’m more convinced than ever that we need to spend far more time on the layer that exists between the security staff and users. Communication about how security is working, the nature of the threats that face the organization, and just how important it is for users to be active pieces in the security system, is critical to preventing problems launched by social networking. On the flip side, users need to feel much freer to tell security when pieces of the security infrastructure don’t work, or cause so much difficulty for users that they’re tempted to go around the security. The bottom line is that security and end-users have to start thinking of one another as team-mates — partners in the security layer — rather than adversaries.

After you have the human layers working, the rest of the layers fall much more easily into place. In these technology layers, the multi-layer structure is important, not just because multiple layers are more difficult to penetrate, but because individual layers can be updated, modified, or swapped-out without toppling the entire structure. It’s not just more secure — it’s more stable and long-lasting. More secure, more stable, longer lasting, and ultimately more cost-effective — there’s a reason that everybody likes parfaits.