Information Security Is Becoming Infrastructure
Bruce Schneier has a story at Wired about his observations from the recent RSA conference. He noticed that the 350+ vendors who attended the conference were having difficulties selling their products or even communicating with potential buyers. Schneier suggests that the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it. Quoting:
"When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference."
Probably because they don't think that security is really that critical to them. However, for many others, the cost of getting the right consultants and infrastructure might be too much for their business to handle. Most businesses don't have a lot of disposable cash that they can put into IT infrastructure, especially since a lot of IT infrastructure has to be upgraded on a semi-regular basis.
Now, I do agree with you that security should lie at the foundation of a design, but security also works by constructing layers of defense. No matter how good your design/implementation is, software is very complicated and someone will slip somewhere.
Unless you write your own OS, design your hardware and write its firmware, then write your application on top of all that: You _will_ be depending on someone somewhere to do it, and they may (or may not) mess something up.
The more layers of security you add (hardware firewall, anti-virus, etc.), the more secure you will be at the end.
If you can't mod them join them.
This is a good thing. I'm working on a proposal for a...well, it's $900 million worth of something, I'll say that. It's a huge project, with a lot of different technologies (even by IT standards). I'm the "Security Tower," the group of people responsible for security in the solution, and I've never had it so easy. Sure, there are firewalls, and an IdM extension to support SSO, and a few other things for security, but for the most part our security is architectural. Every area of the solution has products with security infused into them to some degree, whether it's encryption for the endpoints, key management for the central system that manages the endpoints, and so on. Instead of having to wait until the rest of the solution was finalized, and then play catch-up to try and get security added in, it's been a matter of mapping requirements to security functionality that is already there.
For your security, this post has been encrypted with ROT-13, twice.
- Antivirus: works by scanning files being written to/from disk, and by scanning I mean "run ~1 million instructions in an emulator then see if it matches a virus pattern". Requires weekly updates to latest definitions. One of the most successful "security" products
- Static code analysis tools (e.g. Coverity). They take your source code, run a heavy-duty static analysis program on it, and point out memory leaks / double frees, uninitialized variables, and other flaws. My educated guess is that 1/3 of viruses involve such a problem. Useful, but to a manager, you can find a different 1/3 of flaws with a manual code audit that costs about as much.
- Windows Vista (yeah, ha ha). Includes improved account control and privilege separation! Except that most users get so sick of the Allow box that is required for so many things on Windows that Vista has NOT fundamentally increased security.
- Network intrusion detection appliance - you plug this into your network, and it does something when it detects a malicious access pattern - I dunno, maybe it bakes cookies? But detecting malicious access patterns makes you more secure!!!
The security product that takes off will be one that says "with product X, you will never experience security problem Y". Unfortunately, the security products out there are crap (product X decreases chances of problem Y from 1% to 0.01%) and security folks are the most paranoid about providing any guarantees. (Use the word "impossible" at a security conference and watch what the blogosphere does to you. I dare you.) In other words: most security products provide a small marginal gain, while their vendors tout them as essential, must-have products.
The single most telling "security" trait I have seen is from the security group at my employer. They send out a feature proposal, and then flame anyone who disagrees with them by saying "if you don't agree to this, we'll probably get hacked next year and it will be your fault for being against the security of our products!". Never mind the technical flaws (ASLR doesn't work when you map 1GB of contiguous memory in a 32-bit process) or performance implications. Security "sells" based on fear, and the security industry sales arm has yet to realize they have cried WOLF too many times for purchasers to take them seriously anymore.
A witty [sig] proves nothing. --Voltaire
I've been doing infosec work for over 17 years now, and IMO, the "problem" as it were, is that the demand for expertise has utterly outstripped the experienced pool of talent.
Net result? Exactly what you observe: "cash cow security" that is more focused on implementing wildly expensive (and frequently Rube-Goldberg-esque) technology solutions. Why? Because the inexperienced security practitioner immediately and inevitably turns to vendors for "turn-key solutions" to every risk (and many non-risks
Conversely, the much smaller number of people with substantial experience in the trenches are the ones who might point out that a $50,000 security awareness campaign _just might_ reduce net risk a WEE BIT more than a $3million 17-tier-firewall-atrocity. Or that a 10-man-hour risk assessment by security professionals attached to EVERY project's design phase _just might_ have a better chance of reducing risk than a $30k penetration test of every project by an external vendor that is 9 times in 10 a glorified canned vulnerability scan by a junior drone.
Not much of this is likely to change anytime soon. Sad to say, information security is still a very young and immature science. Things won't get better until the experience-pool gets deeper.
--Bargeld
"I hate to advocate drugs, alcohol, violence, or insanity to anyone. But they've always worked for me." --Dr. Hunter S.
Most bad things that happen to users these days are because they clicked a link that goes to a web site that installs malicious code. It seems that the largest security problem is that end users do not want to take the necessary minimal precaution (for whatever reason). It makes no sense to me to try to build a "fool proof" infrastructure. The problem resides more with the end user and his/her computer, since most computers (especially MS) like to use the internet to install software/updates. The problem is not going to go away by tweaking the infrastructure. Also, the internet was designed for connectivity and interoperability. Obviously, trying to move security to the infrastructure will mean giving up on these.