Wednesday, April 06, 2005

Information Security

Hi folks!

OK, what do I have to say about infosec?

There are a number of interesting dynamics at play with information security. Of course there are the technical issues:

o "how do you encrypt data securely?"
o "how do you allow an http connection across an organizational boundary securely?"

However, in my experience the most important factors are the practical and pragmatic:

o "given who am I, what do I do to move from my current state to a more secure state?"
o "given all factors, what level of operational security can I achieve in what period of time?"
o "is my current/desired security level sufficient to reduce the risk to the same or less than other risks I face?"

To set the tone of my views on infosec (and most other complex efforts), let me share one of the first and most fundamental lessons I learned about the evolution of technology in the face of group dynamics:

John Alsop - currently CEO of BorderWare II - was my boss at Sea Change when we dreamed up and built the first BorderWare Firewall Server. Something John said to me before the launch of the Firewall Server has always stuck with me and provided a lot of comfort when seemingly intractable challenges reared their ugly heads.

In the early Nineties I had been talking to various folks about this new Internet Security Gateway product we were building, and an engineer at a potential customer - who had more knowledge than I did at the time about how TCP/IP works - dismissed the potential of the Internet because there weren't enough IP addresses available, what with folks grabbing entire Class A addresses (16,777,216 IP addresses), and told me that the Internet was doomed. I did the math, saw the problem, and rushed into John's office to see if it was true that my vision of the future of the 'Net was hosed. John, unflappable as always, told me this gem;

"I learned long ago that if a technical problem stands in the way of enough demand for a fix, solutions will emerge organically."

A few months later we released the BFS as the first commercial Network Address Translation gateway (ironically at the same time as the other first NAT gateway - PIX :-), and since then everyone can have sixteen million computers on their network while using only one public Internet IP Address. It has been consistent in my experience that the same holds true for other roadblocks - whether it is a new type of attack that arises and seems at first glance to be unmanageable or an issue of sociology - aggregate need for a solution drives the creation of solutions with an irresistible force.

Therefore, at any one time the security solutions which exist or are in the process of creation form a very good fit with the pattern of needs being felt by the community of Internet users. Where the available or emerging solutions can be seen to fail to match the current and foreseeable pattern of needs, business opportunities exist for anyone who can address that gap.

o FUD (Fear, Uncertainty and Doubt)

- The immutable fact described above - that the open nature of the technical foundation of the Internet and Free-Market Capitalism allows anyone anywhere to recognize a need for an infosec solution and make a living addressing it - should be a great source of comfort for consumers of infosec and should be the foundation that infosec folks communicate to their customers. Using FUD to scare customers into buying Security Product XYZ not only fails to address the consumer's real desire (to remove the barrier of fear which is stopping them from achieving desired goals), but worse it creates a general malaise among the non-infosec community ("well, since it is hopeless and beyond my understanding, no sense in even trying...") leading to a vicious cycle of less security being in place, more proof of the common belief in hopelessness, less adoption of security...

Areas needing development.

o Managed Security Service Providers

- it appears that the MSSP space is on the verge of developing the kinds of services that will be consumed in volume. This will require a separate article to delve into, and a stiff Irish coffee...

o Identity

- the solution to SPAM lies in identity.

- electronic voting is enabled by identity.

- absolutely no-one uses secure passwords or authentication. The only thing keeping identity at all functional at the moment is the volume of targets for bad guys and the basic honesty and sense of fairness that is by far more common than a lack thereof.

Is infosec a hopeless effort?


The ongoing existence of the Internet and its startlingly high availability is living proof that infosec problems are not catastrophic. While there remains a risk that infosec failings can be exploited to cause significant harm - and these risks deserve all of the attention those in the industry dedicate to them - people using information technology should not overtly worry about the issue from moment to moment. Because of the nature of the Internet, open systems, standards and the motivation of those who use and develop the technologies that run the infrastructure, the Good Guys are at least as capable, more numerous and much better funded than the Bad Guys, and will stay that way.



No comments: