
The Argument To End All Security Arguments, Or Is It?

February 17, 2006
By now you've read much of the excellent coverage we've provided of the ideas, products, and personalities present at this week's RSA Conference in San Jose. But I've saved the best for last. The notion floated at the show by heavyweights such as Gates, Chambers, and McNealy that security requires a collaborative effort among technology providers is empty without a true roadmap for how this will happen. In fact, it's not as popular a notion as you might think. I spoke with some of the smartest people I could find at the show to get their perspective on the future of security. Here's what they had to say.

Some experts see a collaborative approach, where Microsoft directories, databases, and protocols communicate seamlessly and securely with Cisco networking gear and management systems as well as Sun servers and storage devices, as, at best, a nice start, and, at worst, an unrealistic piece of marketing propaganda.

Who exactly will take the lead in this? Who will ultimately take responsibility for the security of the customer's IT systems and data? If you thought the finger pointing was bad today, just wait until you try to get answers from the IT vendor community when the latest spyware, virus, or worm has ground your users' PCs to a halt, some say.

One of the greatest impediments to providing comprehensive IT security to businesses today is that there is no single forum in place to get technology providers to collaborate. "Security has been patchwork to this point," Richard DeMillo, dean of Georgia Tech's College of Computing and a former Hewlett-Packard chief technology officer, told me this week.

There are a few ways for this to change. One would resemble the way the semiconductor market gained steam two decades ago thanks to shared research, interoperability standards, and government funding, all of which culminated in the International Technology Roadmap for Semiconductors, which Intel, Texas Instruments, and other leading providers adhere to. Companies now design to standards and balance the need to bolster their bottom lines with the overall health of the industry.

Another is through efforts such as the Trusted Computing Group, which at the RSA Conference unveiled a draft specification that will add a simplified version of its Trusted Platform Module chip to storage devices, too. Intended mainly for hard disks and USB flash drives, it can be used for both portable and networked storage.

Beyond the establishment of consortiums such as the Trusted Computing Group, there are other ways to drive a more collaborative, all-encompassing approach to security. Think of what Sprint did in the 1980s when it offered voice-quality service for additional fees. The "pin drop" campaign was a hit. Pretty soon, all telcos were making voice-quality guarantees to their customers, and poor voice quality virtually disappeared as a problem, DeMillo says. At least until the spread of cell phones, anyway. Incidentally, my first-grade teacher tried the pin drop technique, saying that she wanted the classroom to be so quiet she could hear a pin drop. It doesn't work as well when applied to two dozen five-year-olds.

DeMillo's not so sure best of breed is going to be a long-term solution for security. "Security has to be dead-on easy" in order to be successful, he told me. "You can't have 5 million devices patched together with different software and operating systems."

Others say best-of-breed would work if the technology were better designed with security in mind. It's been said by more than one IT vendor that technology isn't the problem with creating more secure computing environments, that it's more an issue of collaboration and standards. But when you look at how much effort these IT vendors have to put into patching their systems, you start to wonder where they're coming from. As Paul Kocher, president and chief scientist of Cryptography Research Inc., told me at RSA, "Bugs in Windows are a security problem."

Kocher and others think a move toward collaboration is premature, particularly when security-specific bugs are still such a big problem. "It would be nice to get to ubiquitous security, but right now there are greater security concerns, such as the assurance of individual technologies," he says. For now, technology companies should focus more on the quality of their software and other technologies than on simplicity and administration. Kocher adds, "If the technology systems aren't built properly, it doesn't matter what type of security you have at the user and administrator levels."

Bob Blakley, IBM Tivoli chief scientist for security and privacy, told me, "We've been working on end-to-end security for as long as I've been doing this," which is roughly 27 years. It's a monumental challenge when you consider all of the system components that a piece of data touches on its journey between the user and the database. The Web has only added to the complexity and created more places for something to go wrong.

Better to focus on securing individual system components, Blakley told me. Another thought, and one mentioned by RSA Security CEO Art Coviello and others this week, is to segregate security for different transactions, depending upon the sensitivity of each transaction. Such prioritization would help IT departments better manage risk and prioritize their security efforts. "The idea that we'll design a worldwide, publicly accessible packet-switched network of general-purpose computers that will have end-to-end security for significant transactions is pretty implausible," Blakley told me. "We don't have a systematic way of getting our hands around that level of complexity." Security, he added, is like water tightness: a leak anywhere in the system lets in water.

Others reject both the best-of-breed and collaborative security product suite approach. During his keynote, Internet Security Systems president and CEO Tom Noonan envisioned the future of security as an on-demand service that draws upon the "information, assets and unique functions of any network-connected device to create automated and intelligent security."

Noonan is pushing for "security platforms," which are "an enterprise system blueprint, architected from the ground up, to operate as a unified system, ensuring that all threats and vulnerabilities are preemptively addressed, and leveraging best-of-breed components that today exist only as islands of automation and that are left to be integrated and optimized by our customers." A more organic example would be the human immune system, Noonan said during his RSA keynote. As such, security platforms aren't dependent upon which infrastructure, or which applications, are used in a given company, but rather are designed to protect uniformly across a heterogeneous infrastructure.

DeMillo likes the ideas that Noonan floated during his keynote. The on-demand model for security may not be fully developed or feasible at this time, but in theory it gives the security provider an incentive for success or threatens with a penalty for failure. "It's a good model, but the technology isn't there yet," DeMillo added.

On-demand, of course, isn't a new idea. In fact, it's not even a new idea for security. DeMillo told me that while he was CTO at HP, between 2001 and 2003, then-CEO Carly Fiorina was working with then-Intel chief Craig Barrett and Vint Cerf, who at the time was senior VP of technology strategy for MCI, to develop a quality-of-service model for ensuring the integrity of systems that run the country's critical infrastructure. In the wake of 9-11, "government and industry started to see security as a quality-of-service issue, but they didn't have the infrastructure to deliver it at that time," he said. Time took its toll on these efforts, as Fiorina left HP, Barrett stepped down at Intel, and Cerf moved on to Google.

So, who's in the best position to move the on-demand security model forward? Microsoft, through its MSN network, certainly has the infrastructure to deliver and back such a security service if it wants to. DeMillo also singled out Sun as a company that could, through a partnership with a company like Google, deliver on-demand security. Sun has certainly bought into the notion that the network should handle most of the security responsibilities and this week added encryption technology to the mix. The company has been pushing its smart-card-enabled Sun Ray thin clients for years. Sun Rays operate on the premise that the user keeps their valuable security data on a smart card rather than on the desktop, making the desktop itself a far less valuable target for attackers. Hey, isn't Vint Cerf at Google now? Hmm ...