Information Security Is Becoming Infrastructure

Bruce Schneier has a story at Wired about his observations from the recent RSA conference. He noticed that the 350+ vendors who attended the conference were having difficulties selling their products or even communicating with potential buyers. Schneier suggests that the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it. Quoting: "When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference."

We've seen this with PGP

[CRCulver]

We've seen this problem with the PGP world. Geeks like working with everything themselves, but it's hard to convince non-geeks to use it, because they don't see the point. If encryption were really vital, it would be packaged for them to easily enable it, just like their online banking. Even with secure e-mail standards like Secure MIME, they are easy to use but are yet little known because companies don't actively pitch them to their customers.

I would beg my fellow geeks, at least, to rediscover some of the passion about encryption. As I posted a couple of days ago, a decade ago every geek had a PGP key and Schneier's Applied Cryptography was our favorite bedtime reading. Now, even geeks don't want to go through the minimal (to us) effort of working with crypto.

maybe the market is working

[convolvatron]

maybe the problem with selling security is that is that the products are a pile of afterthought patches. security is a property that should lie at the foundations of a design. why should i put some 1u appliance with alot of molded plastic on my ethernet at all?

Re:maybe the market is working

[houstonbofh]

I was thinking this myself... I could be that people don't understand it. But it could be that the products don't work all they well. Or it could be that a bad network design makes it all pointless anyway. But get HP or BMC in there with a big network plan that includes security, and it works.

I think they have it backwards. Security isn't a utility, it is a highly technical skill. You need a person, not a box.

Re:maybe the market is working

[eihab]

A similar conclusion can be drawn from the article:

The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused. This is the state of security products for the most part nowadays, hoax products and snake oil salesmen "IT'S 2009 READY!!!1!".

Now, I do agree with you that security should lie at the foundation of a design, but security also works by constructing layers of defense. No matter how good your design/implementation is, software is very complicated and someone will slip somewhere.

Unless you write your own OS, design your hardware and write its firmware, then write your application on top of all that: You _will_ be depending on someone somewhere to do it, and they may (or may not) mess something up.

The more layers of security you add (hardware firewall, anti-virus, etc.), the more secure you will be at the end.

A lot of companies don't want to pay for it

[MikeRT]

Probably because they don' think that security is really that critical to them. However, for many others, the cost of getting the right consultants and infrastructure might be too much for their business to handle. Most businesses don't have a lot of disposable cash that they can put into IT infrastructure, especially since a lot of IT infrastructure has to be upgraded on a semi-regular basis.

NOOOOOOOOO

[Original+Replica]

the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it.

Great, once again the tools I need to protect myself are being taken away given to "the professionals". So if all the security tools go to the ISPs and other infrastructure how do I protect myself from ISP spyware?

Nobody likes paying for "security"

[smithfarm]

Whether you're a computer user or a small shop owner in the Bronx, nobody likes paying for security.

Transparent Tech is Better

[Doc+Ruby]

One advantage of security as infrastructure rather than as products is that infrastructure is the foundation of a service, not just something bolted on afterwards.

The biggest problem with security is that it's added afterwards as a "deluxe feature", rather than integrated with every design and implementation detail. Adding security afterwards means always catching up with the original insecure condition. It means creating an insecure system that the bad guys like, then fighting your own system along with the bad guys while you labor to secure it.

But the "built-in" tech shouldn't become completely invisible. The bundles should be transparent, not closed and opaque. Because nothing has a higher risk of insecurity than something unknown that you can't inspect. And no matter how well a vendor inspects their own secure component, if it's properly secured no extra scrutiny makes it less secure, only more. Leaving it transparent, visible only when you inspect it, is the best, safest tech.

And what do these companies do, besides cry WOLF?

[kscguru]

From TFA:

I can't figure out what any of those companies do Anyone doubt this? Let's take a tour through a few products that "make you more secure":

• Antivirus: works by scanning files being written to/from disk, and by scanning I mean "run ~1 million instructions in an emulator then see if it matches a virus pattern". Requires weekly updates to latest definitions. One of the most successful "security" products
• Static code analysis tools (e.g. Coverity). They take your source code, run a heavy-duty static analysis program on it, and point out memory leaks / double frees, uninitialized variables, and other flaws. My educated guess is that 1/3 of viruses involve such a problem. Useful, but to a manager, you can find a different 1/3 of flaws with a manual code audit that costs about as much.
• Windows Vista (yeah, ha ha). Includes improved account control and privilage separation! Except that most users get so sick of the Allow box that is required for so many things on Windows that Vista has NOT fundamentally increased security.
• Network intrusion detection appliance - you plug this into your network, and it does something when it detects a malicious access pattern - I dunno, maybe it bakes cookies? But detecting malicious access patterns makes you more secure!!!

The security product that takes off will be one that says "with product X, you will never experience security problem Y". Unfortunately, the security products out there are crap (product X decreases chances of problem Y from 1% to 0.01%) and security folks are the most paranoid about providing any guarantees. (Use the word "impossible" at a security conference and watch what the blogosphere does to you. I dare you.)

In other words: most security products provide a small marginal gain, while their vendors tout them as essential, must-have products.

The single most telling "security" trait I have seen is from the security group at my employer. They send out a feature proposal, and then flame anyone who disagrees with by saying "if you don't agree to this, we'll probably get hacked next year and it will be your fault for being against the security of our products!". Never mind the technical flaws (ASLR doesn't work when you map 1GB of contiguous memory in a 32-bit process) or performance implications. Security "sells" based on fear, and the security industry sales arm has yet to realize they have cried WOLF too many times for purchasers to take them seriously anymore.

Re:Self-serving horseshit

[Bargeld]

Of course, security consultants think that security should be left to the professionals. (ie, them) Because it should. Or more accurately, oversight of it should. But when you have security-savvy architects, project managers, and (rarely) business-line managers, it makes the need for micro-managed technical oversight MUCH less. But no matter what, someone needs to be managing the big picture of risk across all the silos of expertise.

Security consultants like to put that "CISSP" on email signatures and business cards because it makes them sound like doctors or lawyers, but at the end of the day, nobody really gives a shit. Amen :) It's always struck me as a grandiose, sad conceit...and I _AM_ a CISSP. It'll be a cold day in hell when I throw it around like a badge of pride, let alone authority, because frankly, it's a mediocre standard. Management at my last employer forced me to write the exam "to make our practice more credible to clients", and I spent a whopping 2 days "studying". The bar it sets is...very low. Not bad for a foundation, but not good for much else.

I've been doing infosec work for over 17 years now, and IMO, the "problem" as it were, is that the demand for expertise has utterly outstripped the experienced pool of talent.

Net result? Exactly what you observe: "cash cow security" that is more focused on implementing wildly expensive (and frequently Rube-Goldberg-esque) technology solutions. Why? Because the inexperienced security practitioner immediately and inevitably turns to vendors for "turn-key solutions" to every risk (and many non-risks :)

Conversely, the much smaller number of people with substantial experience in the trenches are the ones who might point out that a $50,000 security awareness campaign _just might_ reduce net risk a WEE BIT more than a $3million 17-tier-firewall-atrocity. Or that a 10-man-hour risk assessment by security professionals attached to EVERY project's design phase _just might_ have a better chance of reducing risk than a $30k penetration test of every project by an external vendor that is 9 times in 10 a glorified canned vulnerability scan by a junior drone.

Not much of this is likely to change anytime soon. Sad to say, information security is still a very young and immature science. Things won't get better until the experience-pool gets deeper.

--Bargeld