See your link here
Do we need a security industry? (and eliminating uncertainty)
1 commentThank the flying spaghetti monster, it's Friday's IT Blogwatch: in which we ponder the fate of the security industry. Not to mention deterministic programming gone mad...
Bruce Schneier asks, "Do We Really Need a Security Industry?":
What [does] it mean for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren't IT products and services naturally secure, and what would it mean for the industry if they were?
...
The primary reason the IT security industry exists is because IT products and services aren't naturally secure ... Aftermarket security is actually a very inefficient way to spend our security dollars ... Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later.I know this is a utopian vision that I probably won't see in my lifetime, but the IT services market is pushing us in this direction. As IT becomes more of a utility, users are going to buy a whole lot more services than products. And by nature, services are more about results than technologies.
...
This is where the IT industry is headed ... Of course, security products won't disappear -- at least, not in my lifetime. There'll still be firewalls, antivirus software and everything else. There'll still be startup companies developing clever and innovative security technologies. But the end user won't care about them. They'll be embedded within the services sold by large IT outsourcing companies ... or ISPs ... or they'll be a check-box item somewhere in the core switch.
Security expert/pundit/provocateur Bruce Schneier, always entertaining, has one of those "He's right but so what?" columns ... this morning. (I recognize the genre because I've written my share.) The headline - "Do We Really Need a Security Industry?" - is the giveaway in that you'd expect Schneier's answer to the question to be no, just as you might expect the TV news tease "Big storm headed our way?" to mean that there's a big storm headed our way. We know better in the latter case, and you'll see the same in Schneier's essay.
...
The whereabouts of that initial "incentive to invest in security upfront" is something of a mystery - were it there today in sufficient quantities we wouldn't be having this discussion - but once located and widely acknowledged it's difficult to argue that the other pieces wouldn't fall into place. Today, however, the more prominent incentive for vendors is that so many customers appear perfectly comfortable buying today's level of security, so why should vendors invest the time, effort and money to provide more?
...
IT hardware and software vendors will continue to swear their fidelity to security and fail to deliver the goods. The security industry will go on pumping out products that network professionals will continue to buy and deploy because their failure to do so will lead to their unemployment, among other nasty consequences. Market forces may eventually bring us Schneier's "utopian vision" of a standard IT infrastructure built upon ubiquitous and inherently secure services, but I'm turning 50 this year and like Schneier do not expect to see this happen in my lifetime.
...
So, do we really need a security industry? Heck, yes. ... But we wouldn't if pigs could fly.
Here's a big cheer from Sylvan von Stuppe:
Finally - somebody else said it .. There are so many products out there to make up for things we should have done earlier. We make and sell these products to bolt on security when it's too late, rather than making things secure from the beginning. And not only that, we never really engineer the type of information into the design, either.Does your application really need for admins to be able to read all of the home addresses of your users, when you really just use a third party to do the shipping? Then you don't need to store it. The less sensitive information you have in the first place, the lower the risk of getting hacked. That's a design decision that needs to happen really early. Rather than trying to figure out how to protect credit card #'s, have we thought about whether we need them in the first place?
So back to the point - Schneier seemed to see at the [Infosec] conference a lot of what I see in trade rags now - product after product after product that doesn't really protect you, it discovers what's already broken - and something that should've been engineered properly in the first place.
Better ingredients == better pizza.
Better engineering == more secure code (without having to bolt on security later).
But Jamie Saker couldn't disagree more:
As an econometrician employed in the information security industry for one of the largest financial processors, I found Bruce's perspective both shocking and unfortunately not atypical. Bruce inadvertently touches on the fact that many executives and decision-makers ... naively expect perfection.Having served as a bank IT auditor in my previous capacity, I had countless interactions with bank managers who couldn't comprehend why the expensive, proprietary banking software system with an outlandish maintenance contract could be exploited with trivial efforts ... perfection was usually demanded, yet the reality of human imperfection ignored. The very environments that lacked the financial and personnel resources for appropriate compensating controls in separation of duties had even higher expectations of their technology assets to provide perfection that magically absolved the risk from these limited resource decisions.
...
Instead of pursuing the path of avoidance by expecting perfection as Schneier has outlined, successful systems will recognize that risk is endogenous. Once we've accepted that condition, we can focus our efforts on more successful measures that handle it and keep most of the risk behavior controllable and manageable.
The article assumes security is static: "..if computers were designed to not be susceptible to virii.."If it's not virri or worms or buffer-overflows then it would be something else. Human intellect has this uncanny ability to grow and adapt.
Lord Ender sees the oint in the flyment: [you're fired -Ed.]
The problem here is that 99% of software purchasers simply don't have the ability to evaluate a product on the merits of its security. They do have the ability to evaluate products on the merits of their prices. The companies that develop software know that doing security properly is extremely expensive, and requires hiring skilled specialists, and inegrating those specialists at all levels of the development process.
[So] there is a lot more ROI in developing cheap insecure software than there is in developing expensive secure software. This is an example of capitalism failing due to poorly-informed consumers ... the industry will continue along as it does today: cheap software and band-aid security.
But khasim has a counter-example:
Take a default installation of Ubuntu Feisty Fawn. Even if you hook it straight into the Internet WITHOUT an external firewall (or running any firewall software) you'll still be very secure. That's because, by default, there aren't any open ports. There's no way for any worms to attack your system. That's just basic security practice.Now, there are other ways to crack a default Ubuntu installation. But they require that the admin have done something to make it LESS secure (or you can physically access the box).
Time Ed says the point's being missed:
Its not that he's stating the obvious, he's saying the glory days of IT security as an aftermarket industry are over. The focus of IT security is shifting from point products that deal only with the threat du jour, to integrated infrastructure. Security as a service, if you will.Look at Cisco. More and more of the monitoring and mitigation systems we run are turning up as part of the switch in next generation gear. Businesses want simple, cost effective systems that are built in to the infrastructure, don't get in the way of the money-making, and keep the bank and federal auditors happy.
If buildings were fireproof we wouldn't need sprinklers. But people like to use paper and to have affordable buildings, so we have sprinklers.
Where Schneier's point comes in, as I see it, is that sprinklers are taken for granted as part of a building. Nobody expects to buy a building and then pay a separate sprinkler industry to install a fire supression system. Instead it's one payment to one contractor. He expects to see security incorporated into the infrastructure analogously to sprinkler systems.
Buffer overflow:
Around the Net
- Epicenter: PC World Editor Quits Over Apple Story
- Nicholas Carr: Elegy for the photojournalist
- Tom Adelstein: Top 7 Things System Administrators Forget to Do
- Olaf Heimburger: OC4J: Configuring DataSources
- Tony Pearson: Gartner predicts 80% by 2011
- Jeff McQuigg:The Importance of Naming Standards
- James Governor: If Markets Are Conversations Then Twitter Is Money
Around Computerworld
- Douglas Schweitzer: New Bank Cards with an Innovative Feature!
- Michael R. Farnum: Phighting Phishing with a new top level .bank domain?
- Shark Tank: See if you can spot the ones having problems
- Shark Bait: You need to take yesterday's backup and . . . .
Previously in IT Blogwatch
And finally... Are you sure?
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.
Print
Email this
Digg this
