10 Habits of Highly Effective Security Vendors #7-10

The priest and the mechanic.

In this third and final chapter, I look at the last few habits of highly effective security vendors and solutions, as well as a brief take on the state of the “cloud.”

HABIT #7: Don’t rely on SSL and key encryption forever. It’s a matter of when … not if.

I saw a few news blurbs where the RSA crew awarded the RSA inventors a lifetime achievement prize for inventing the RSA algorithm and changing the world. Wonderful. Those fellows are truly geniuses who have enabled modern e-commerce and security on the web. Congrats, for now.

The problem is, SSL and modern public-key encryption rest on one mathematical assumption: factoring the product of two large primes is far harder than the modular exponentiation used to encrypt and sign (at the moment). Now, this mathematical observation is not like the physical laws of gravity, death, or other inevitable, eternal truths. The eventual and impending violation of this rule is simply a matter of when, not if. At that moment, in one fell swoop, all Internet e-commerce and app security based on its principles will come to a sudden halt. Instantly.

Therefore, security vendors need to start looking beyond SSL, PKI and their variants for comfort and solace. The old “one-time pad” theories of security and encryption used before and during the world wars were truly a breakthrough in unbreakable security. Then PKI emerged as the next revolution. Now we are on the cusp of needing another such innovation. I would argue it needs to be partly science-based, but also partly behavior-based. It also requires a redefinition of privacy, identity, universality and integrity. It’s time to rethink e-commerce security, SSL and cryptography. Assume the hacker has infinite resources (crowd-sourcing will provide them) and you cannot rely on just really, really difficult obfuscation (primes) to achieve your ends.
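To make the asymmetry this habit is built on concrete, here is an added illustration (not code from the original post) using textbook-sized primes constructed for readability: the legitimate operation, modular exponentiation, costs a number of multiplications proportional to the key’s bit length, while recovering the private exponent requires factoring the modulus, whose naive cost grows exponentially in that bit length. The prime values, exponent and message below are constructed sample inputs; real keys use primes of 1024 bits or more.

```python
"""Added illustration of the asymmetry RSA rests on: modular exponentiation
(the legitimate operation) is cheap, while factoring the modulus (what an
attacker must do to recover the private key) is expensive.  Toy primes are
constructed for readability; real keys use primes of 1024+ bits."""


def toy_keypair(p, q, e):
    """Build an RSA key pair from two primes p, q and a public exponent e.
    Returns (n, e, d) where d is the private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; raises ValueError if gcd(e, phi) != 1
    return n, e, d


def modexp_steps(base, exp, mod):
    """Square-and-multiply exponentiation.  Returns (base**exp mod mod, number of
    modular multiplications).  The count is at most 2 * bit_length(exp): cost
    grows linearly with key size, which is why encrypting, signing and verifying
    stay fast even for 2048-bit moduli."""
    result, steps = 1, 0
    b = base % mod
    while exp:
        if exp & 1:
            result = result * b % mod
            steps += 1
        b = b * b % mod
        steps += 1
        exp >>= 1
    return result, steps


def factor_steps(n):
    """Naive trial division.  Returns (p, q, trial divisions performed) with p <= q.
    The count grows with sqrt(n), i.e. exponentially in the bit length of n.
    Smarter algorithms do better but are still super-polynomial; the post's
    point is that nothing proves this must remain so."""
    steps = 1
    if n % 2 == 0:
        return 2, n // 2, steps
    d = 3
    while d * d <= n:
        steps += 1
        if n % d == 0:
            return d, n // d, steps
        d += 2
    return 1, n, steps  # n is prime


def recover_private_exponent(n, e):
    """What 'when, not if' looks like: once the modulus can be factored, the
    private exponent follows from public data alone."""
    p, q, _ = factor_steps(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed textbook-sized example: p=61, q=53, e=17, message 65.
    n, e, d = toy_keypair(61, 53, 17)
    c, enc_steps = modexp_steps(65, e, n)
    m, dec_steps = modexp_steps(c, d, n)
    _, _, fac_steps = factor_steps(n)
    print(f"n={n} e={e} d={d}")
    print(f"encrypt: {enc_steps} multiplications; decrypt: {dec_steps}; "
          f"naive factoring: {fac_steps} divisions")
    print(f"round trip ok: {m == 65}; recovered d: {recover_private_exponent(n, e)}")
    # Scale the same operations to a 2048-bit modulus: exponentiation needs at
    # most ~4096 multiplications, naive factoring on the order of 2**1023 divisions.
    print(f"2048-bit modulus: modexp <= {2 * 2048} steps, trial division ~2**{2048 // 2 - 1}")
```

The step counters, not the arithmetic, are the point: the gap between the two columns is what every certificate and TLS session is betting on, and it is an empirical gap, not a proven one.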

HABIT #8: Security is a game. Play it like one.

Gamers know it. Hackers know it. Only users and security vendors don’t seem to know it. It’s all a game. That’s right - your digital identity is NOT the same as your real one. Your flesh and bone body will not die when you lose all your health in World of Warcraft. So why does your bank account and credit rating disappear when you lose your identity online? Answer? The implementation of digital value and identity is completely wrong. The stakes are wrong. The abstraction between the virtual and the real is lazy - thus the latter is always impacted by breaches in the former.

I’ve been researching this topic for years - triggered by the early writings of MIT’s Nicholas Negroponte. We spend so much time focused on the web, the computer, interfaces, our security, etc. Why not make the “computer” focus on us? That’s my definition of Web 3.0. In Web 1.0, the web simply broadcasted to us. In Web 2.0 we used the web to meet, connect, create/consume and broadcast to each other. In Web 3.0, the web will focus on us to achieve all of the above, and then some. Smart fisherman, I believe Nick called it.

So why then, have we let Internet security become so vital and so fatal an exercise? Is it, as I said in the first blog in this series, because we as the creators of the ‘Net failed to realize its flaws? Or were we lazy in the implementation of this digital 4th wall - allowing improper leakage between and amongst the creators and the consumers? I don’t know - but the result is what we have before us - a multi-billion dollar industry to fill the cracks in that dike. If identity security is a game, and if we make the rules, why can’t we win?

The key to rethinking security is to do what most pundits do to win political arguments - change the language of the debate. The key to identity security is not to try to prevent all of the present and future bad things from happening to users, sites and applications at the hands of a skilled, burgeoning crowd of hackers. No, the answer is to eliminate the value of those attacks and the critical nature of the data or credentials captured, and to preemptively neuter their application in any meaningful way. It’s the same as the high-availability argument - do you focus on disaster avoidance or disaster recovery? Well, any good psychologist worth his salt will say it’s not what happens to you, but how you respond that matters. You have no control over the former, but complete mastery of the latter.

So, it’s time to rethink identity security in this manner. Stop spending billions on preventing the worst, and start innovating on how to change the language of the debate and the rules of the game.

HABIT #9: Don’t be a mechanic, be a priest.

Though every private sector technology industry exists primarily to make money - the identity and security branch is unique in that it also seeks to cure some of the ills of the digital world. Much like healthcare, profit is the ultimate goal - and quite necessary to stay in business to provide said services to the populace - but if you heal a patient or two along the way, it’s a bonus!

Seriously, all kidding aside, we are important members of the digital ecosystem and we have a tremendous responsibility to be both profitable and effective. To that end, I implore my fellow vendors to stop acting like a mechanic. Instead, act like a priest. What do I mean by that? Act as if we had 6 months to solve the world’s identity theft problem - or the Internet would collapse. What would you do differently? How would you re-prioritize? What would your new agile project plans look like? Where would you focus? Take quarterly sales figures, long-range planning, M&As and short-term profit mentality out of the mix. Now what? Could the problems be solved without the competitive business layers and trappings? What if you had to put your own family up in the vessel you crafted to solve the security problems and set it loose to fly? Would you build it differently? What if you were the customer?

A mechanic fixes a car just well enough to make it to the next maintenance. Why? Because he wants to fix it again in the future. He considers the warranty coverage, the wealth of the customer, the age of the car, and other factors in calculating his evaluation, personal investment and cost to fix it. But if the mechanic’s mother drives in with the same problems, he would surely fix it for free - and for good! So what is the difference? It’s the same aging car, same potholes and same shop tools. The difference is motivation.

A priest, however, has to “fix it” for good. His motivation (whether you agree with the theology of it all or not is irrelevant - substitute your own clergy, cleric or belief system here) is eternal. He knows the sinner will sin again. He knows the snares and threats of the world await the hapless parishioner, but he seeks to offer an eternal solution to an ongoing and evolving set of struggles and crises. So, we need to think more like priests. Granted, there is no silver bullet or a magical pardon for every security threat. Our motivation should not be to simply fix it enough for now, but to rethink the entire universal platform on which it plays out and apply more innovation towards the solving and not the economics of the solution. Do that, and your willing parishioners will drop a coin in the plate each Sunday for sure.

So be like priests, but think like hackers. They both have unfiltered and uncompromised goals in mind. We need to share the same motivation, passion and urgency. After all, the best “pastors” are often the ones with “pasts” - that’s why it’s in the name. They understand the game, because they lived it.

Or, just keep prepping those press releases for next year’s conference, you mechanics.

HABIT #10: Stop talking about the cloud like you know him.

I had originally planned a nice summary habit #10 that recapped my thoughts from the previous two blogs, but then I stopped and thought - nope. I want to talk about the cloud. Or rather, I want to talk about all the people talking about the cloud, like they know him (and I count myself among the guilty).

It is easier for me to count all the RSA conference press releases that don’t refer to the cloud than keep track of those that do. Let me set something straight, as one who worked on early cloud-like innovations at some of the biggest technology companies in the industry. What we have in place now is NOT THE CLOUD. Not one bit. It’s just like AOL was NOT the Internet and DSL was not broadband. Now, the cloud is coming. It surely is. But this is not it, not yet.

What we have now is the equivalent of an adolescent shovel-ware of abstracted, service-oriented architectures, data-centers and virtual storage plumbing, flung into the sky with lots of bracing and virtual CGI (in the special effects sense, not the Perl sense) to erase the “wires” from view. It is a noble attempt, and an evolutionary step to be sure, but it’s not the true “cloud” computing of our science fiction fantasies and we should stop referring to everything as such. I have the same hangup with the use of “HD” to describe anything in multimedia that looks or sounds better than it did before, or employing “virtual” to describe anything that is, well, not real, I guess.

So, it would be good if we stop plastering “cloud” in front of everything that is not fully abstracted at each layer and interface, completely autonomic, 100% implementation and model agnostic, 100% fully available, omni-redundant, semantic, self-describing, and does not require a human to engage with it at any membrane beneath the meaningful application level. The cloud is coming. Until then, we need to stop labeling it as the panacea for current technology shortcomings, and actually SOLVE the identity and security problems in the real, 2-D computing world. I am confident those solutions will elegantly translate to the “cloud”, whenever it is, wherever it is.