Slashdot Mirror


Information Security Is Becoming Infrastructure

Bruce Schneier has a story at Wired about his observations from the recent RSA conference. He noticed that the 350+ vendors who attended the conference were having difficulties selling their products or even communicating with potential buyers. Schneier suggests that the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it. Quoting: "When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference."

19 of 75 comments

  1. We've seen this with PGP by CRCulver · · Score: 5, Insightful

    We've seen this problem with the PGP world. Geeks like working with everything themselves, but it's hard to convince non-geeks to use it, because they don't see the point. If encryption were really vital, it would be packaged for them to easily enable it, just like their online banking. Even secure e-mail standards like Secure MIME, which are easy to use, are still little known because companies don't actively pitch them to their customers.

    I would beg my fellow geeks, at least, to rediscover some of the passion about encryption. As I posted a couple of days ago, a decade ago every geek had a PGP key and Schneier's Applied Cryptography was our favorite bedtime reading. Now, even geeks don't want to go through the minimal (to us) effort of working with crypto.

    1. Re:We've seen this with PGP by PDG · · Score: 2, Insightful

      I read your post the other day and agreed wholeheartedly with it. I remember back in '97 when PGP keys were parts of email signatures and such.

      Now, it's unheard of.

      I've set my machines up with GPG and my wife's as well, and autoconfigured them to encrypt any and all email between the two of us, but my attempts to get others to do so have proven fruitless.

      I harp the same line Zimm did--when you put a letter in the mailbox, you put it in an envelope, right? Why is email any different?

      --
      "Where is my mind?"
    2. Re:We've seen this with PGP by Eighty7 · · Score: 2, Informative

      Putting PGP keys in our emails doesn't help that. It has to be transparent. And that's exactly what Schneier is saying.

      Yeah, good luck with that. In my experience, mail encryption is fundamentally difficult - like going from driving cars to planes. You have to know the basics of key management, i.e. get someone's PUBLIC key, encrypt messages using HIS public key & he decrypts using HIS private key. That's already a dealbreaker for most people. Does he seriously expect they'll listen when he talks about key backups, key signing or the importance of only keeping decrypted attachments in RAM?

      Why Johnny Can't Encrypt (pdf)
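      The key-management basics in the comment above (encrypt to the recipient's PUBLIC key, decrypt with his PRIVATE key, and nobody else's key will do), as an added Go example that is not code from this thread, from PGP or from GnuPG. The Mailbox type, the names alice and bob and the sample message are constructed for illustration; RSA-OAEP on a short message stands in for the session-key wrapping that real OpenPGP mail encryption performs.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Mailbox is a hypothetical stand-in for one person's key ring: it holds the
// private key, and only the public half is ever handed to other people.
type Mailbox struct {
	Name string
	priv *rsa.PrivateKey
}

// NewMailbox generates a fresh 2048-bit RSA key pair for one user.
func NewMailbox(name string) (*Mailbox, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Mailbox{Name: name, priv: key}, nil
}

// PublicKey is the part you publish; it cannot decrypt anything.
func (m *Mailbox) PublicKey() *rsa.PublicKey {
	return &m.priv.PublicKey
}

// Seal encrypts msg to the recipient's PUBLIC key with RSA-OAEP. With a
// 2048-bit key and SHA-256 the payload is limited to 190 bytes; real mail
// encryption seals a random session key this way and encrypts the body with it.
func Seal(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Open decrypts with the owner's PRIVATE key; any other private key fails.
func (m *Mailbox) Open(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, ciphertext, nil)
}

func main() {
	alice, err := NewMailbox("alice")
	if err != nil {
		log.Fatal(err)
	}
	bob, err := NewMailbox("bob")
	if err != nil {
		log.Fatal(err)
	}

	// Constructed sample message: alice seals it to bob's public key.
	ct, err := Seal(bob.PublicKey(), []byte("constructed sample message"))
	if err != nil {
		log.Fatal(err)
	}

	pt, err := bob.Open(ct)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s reads: %q\n", bob.Name, pt)

	// The sender's own private key is the wrong key: decryption fails.
	if _, err := alice.Open(ct); err != nil {
		fmt.Printf("%s cannot open what she sealed to %s: %v\n", alice.Name, bob.Name, err)
	}
}
```

      The failed Open by alice is the part that trips people up in practice: the sender has no way to read a message after sealing it, which is why clients keep a copy encrypted to the sender's own key as well.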
  2. maybe the market is working by convolvatron · · Score: 4, Insightful

    maybe the problem with selling security is that the products are a pile of afterthought patches. security is a property that should lie at the foundations of a design. why should I put some 1U appliance with a lot of molded plastic on my Ethernet at all?

    1. Re:maybe the market is working by houstonbofh · · Score: 4, Insightful

      I was thinking this myself... It could be that people don't understand it. But it could be that the products don't work all that well. Or it could be that a bad network design makes it all pointless anyway. But get HP or BMC in there with a big network plan that includes security, and it works.

      I think they have it backwards. Security isn't a utility, it is a highly technical skill. You need a person, not a box.

    2. Re:maybe the market is working by eihab · · Score: 3, Interesting
      A similar conclusion can be drawn from the article:

      The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused. This is the state of security products for the most part nowadays, hoax products and snake oil salesmen "IT'S 2009 READY!!!1!".

      Now, I do agree with you that security should lie at the foundation of a design, but security also works by constructing layers of defense. No matter how good your design/implementation is, software is very complicated and someone will slip somewhere.

      Unless you write your own OS, design your hardware and write its firmware, then write your application on top of all that: You _will_ be depending on someone somewhere to do it, and they may (or may not) mess something up.

      The more layers of security you add (hardware firewall, anti-virus, etc.), the more secure you will be at the end.
      --
      If you can't mod them join them.
  3. A lot of companies don't want to pay for it by MikeRT · · Score: 3, Interesting

    Probably because they don't think that security is really that critical to them. However, for many others, the cost of getting the right consultants and infrastructure might be too much for their business to handle. Most businesses don't have a lot of disposable cash that they can put into IT infrastructure, especially since a lot of IT infrastructure has to be upgraded on a semi-regular basis.

  4. NOOOOOOOOO by Original+Replica · · Score: 4, Insightful

    the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it.

    Great, once again the tools I need to protect myself are being taken away and given to "the professionals". So if all the security tools go to the ISPs and other infrastructure, how do I protect myself from ISP spyware?

    --
    We are all just people.
  5. Nobody likes paying for "security" by smithfarm · · Score: 3, Insightful

    Whether you're a computer user or a small shop owner in the Bronx, nobody likes paying for security.

    --
    Om
  6. Good news. by Shoten · · Score: 2, Interesting

    This is a good thing. I'm working on a proposal for a...well, it's $900 million worth of something, I'll say that. It's a huge project, with a lot of different technologies (even by IT standards). I'm the "Security Tower," the group of people responsible for security in the solution, and I've never had it so easy. Sure, there are firewalls, and an IdM extension to support SSO, and a few other things for security, but for the most part our security is architectural. Every area of the solution has products with security infused into them to some degree, whether it's encryption for the endpoints, key management for the central system that manages the endpoints, and so on. Instead of having to wait until the rest of the solution was finalized, and then play catch-up to try and get security added in, it's been a matter of mapping requirements to security functionality that is already there.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  7. Self-serving horseshit by duffbeer703 · · Score: 2, Insightful

    Of course, security consultants think that security should be left to the professionals. (ie, them)

    The information security people are getting jealous because project managers have the certification/religious body (PMI) and a certification (PMP) that is basically required for many serious projects. That keeps the rates high by limiting the marketplace and mandating some prescribed process for doing everything.

    Security consultants like to put that "CISSP" on email signatures and business cards because it makes them sound like doctors or lawyers, but at the end of the day, nobody really gives a shit. So now every so-called security guru is coming around telling us that the Russian mafia has probably already hacked our systems, and the Chinese are going to take over the world, starting with our company's PCs. The magazines roll out witticisms like "digital Pearl Harbor" and "cyber 9/11".

    The solution is to give more money to security consultancies. Maybe buy some million-dollar IDS solutions from the likes of Symantec to let you know that some putz in accounting tried to use FTP.

    IMO, it's all bunk. IT people are finally starting to question the dubious value of cash-cow security software like AV, so the security community rolls out some more fear-mongering.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
    1. Re:Self-serving horseshit by ladybugfi · · Score: 2, Insightful

      Bollocks.

      The answer is not just to give more money to security consultants (like me, a CISSP + GSNA) nor hw/sw vendors.

      The answer is to develop a good security management framework that works for the organization. Security is not a product or a consultant or a service. Security is a process. Invest into developing the process and the organization is set to survive whatever the Chinese/Government/God throws at it.

    2. Re:Self-serving horseshit by Anonymous Coward · · Score: 2, Insightful

      IT people are finally starting to question the dubious value of cash-cow security software like AV, so the security community rolls out some more fear-mongering.

      It's remarkable how many PMPs are really risk-seeking, control-averse, self-declared security expert cowboys trying to impress the bosses with how many shortcuts they've taken to get the project out the door. Outlooks like this are far from scarce and unfortunately lead to the purchase of expensive common-control level solutions to compensate post-implementation for lacking system security discovered by external auditors or hackers.

      An approach I'd suggest alternately is a risk-balanced one (e.g. ISO 31000, AS/NZS 4360). As a financially-educated risk manager in a large financial corporation's information risk program, I see repeated framework purchases (e.g. web application firewalls) that have to be implemented at the data center level due to shortcuts and an absence of basic security planning and design by the information system owner. When you can't take an application offline or recode it in a short period to address PCI findings, you end up throwing millions at compensating common controls.

      Our business executives have gotten sick of countless millions spent on database encryption, gazillions of firewalls, application scanning systems, etc. but don't understand nor care that the inclusion of system security in the design phase of these applications would have avoided much of this cost.

      I'd concur that much of the security efforts are seriously not risk aligned and lack any awareness of risk optimization. Too many in our world seek perfection, having zero tolerance for risk. Unfortunately, that unrealistic attitude, combined with the risk-seeking "shove it in and call it a day" PMP types, leads to a total breakdown in communication and ultimately insecure applications and unacceptable residual risk.

    3. Re:Self-serving horseshit by Bargeld · · Score: 5, Interesting

      Of course, security consultants think that security should be left to the professionals. (ie, them)

      Because it should. Or more accurately, oversight of it should. But when you have security-savvy architects, project managers, and (rarely) business-line managers, it makes the need for micro-managed technical oversight MUCH less. But no matter what, someone needs to be managing the big picture of risk across all the silos of expertise.

      Security consultants like to put that "CISSP" on email signatures and business cards because it makes them sound like doctors or lawyers, but at the end of the day, nobody really gives a shit.

      Amen :) It's always struck me as a grandiose, sad conceit...and I _AM_ a CISSP. It'll be a cold day in hell when I throw it around like a badge of pride, let alone authority, because frankly, it's a mediocre standard. Management at my last employer forced me to write the exam "to make our practice more credible to clients", and I spent a whopping 2 days "studying". The bar it sets is...very low. Not bad for a foundation, but not good for much else.

      I've been doing infosec work for over 17 years now, and IMO, the "problem" as it were, is that the demand for expertise has utterly outstripped the experienced pool of talent.

      Net result? Exactly what you observe: "cash cow security" that is more focused on implementing wildly expensive (and frequently Rube-Goldberg-esque) technology solutions. Why? Because the inexperienced security practitioner immediately and inevitably turns to vendors for "turn-key solutions" to every risk (and many non-risks :)

      Conversely, the much smaller number of people with substantial experience in the trenches are the ones who might point out that a $50,000 security awareness campaign _just might_ reduce net risk a WEE BIT more than a $3million 17-tier-firewall-atrocity. Or that a 10-man-hour risk assessment by security professionals attached to EVERY project's design phase _just might_ have a better chance of reducing risk than a $30k penetration test of every project by an external vendor that is 9 times in 10 a glorified canned vulnerability scan by a junior drone.

      Not much of this is likely to change anytime soon. Sad to say, information security is still a very young and immature science. Things won't get better until the experience-pool gets deeper.

      --Bargeld
      --
      "I hate to advocate drugs, alcohol, violence, or insanity to anyone. But they've always worked for me." --Dr. Hunter S.
  8. Transparent Tech is Better by Doc+Ruby · · Score: 3, Insightful

    One advantage of security as infrastructure rather than as products is that infrastructure is the foundation of a service, not just something bolted on afterwards.

    The biggest problem with security is that it's added afterwards as a "deluxe feature", rather than integrated with every design and implementation detail. Adding security afterwards means always catching up with the original insecure condition. It means creating an insecure system that the bad guys like, then fighting your own system along with the bad guys while you labor to secure it.

    But the "built-in" tech shouldn't become completely invisible. The bundles should be transparent, not closed and opaque. Because nothing has a higher risk of insecurity than something unknown that you can't inspect. And no matter how well a vendor inspects their own secure component, if it's properly secured no extra scrutiny makes it less secure, only more. Leaving it transparent, visible only when you inspect it, is the best, safest tech.

    --
    make install -not war

  9. And what do these companies do, besides cry WOLF? by kscguru · · Score: 3, Interesting
    From TFA:

    I can't figure out what any of those companies do

    Anyone doubt this? Let's take a tour through a few products that "make you more secure":
    • Antivirus: works by scanning files being written to/from disk, and by scanning I mean "run ~1 million instructions in an emulator then see if it matches a virus pattern". Requires weekly updates to latest definitions. One of the most successful "security" products.
    • Static code analysis tools (e.g. Coverity). They take your source code, run a heavy-duty static analysis program on it, and point out memory leaks / double frees, uninitialized variables, and other flaws. My educated guess is that 1/3 of viruses involve such a problem. Useful, but to a manager, you can find a different 1/3 of flaws with a manual code audit that costs about as much.
    • Windows Vista (yeah, ha ha). Includes improved account control and privilege separation! Except that most users get so sick of the Allow box that is required for so many things on Windows that Vista has NOT fundamentally increased security.
    • Network intrusion detection appliance - you plug this into your network, and it does something when it detects a malicious access pattern - I dunno, maybe it bakes cookies? But detecting malicious access patterns makes you more secure!!!
    The security product that takes off will be one that says "with product X, you will never experience security problem Y". Unfortunately, the security products out there are crap (product X decreases chances of problem Y from 1% to 0.01%) and security folks are the most paranoid about providing any guarantees. (Use the word "impossible" at a security conference and watch what the blogosphere does to you. I dare you.)

    In other words: most security products provide a small marginal gain, while their vendors tout them as essential, must-have products.

    The single most telling "security" trait I have seen is from the security group at my employer. They send out a feature proposal, and then flame anyone who disagrees with by saying "if you don't agree to this, we'll probably get hacked next year and it will be your fault for being against the security of our products!". Never mind the technical flaws (ASLR doesn't work when you map 1GB of contiguous memory in a 32-bit process) or performance implications. Security "sells" based on fear, and the security industry sales arm has yet to realize they have cried WOLF too many times for purchasers to take them seriously anymore.

    --

    A witty [sig] proves nothing. --Voltaire

  10. From TFA by techno-vampire · · Score: 2, Insightful
    No one wants to buy security. They want to buy something truly useful...

    And there you have it, ladies, gentlemen and slashdotters, the problem in a nutshell. People don't want to buy security because they don't think it's useful. And then what happens when their site gets defaced or their database hacked? They blame the admins, that's what. They never, ever admit that it happened because they wouldn't pay the price needed to secure their machines, they just blame somebody else for not keeping them safe even though they didn't have the tools to do the job.

    --
    Good, inexpensive web hosting
  11. Problem is not in infrastructure by Iagi · · Score: 2, Interesting

    Most bad things that happen to users these days happen because they clicked a link that goes to a web site that installs malicious code. It seems that the largest security problem is that end users do not want to take the necessary minimal precaution (for whatever reason). It makes no sense to me to try to build a "fool proof" infrastructure. The problem resides more with the end users and his/her computer. Since most computers (especially MS) like to use the internet to install software/updates, the problem is not going to go away by tweaking the infrastructure. Also, the internet was designed for connectivity and interoperability. Obviously trying to move security to the infrastructure will mean giving up on these.

  12. Why do we even have that lever? by argent · · Score: 2, Insightful

    Why do browsers even have a "run malicious code" function?

    In "The Emperor's New Groove" there is a running gag where someone pulls the wrong lever and falls through a trap door into an alligator pit, then returns dripping water and kicking away alligators and asking "Why do we even *have* that lever?"

    Why does Firefox have a mechanism to install extensions to Firefox from within a Firefox window?

    Why does Internet Explorer have a mechanism to run native code downloaded from a website?

    Why does Safari have an 'Open "Safe" Files after Download' option?

    Why doesn't Microsoft provide a way for browsers to launch and pass parameters to helper functions that doesn't require them to guess how the helper function's quoting mechanism works?

    Why do we even HAVE these levers? These are all obviously bad designs.

    Every other plugin you install in a browser can be installed by downloading it and running it as an application. Why does Firefox have to implement a mechanism to allow a web page to request that an XPI installer run?

    ActiveX and other mechanisms based on using "security zones" to allow the HTML control to guess whether it's being asked to run a plugin that Windows Update needs instead of one that's going to install spyware are inherently insecure. Why doesn't Windows Update, for example, run as an application and provide its extensions to the specific instance of the HTML window that needs them, instead?

    Apple has finally turned 'Open "Safe" files' off by default. This tiny increase in security is probably the best news I've heard in web security in a year... which is kind of sad. The underlying problems with helper function bindings are still there in OS X and Windows, alas.

    Finally, Microsoft's POSIX subsystem actually includes "exec", the UNIX system call that is available on other platforms to avoid the quoting problems that the corresponding Windows call has. Unfortunately you can't use that call from Win32 programs, and they haven't implemented the equivalent in the past 15 or so years that it's been there. Why not?
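    The quoting problem the comment above raises (a helper binding that flattens program and parameters into one string the other side must re-parse, versus an exec-style call that passes each parameter as its own argv element), as an added Go example that is not code from this thread, from any browser or from Windows. The program name "helper-app", the "--open" flag and the file name are constructed for illustration; naiveCommandLine and reparseBySpaces model the flattening and the guessed re-parse, and exec.Command is used only to build the argv slice, nothing is executed.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// naiveCommandLine models the binding the comment complains about: program and
// parameters are flattened into one string that the helper must re-parse.
func naiveCommandLine(prog string, args []string) string {
	return prog + " " + strings.Join(args, " ")
}

// reparseBySpaces models a helper that guesses the quoting rules by splitting
// at whitespace; any parameter containing a space comes apart here.
func reparseBySpaces(cmdline string) []string {
	return strings.Fields(cmdline)
}

// argvInvocation builds the call exec-style: each parameter is one argv slot,
// so there is no string to re-parse and no quoting convention to guess.
// exec.Command only prepares the invocation; it is never started.
func argvInvocation(prog string, args []string) []string {
	return exec.Command(prog, args...).Args
}

func main() {
	// Constructed sample: a hypothetical helper program asked to open a
	// downloaded file whose name contains a space.
	prog := "helper-app"
	args := []string{"--open", "Q1 report.pdf"}

	flat := naiveCommandLine(prog, args)
	reparsed := reparseBySpaces(flat)
	argv := argvInvocation(prog, args)

	fmt.Printf("flattened:   %q\n", flat)
	fmt.Printf("re-parsed:   %q (%d elements, file name split in two)\n", reparsed, len(reparsed))
	fmt.Printf("argv-style:  %q (%d elements, file name intact)\n", argv, len(argv))
}
```

    The re-parsed form hands the helper a file called "Q1" plus a stray "report.pdf" argument; which extra quoting would have fixed it depends on that particular helper's rules, which is exactly the guessing the comment objects to. The argv form never has that question to answer.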