I had a conversation a few months ago with a guy with a problem: his company makes money selling Windows support services and programming to doctors - and some of them were asking for a meeting with company representatives to discuss patient data security.
I didn't laugh - but after he got through telling me the "good story" he has ready for them, I did ask if he thought his techies were more capable than those employed by the U.S. DOD, the British House of Commons, the VA, or even Microsoft - all of which have suffered serious data exposures due to Wintel security breaches. My bottom line, I told him, is simple: if large organizations with unlimited budgets, lots of bright people, and significant control over their users can't secure their PCs, I think we ought to conclude that it can't be done - or, more precisely, that the general failure to maintain data security across large PC populations and extended time periods demonstrates that the technology is inadequate to the problem, not that there's anything wrong with the people trying to administer it.
He tried to answer that by arguing that it's not the specific technologies, but the complexity of the problem. That's a common response, but one that confuses cause with effect: the complexity is the problem - and it's a consequence of the technology. Take client-server out of the picture and you're still liable to human spying or error, but technology-based attacks become largely irrelevant. Were he using centralized Solaris computing with Sun Rays and optical cabling, his exposure to electronic data theft or loss would be close to zero.
Since no one can reasonably argue with that, the common counterargument becomes the ad hominem one: a play on ignorance in which today's smart displays are equated with IBM's 1970s 32XX dumb terminals in order to attach the repugnance generated by data processing's control policies to today's best enterprise desktop management strategy. In reality we're now seeing precisely those control policies widely, and ineffectually, applied in the Wintel world, but of course the point of the thing is to mislead the gullible by making "terminal" a four-letter word - and invoking the hobbyist's view of the PC as personal to present client-server's risks and failures as somehow liberating in the corporate world.
They're not - quite the contrary, users have no more freedom or capabilities with locked-down corporate PCs today than their predecessors had in the seventies - and IT has even less because the risks and limitations that go with client-server constrain what IT can deliver, eat up the budget, and create significant unfunded liabilities for the organization. My friend's company, for example, will not survive the first significant leak of patient data to come to media attention.