Information Security Is Becoming Infrastructure

Bruce Schneier has a story at Wired about his observations from the recent RSA conference. He noticed that the 350+ vendors who attended the conference were having difficulties selling their products or even communicating with potential buyers. Schneier suggests that the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it. Quoting: "When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference."

Re:We've seen this with PGP

[Eighty7]

Putting pgp keys in our emails doesn't help that. It has to be transparent. And that's exactly what Scheiner is saying.

Yeah, good luck with that. In my experience, mail encryption is fundamentally difficult - like going from driving cars to planes. You have to know the basics of key management ie get someone's PUBLIC key, encrypt messages using HIS public key & he decrypts using HIS private key. That's already a dealbreaker for most people. Does he seriously expect they'll listen when he talk about key backups, key signing or the importance of only keeping decrypted attachments in ram?

Why johnny can't encrypt. (pdf) [gaudior.net]