Information Security Is Becoming Infrastructure

Bruce Schneier has a story at Wired about his observations from the recent RSA conference. He noticed that the 350+ vendors who attended the conference were having difficulties selling their products or even communicating with potential buyers. Schneier suggests that the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it. Quoting: "When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference."

Comment removed

[account_deleted]

Comment removed based on user account deletion

maybe the market is working

[convolvatron]

maybe the problem with selling security is that is that the products are a pile of afterthought patches. security is a property that should lie at the foundations of a design. why should i put some 1u appliance with alot of molded plastic on my ethernet at all?

NOOOOOOOOO

[Original Replica]

the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it.

Great, once again the tools I need to protect myself are being taken away given to "the professionals". So if all the security tools go to the ISPs and other infrastructure how do I protect myself from ISP spyware?

Re:maybe the market is working

[houstonbofh]

I was thinking this myself... I could be that people don't understand it. But it could be that the products don't work all they well. Or it could be that a bad network design makes it all pointless anyway. But get HP or BMC in there with a big network plan that includes security, and it works.

I think they have it backwards. Security isn't a utility, it is a highly technical skill. You need a person, not a box.

Nobody likes paying for "security"

[smithfarm]

Whether you're a computer user or a small shop owner in the Bronx, nobody likes paying for security.

Self-serving horseshit

[duffbeer703]

Of course, security consultants think that security should be left to the professionals. (ie, them)

The information security people are getting jealous because project managers have the certification/religious body (PMI) and a certification (PMP) that is basically required for many serious projects. That keeps the rates high by limiting the marketplace and mandating some prescribed process for doing everything.

Security consultants like to put that "CISSP" on email signatures and business cards because it makes them sound like doctors or lawyers, but at the end of the day, nobody really gives a shit. So now every so-called security guru is coming around telling us that the russian mafia has probably already hacked our systems, and the Chinese are going to take over the world, starting with our company's PCs. The magazines roll out witicisms like "digital pearl harbor" and "cyber 9/11".

The solution, is to give more money to security consultancies. Maybe buy some million dollar IDS solutions from the likes of Symantec to let you know that some putz in accounting tried to use FTP.

IMO, it's all bunk. IT people are finally starting to question the dubious value of cash-cow security software like AV, so the security community rolls out some more fear-mongering.

Transparent Tech is Better

[Doc Ruby]

One advantage of security as infrastructure rather than as products is that infrastructure is the foundation of a service, not just something bolted on afterwards.

The biggest problem with security is that it's added afterwards as a "deluxe feature", rather than integrated with every design and implementation detail. Adding security afterwards means always catching up with the original insecure condition. It means creating an insecure system that the bad guys like, then fighting your own system along with the bad guys while you labor to secure it.

But the "built-in" tech shouldn't become completely invisible. The bundles should be transparent, not closed and opaque. Because nothing has a higher risk of insecurity than something unknown that you can't inspect. And no matter how well a vendor inspects their own secure component, if it's properly secured no extra scrutiny makes it less secure, only more. Leaving it transparent, visible only when you inspect it, is the best, safest tech.

Re:We've seen this with PGP

[PDG]

I read your post the other day and agreed whole heartedly with it. I remember back in '97 when PGP keys were parts of email signatures and such.

Now, its unheard of.

I've set my machines up with GPG and my wife's as well, and autoconfigured them to encrypt any and all email between the two of us, but my attempts to get others to do so has proven fruitless.

I harp the same line Zimm did--when you put a letter in the mailbox, you put it in an envelope, right? Why is email any different?

Re:Self-serving horseshit

[ladybugfi]

Bollocks.

The answer is not just to give more money to security consultants (like me, a CISSP + GSNA) nor hw/sw vendors.

The answer is to develop a good security management framework that works for the organization. Security is not a product or a consultant or a service. Security is a process. Invest into developing the process and the organization is set to survive whatever the Chinese/Government/God throws at it.

Re:Self-serving horseshit

[Anonymous Coward]

IT people are finally starting to question the dubious value of cash-cow security software like AV, so the security community rolls out some more fear-mongering.

It's remarkable how many PMPs are really risk-seeking, control-averse, self-declared security expert cowboys trying to impress the bosses on how many shortcuts they've taken to get the project out the door. Outlooks like this are far from scarce and unfortunately leads to the purchase of expensive common-control level solutions to compensate post-implementation for lacking system security discovered by external auditors or hackers.

An approach I'd suggest alternately is a risk-balanced one (e.g. ISO 31000, AS/NZZ 4360). As a financially-educated risk manager in a large financial corporation's information risk program, I see repeated framework purchases (e.g. web application firewalls) that have to be implemented at the data center level due to shortcuts and an absence of basic security planning and design by the information system owner. When you can't take an application offline or recode it in a short period to address PCI findings, you end up throwing millions at compensating common controls.

Our business executives have gotten sick of countless millions spent on database encryption, gazillions of firewalls, application scanning systems, etc. but don't understand nor care that the inclusion of system security in the design phase of these applications would have avoided much of this cost.

I'd concur that much of the security efforts are seriously not risk aligned and lack any awareness of risk optimization. Too many in our world seek perfection, having zero tolerance for risk. Unfortunately, that unrealistic attitude, combined with the risk-seeking "shove it in and call it a day" PMP types, leads to a total breakdown in communication and ultimately insecure applications and unacceptable residual risk.

From TFA

[techno-vampire]

No one wants to buy security. They want to buy something truly useful...

And there you have it, ladies, gentlemen and slashdotters, the problem in a nutshell. People don't want to buy security because they don't think it's useful. And then what happens when their site gets defaced or their database hacked? They blame the admins, that's what. They never, ever admit that it happened because they wouldn't pay the price needed to secure their machines, they just blame somebody else for not keeping them safe even though they didn't have the tools to do the job.

Why do we even have that lever?

[argent]

Why do browsers even have a "run malicious code" function?

In "The Emperor's New Groove" there is a running gag where someone pulls the wrong lever and falls through a trap door into an alligator pit, then returns dripping water and kicking away alligators and asking "Why do we even *have* that lever?"

Why does Firefox have a mechanism to install extensions to Firefox from within a Firefox window?

Why does Internet Explorer have a mechanism to run native code downloaded from a website?

Why does Safari have an 'Open "Safe" Files after Download' option?

Why doesn't Microsoft provide a way for browsers to launch and pass parameters to helper functions that doesn't require them to guess how the helper function's quoting mechanism works?

Why do we even HAVE these levers? These are all obviously bad designs.

Every other plugin you install in a browser can be installed by downloading it and running it as an application. Why does Firefox have to implement a mechanism to allow a web page to request that an XPI installer run?

ActiveX and other mechanisms based on using "security zones" to allow the HTML control to guess whether it's being asked to run a plugin that Windows Update needs instead of one that's going to install spyware are inherently insecure. Why doesn't Windows Update, for example, run as an application and provide its extensions to the specific instance of the HTML window that needs them, instead?

Apple has finally turned 'Open "Safe" files' off by default. This tiny increase in security is probably the best news I've heard in web security in a year... which is kind of sad. The underlying problems with helper function bindings are still there in OS X and Windows, alas.

Finally, Microsoft's POSIX subsystem actually includes "exec", the UNIX system call that is available on other platforms to avoid the quoting problems that the corresponding Windows call has. Unfortunately you can't use that call from Win32 programs, and they haven't implemented the equivalent in the past 15 or so years that it's been there. Why not?