Let’s face it, there’s a dreadful lack of creativity and innovation in information security today. Risk management and governance methods have changed little, if at all, in three decades.
Today’s ISO standards are based on a body of text created over twenty years ago. In fact, aside from a sprinkling of security technologies, which you can count on one hand, nothing really new has emerged in the lifetime of today’s security managers.
We have a dangerous herd mentality setting in, to the point that best practices can now be considered dangerous. Whether it’s methodologies, control descriptions or technologies, we are locked into a dangerous monoculture which is leading to a growing systemic risk.
And I’m not blaming others. I drafted most of the original text that evolved into ISO 27002 and achieved the world’s first accredited certification. But I’d love to now see it consigned to the scrap heap. Common sense and creativity have vanished from security. Twenty years ago, the security community was full of competing ideas and practices. Now every presentation looks is the same.
A dangerous distraction
Security managers are chained to a backward-looking compliance treadmill that gives priority to old legacy practices, paperwork that no one reads, and outstanding audit actions from previous years. This distraction prevents security managers looking ahead and addressing emerging issues.
A few days ago I sat through a presentation from a legal firm who have rolled a most impressive suite of new security technology. The speaker admitted that “we’d be more likely to win business with an ISO certificate”. Unfortunately, there are few prizes for smart security thinking.
A legacy full of holes
A more worrying problem is the impact of technology monoculture, resulting from herd adoption of market leading products. A few weeks ago I asked Jason Larsen, a top SCADA security tester, what he felt was the biggest vulnerability in enterprise infrastructures. “Best practices” he replied, “Everyone uses the same firewalls, AV and operating systems. You only have to test a new attack against a small number of products to see if it works”.
The traditional Swiss Cheese model of defence in depth is falling down. It’s not just methods, standards and technologies that have failed to keep up with a changing threat landscape. We also lack the communications and psychology skills needed to influence security attitudes and behaviour across an extended community of networked staff, customers and suppliers. Not to mention the skill of reverse engineering that’s now needed to test application systems to the same standards used by attackers. Our professional development schemes have more holes than a slice of Emmental.
Bright spots on the horizon
There are, however, a few rays of hope in the security solution space, though they’ve to register on the security community’s radar. The Global Security Challenge encourages and rewards innovative security technologies. Competitions like this are vital to keep promising technology start-ups alive at a time when venture capital is thin on the ground. There are also numerous opportunities from the emergence of virtualisation and trusted computing technologies.
Virtualisation transforms the infrastructure from both a user’s and an attacker’s perspective. Replacing a fixed network of physical platforms with an abstract virtual environment changes the battle space, as well as the solution and problem space. Surprisingly, very few security managers seem to have noticed this trend.
Trusted computing also offers huge potential for eliminating a large slice of the risk landscape, through reliable, automatic device authentication and data encryption. Trusted platform modules are installed in virtually all PCs and laptops. Hundreds of millions have been shipped. This technology offers solutions that are cheap, transparent, secure and easy to install and manage. But they’re yet to be used, largely because they simply don’t feature in the security manager’s tool kit.
Security managers would do well to consider how phone companies, satellite TV services and popular music sites secure global networks from large scale fraud. It’s usually based on a simple, cheap, automatic mechanism, rather than through the clunky, identity management systems that are more familiar to security managers. Neat proprietary solutions are powerful, though open ones are even better.
Dream large, think long
You need big dreams and deep pockets to introduce a revolution in security technology. Trusted computing is a classic case: an innovation driven by visionary developers and serious investors, such as Steven Sprague, CEO of Wave Systems. Sprague is a man with a ten year vision and a family history of invention, who has invested his career and money in trusted computing. His company, Wave Systems, built the EMBASSY chip, the precursor to the trusted platform module, as well as the management software.
Sprague’s passion for innovation is not surprising, given his family pedigree. The Sprague family are famous for inventions and technology. His great grandfather, Frank Sprague, was the “father of electric traction”. He invented the elevator and developed the technology that made the London Underground feasible. The family went on to become entrepreneurs and manufacturers of electronic components.
Steven’s father, Peter Sprague, chaired National Semiconductor for thirty years, building it from a small semiconductor manufacturer into a global, billion dollar industry. “When I started we made 3,000,000 transistors for $1. When I left we put 3,000,000 transistors on a $1 chip and our sales were over $2 Billion.” He also introduced chips into cars, when he briefly owned Aston Martin in the 1970s.
Steven’s contribution to the family tradition is the blueprint for a ‘layered’ security infrastructure across extended enterprises. Refreshingly, his vision is a ten year one, not constrained by tactical performance targets. Wave’s most visible contribution so far has been the realisation of the self-encrypting drive. Wave’s engineers collaborated with Seagate Technologies in the development of this revolutionary product, and produce the underpinning management software.
But the most fascinating developments are yet to come. Now that we have a large population of trusted platform modules out in the field, we can develop universal security solutions across any community. Just imagine, for example, if we enabled strong authentication and encryption for networks such as Facebook. That would certainly revolutionise our perspective of security.
The secret of success
What’s the secret to being a successful entrepreneur and manufacturer? Steven Sprague’s family have been doing it for more than a century. I put this to Steven while he was in London for a Trusted Computing conference. His advice is simple but powerful. “Firstly, don’t aim to pull the wool over people’s eyes. Do the job properly. It slows down development but pays dividends in the long term. Secondly, take a good, hard look at the future: paint a clear vision of where you want to be, and stick to your goals. And thirdly, when you get up in the morning, aim to keep moving the ball in the right direction”.
One thing is certain: We need much greater vision and investment in new security technologies. Today’s security marketplace is characterised by just-good-enough products, designed to maximise short-term sales and profit margins. Tomorrow’s security threats demand rigour, openness and longevity. Trusted computing is one of the few bright prospects on the horizon that enables such innovation.
David Lacey is a Director of Research for ISSA-UK, and security thought leader. His new book, Managing Security in Outsourced and Offshored Environments: How to safeguard intellectual assets in a virtual business world, is out now and available here