Information Security Is Becoming Infrastructure
Posted by
Soulskill
on Sun Apr 20, 2008 11:25 AM
from the time-to-pay-your-monthly-security-bill dept.
Bruce Schneier has a story at Wired about his observations from the recent RSA conference. He noticed that the 350+ vendors who attended the conference were having difficulties selling their products or even communicating with potential buyers. Schneier suggests that the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it. Quoting:
"When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference."
We've seen this with PGP (Score:5, Insightful)
We've seen this problem with the PGP world. Geeks like working with everything themselves, but it's hard to convince non-geeks to use it, because they don't see the point. If encryption were really vital, it would be packaged for them to easily enable it, just like their online banking. Even with secure e-mail standards like Secure MIME, they are easy to use but are yet little known because companies don't actively pitch them to their customers.
I would beg my fellow geeks, at least, to rediscover some of the passion about encryption. As I posted a couple of days ago, a decade ago every geek had a PGP key and Schneier's Applied Cryptography [amazon.com] was our favorite bedtime reading. Now, even geeks don't want to go through the minimal (to us) effort of working with crypto.
Re: (Score:2, Insightful)
Now, it's unheard of.
I've set my machines up with GPG and my wife's as well, and autoconfigured them to encrypt any and all email between the two of us, but my attempts to get others to do so has proven fruitless.
I harp the same line Zimm did--when you put a letter in the mailbox, you put it in an envelope, right? Why is email any different?
Re: (Score:2)
While in some sense I agree that the problem with encryption is that it isn't ubiquitous, isn't easy to use and isn't the default, I think part of the problem is that email isn't the functional equivalent of sending a letter in the mail. It's the functional equivalent of sending a postcard. Most of the emails with my wife are at the level of "the puppy ate (insert another e
Re: (Score:2)
Re: (Score:2, Informative)
Yeah, good luck with that. In my experience, mail encryption is fundamentally difficult - like going from driving cars to planes. You have to know the basics of key management, i.e. get someone's PUBLIC key, encrypt messages using HIS public key & he decrypts using HIS private key. That's already a dealbreaker for most people. Does he seriously expect they'll listen when he talks about ke
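The key-management flow this comment spells out (and the GPG-between-two-machines setup described a few comments up) in working code, as an added example that is not from the thread, from GPG, or from any product named here. It uses only Go's standard library and the hybrid construction that S/MIME and PGP both use: a fresh per-message AES key encrypts the body, and that key is wrapped to the recipient's RSA public key so only the matching private key can unwrap it. The message text and the SealedMessage container are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sampleMessage is a constructed example body, not text from the thread.
const sampleMessage = "the puppy ate another shoe"

// SealedMessage is a hypothetical wire format (an assumption of this example):
// the AES key wrapped to the recipient's RSA public key, plus the AES-GCM
// nonce and ciphertext. S/MIME and PGP carry the same three pieces in their
// own container formats.
type SealedMessage struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateKeyPair is the one-time step per correspondent. The private half
// never leaves the machine; only the PublicKey field is handed to others.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt is the sender's side and needs nothing but the recipient's PUBLIC key.
// A random AES-256 key encrypts the body with GCM (confidentiality plus an
// integrity tag); RSA-OAEP wraps that key. RSA is never applied to the body
// itself: OAEP caps the payload at a few hundred bytes, so mail clients use
// exactly this hybrid arrangement.
func Encrypt(recipientPub *rsa.PublicKey, plaintext []byte) (*SealedMessage, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt is the recipient's side. Without the matching PRIVATE key the AES key
// cannot be unwrapped; if the ciphertext was altered, the GCM tag check fails.
// Both cases return an error rather than garbage plaintext.
func Decrypt(recipientPriv *rsa.PrivateKey, msg *SealedMessage) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, msg.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("integrity check failed: message altered in transit")
	}
	return plaintext, nil
}

// newGCM builds the AES-GCM AEAD used on both sides.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Recipient ("he") generates a key pair and publishes the public half.
	recipient, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Sender encrypts using only that public key.
	sealed, err := Encrypt(&recipient.PublicKey, []byte(sampleMessage))
	if err != nil {
		panic(err)
	}
	// Recipient decrypts with the private key; anyone else gets an error.
	body, err := Decrypt(recipient, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient read: %q\n", body)
	bystander, _ := GenerateKeyPair()
	_, err = Decrypt(bystander, sealed)
	fmt.Println("bystander:", err)
}
```

The part the comment calls the dealbreaker is not in this code at all: the block assumes the sender already holds the genuine public key for the recipient. Obtaining that key and verifying it really belongs to him (fingerprint checks, a certificate chain, or a web of trust) is the key-management step that the cryptography cannot do for the user, and a client that silently accepts whatever public key arrives gives confidentiality against a passive reader only.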
maybe the market is working (Score:5, Insightful)
Re:maybe the market is working (Score:5, Insightful)
I think they have it backwards. Security isn't a utility, it is a highly technical skill. You need a person, not a box.
Re: (Score:3, Interesting)
The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.
This is the state of security products for the most part nowadays: hoax products and snake-oil salesmen ("IT'S 2009 READY!!!1!").
Now, I do agree with you that security should lie at the foundation of a design, but security also works by constructing layers of defense. No matter how good your design/implementation is, software is very complicated and someone will slip somewhere.
Unless you write your own OS, design your hardware and write its firmware, then wr
Re: (Score:2)
a herd of tiny companies makes something to fix some obscure problem that 99% of people will never encounter but the marketing hype makes it seem like the end of the world
A lot of companies don't want to pay for it (Score:4, Interesting)
Re: (Score:2)
However, since those salesmen have a product, not a redesign, to sell, none of their solutions really address the problem, but they make them a lot of money.
I'm mostly talking about smtp and spam here, but the same concept applies elsewhere, to a
NOOOOOOOOO (Score:5, Insightful)
Great, once again the tools I need to protect myself are being taken away and given to "the professionals". So if all the security tools go to the ISPs and other infrastructure, how do I protect myself from ISP spyware?
Re: (Score:2)
Re: (Score:2)
most security products are to fix poor admins (Score:2)
Nobody likes paying for "security" (Score:3, Insightful)
Good news. (Score:3, Interesting)
Self-serving horseshit (Score:2, Insightful)
The information security people are getting jealous because project managers have the certification/religious body (PMI) and a certification (PMP) that is basically required for many serious projects. That keeps the rates high by limiting the marketplace and mandating some prescribed process for doing everything.
Security consultants like to put that "CISSP" on email signatures and business cards because it mak
Re: (Score:3, Insightful)
The answer is not just to give more money to security consultants (like me, a CISSP + GSNA) nor hw/sw vendors.
The answer is to develop a good security management framework that works for the organization. Security is not a product or a consultant or a service. Security is a process. Invest into developing the process and the organization is set to survive whatever the Chinese/Government/God throws at it.
Re: (Score:2, Insightful)
It's remarkable how many PMPs are really risk-seeking, control-averse, self-declared security expert cowboys trying to impress the bosses with how many shortcuts they've taken to get the project out the door. Outlooks like this are far from scarce and unfortunately lead to the purchase of expensive common-control level solutions to compensate post-im
Re: (Score:1)
Re:Self-serving horseshit (Score:5, Interesting)
I've been doing infosec work for over 17 years now, and IMO, the "problem" as it were, is that the demand for expertise has utterly outstripped the experienced pool of talent.
Net result? Exactly what you observe: "cash cow security" that is more focused on implementing wildly expensive (and frequently Rube-Goldberg-esque) technology solutions. Why? Because the inexperienced security practitioner immediately and inevitably turns to vendors for "turn-key solutions" to every risk (and many non-risks
Conversely, the much smaller number of people with substantial experience in the trenches are the ones who might point out that a $50,000 security awareness campaign _just might_ reduce net risk a WEE BIT more than a $3million 17-tier-firewall-atrocity. Or that a 10-man-hour risk assessment by security professionals attached to EVERY project's design phase _just might_ have a better chance of reducing risk than a $30k penetration test of every project by an external vendor that is 9 times in 10 a glorified canned vulnerability scan by a junior drone.
Not much of this is likely to change anytime soon. Sad to say, information security is still a very young and immature science. Things won't get better until the experience-pool gets deeper.
--Bargeld
Re: (Score:2)
When people talk about the Mythical Man-Month, they usually refer to the assertion that throwing people on a project tends to delay the project. But another key point in that book was that the programming/implementation team was more
Transparent Tech is Better (Score:4, Insightful)
The biggest problem with security is that it's added afterwards as a "deluxe feature", rather than integrated with every design and implementation detail. Adding security afterwards means always catching up with the original insecure condition. It means creating an insecure system that the bad guys like, then fighting your own system along with the bad guys while you labor to secure it.
But the "built-in" tech shouldn't become completely invisible. The bundles should be transparent, not closed and opaque. Because nothing has a higher risk of insecurity than something unknown that you can't inspect. And no matter how well a vendor inspects their own secure component, if it's properly secured no extra scrutiny makes it less secure, only more. Leaving it transparent, visible only when you inspect it, is the best, safest tech.
Re: (Score:2)
Perhaps one reason why it's so hard to figure out what those guys are hawking at the RSA conference is that what they're really hawk
Connective Awareness? (Score:1)
Most security problems are a result of misunderstanding the purpose of an object in the infrastructure, and telling other components lies about its nature (permissions boosting). A bad admin does this with a human face. Poor products do this when out-of-the-box configurations don't match the user's requirements, allowing too much to begin with, or having options that bad admins change inappropriately.
So, how do we do this in a product-based environment? Do we need new module API, covering anything that comm
get out of jail free card (Score:1)
I contend that society needs to make a clear distinction between the two and force the industry through legislative action (because voluntary is clearly not working) to choose one or the other, but not both.
If
Re: (Score:2)
That is true, but it would also raise the price of an OS several fold and require more restrictions to be placed on application designers. Car manufacturers can require that you only use certain, high rated tires for their [stretcher.com]
Re: (Score:2)
It's one thing to make an OS fully secure. It's something else entirely to make it enforce security on other products. I want the former and not the latter. It is then my responsibility, delegated to the makers of the applications I add on, to make sure the applications themselves are secure. The OS only needs to provide the necessary facilities that applications might need. If an application specifically allows anyone that can reach that computer to login and erase crucial files, that is an issue of t
Re: (Score:2)
Actually, warranties are NOT going to help and are NOT practical in software as we know it.
For one, when is the last time you have seen anything that absolutely warrants against break-in? Certainly not your car or house. Risks Digest has had several postings about keyfobs that unlock several cars in the same parking lot and even one where the physical key operated an identical car. The dirty secret of home security is that anyone with the ability to kick hard and a hammer can break in and disable most al
Re: (Score:2)
I based the prices on the guesstimate of 100 times the price. That's the same as the liability markup on drugs but considerably less than the may-not-fail cost for space shuttle avionics software.
Please name any industry that warrants against criminal acts (such as breaking and entering) committed by a 3rd party (hint: there are none). Since there are none, there are also no metrics for it. Even safes and armored cars don't absolutely warrant that they won't be broken into, only that they will "resist" fo
Re: (Score:2)
Just so you know, I agree a lot of software is crap, and some of it, in addition to being insecure, is also unfit for its purpose. I'm just saying that in order to bring law into it, there must be legal standards.
I *KNOW* that whoever wrote the crap part is to blame, I'm not stupid. I'm saying that if *you* buy an OS from one place, pay someone else to install python, and then buy my python program from me and install it, who gets the blame when you get hacked? You'll probably blame me and it'll cost me a
Re: (Score:2)
There is one phenomenon I have no explanation for. If we can figure that out, many of the stability and security issues would solve themselves.
MS (primarily, but others as well) repeatedly announces new improved versions just like Lucy holding the football for Charlie Brown. Like Charlie Brown, users everywhere for some reason fall for the hype and believe that the result will be different this time in spite of decades of history. When MS announces a new release I am nearly to the point of actually heari
Re: (Score:2)
Perhaps you should look at an s390. You'll get the warranty you want for orders of magnitude more cash. Alas, there is no "home edition". All bets are off if you run Adobe on it; that's a different vendor.
However, security is not like power (Score:2)
The correct amount and nature of security is very much relative to the risks the organisation is facing. Those risks are dependent on the kind of business they're doing and also on their business model.
However, as a security professional I still see people who say "It must be
Re: (Score:2)
No amount of "security as infrastructure" will help if organisations do not have a good risk management and analysis framework or do not understand what kind of security they need and how much. If they don't understand it, they cannot ask it of the vendors and thus they will get either nothing or something random.
I've only encountered a few companies that could even implement anything like "Best Practices" for security. Why? Because currently INFOSEC is seen as a cost to the company without any type of revenue from it, like most of IT, only worse. When you're blocking traffic from a poorly created application that a company depends on, or a mis-configured Windows clustered server, INFOSEC is blamed for outages, because it's the one thing that actually does its job; the rest of IT will see security as something preve
God I love Schneier (Score:1)
Security doesn't work that way (Score:2)
Unless everyone participates in security, the system is not secure. As we learned years ago, a password can be purchased for a candy bar. Millions of AO
Security is not infrastructure (Score:2)
They don't want to have to become IT security experts
Maybe not but someone will
Security a problem for someone else? (Score:1)
And what do these companies do, besides cry WOLF? (Score:4, Interesting)
- Antivirus: works by scanning files being written to/from disk, and by scanning I mean "run ~1 million instructions in an emulator then see if it matches a virus pattern". Requires weekly updates to latest definitions. One of the most successful "security" products
- Static code analysis tools (e.g. Coverity). They take your source code, run a heavy-duty static analysis program on it, and point out memory leaks / double frees, uninitialized variables, and other flaws. My educated guess is that 1/3 of viruses involve such a problem. Useful, but to a manager, you can find a different 1/3 of flaws with a manual code audit that costs about as much.
- Windows Vista (yeah, ha ha). Includes improved account control and privilege separation! Except that most users get so sick of the Allow box that is required for so many things on Windows that Vista has NOT fundamentally increased security.
- Network intrusion detection appliance - you plug this into your network, and it does something when it detects a malicious access pattern - I dunno, maybe it bakes cookies? But detecting malicious access patterns makes you more secure!!!
The security product that takes off will be one that says "with product X, you will never experience security problem Y". Unfortunately, the security products out there are crap (product X decreases chances of problem Y from 1% to 0.01%) and security folks are the most paranoid about providing any guarantees. (Use the word "impossible" at a security conference and watch what the blogosphere does to you. I dare you.) In other words: most security products provide a small marginal gain, while their vendors tout them as essential, must-have products.
The single most telling "security" trait I have seen is from the security group at my employer. They send out a feature proposal, and then flame anyone who disagrees with them by saying "if you don't agree to this, we'll probably get hacked next year and it will be your fault for being against the security of our products!". Never mind the technical flaws (ASLR doesn't work when you map 1GB of contiguous memory in a 32-bit process) or performance implications. Security "sells" based on fear, and the security industry sales arm has yet to realize they have cried WOLF too many times for purchasers to take them seriously anymore.
Re:And what do these companies do, besides cry WOL (Score:2)
Re:And what do these companies do, besides cry WOL (Score:2)
Static code analysis tools (e.g. Coverity). They take your source code, run a heavy-duty static analysis program on it, and point out memory leaks / double frees, uninitialized variables, and other flaws. My educated guess is that 1/3 of viruses involve such a problem. Useful, but to a manager, you can find a different 1/3 of flaws with a manual code audit that costs about as much.
I'd argue that if your software is important enough to deserve a thorough manual audit, you should probably consider doing both as they tend to catch different sorts of problems. Witness all the code cleanup that has been done in FOSS code on the basis of bugs found through Coverity's DHS funded code scanning service [coverity.com]. Other than that, I'm pretty much in agreement with what you say.
Didn't he mean security is becoming a commodity? (Score:2)
Re:Didn't he mean security is becoming a commodity (Score:2)
Embedding security in other products may be hard (I don't entirely agree with this), but it is what is essential. Security should not be a separate product.
For example, if you have a router between your LAN and your link to the internet, that router should be performing the security function for you. If you want to block certain ports from being connected to via the internet, block it there. If you want to establish a VLAN tunnel to another office, you could do it there.
To the extent that any separate
From TFA (Score:3, Insightful)
And there you have it, ladies, gentlemen and slashdotters, the problem in a nutshell. People don't want to buy security because they don't think it's useful. And then what happens when their site gets defaced or their database hacked? They blame the admins, that's what. They never, ever admit that it happened because they wouldn't pay the price needed to secure their machines, they just blame somebody else for not keeping them safe even though they didn't have the tools to do the job.
Re: (Score:2)
No I don't. Security software and the extra time to install, upgrade and maintain it isn't anywhere near that expensive, and if it is, it shouldn't be. Of course, we're probably talking Windows here, where security is nothing more than an afterthought tacked on at the last minute. If we're talking Linux, Unix or some other real OS, it's largely built in from the ground up, making your claim even le
Problem is not in infrastructure (Score:2, Interesting)
Why do we even have that lever? (Score:3, Insightful)
In "The Emperor's New Groove" there is a running gag where someone pulls the wrong lever and falls through a trap door into an alligator pit, then returns dripping water and kicking away alligators and asking "Why do we even *have* that lever?"
Why does Firefox have a mechanism to install extensions to Firefox from within a Firefox window?
Why does Internet Explorer have a mechanism to run native code downloaded from a website?
Why does Safari have an '
Is it 1998!? (Score:2)
No one wants to learn anything, especially if it has nothing to do with the task at hand. We want it to just work, and it should.
Just prevent it, don't make us think about it unless you want some of us to make mistakes.