My intent was to write about the improving state of computer security. However, before starting, I had to clear up all the spew in my in-box from the 16th variant of the Sober worm, which had spent the weekend vomiting neo-Nazi spam into in-boxes around the world.
Is political propaganda spam more malicious than product spam trying to get you to buy bogus products? Id offer an overwhelming yes. Are we still talking about zombie computers under remote control six years after the Melissa virus appeared in 1999? Absolutely. Are technology vendors still fighting the last war instead of preparing for the next one? While that is true to some degree, Id argue that the opportunity does exist to get ahead of the security curve.
There is a lot of evidence of last-war battles going on. Microsoft Chairman Bill Gates made security a top priority in a widely publicized corporate memo in 2002.
Since then, much of the companys security effort has gone into fixing past errors of omission (leaving access defaults open instead of closed); crowding into territory once the province of its partners (the recently announced OneCare security subscription service); and promising greater security advances in products still in the pipeline, such as "Longhorn." Microsoft is also addressing the difficulty of administering security in a shared environment with a shared security tool kit now in beta.
At least Microsoft has gotten better at admitting its past problems, unlike Apple, which is still waffling on admitting that the patches issued for its Tiger operating system were not just upgrades but also security patches for its Dashboard Widgets.
But there is also a lot of evidence of vendors getting ahead of the curve. Those vendors are concentrating on addressing security from the server side rather than trying to fix every client in existence. At the server side (which today means youre looking at hosted offerings), you can apply computer muscle for the identification, analysis and filtering required to stay ahead of the bad guys.
Qualys, for example, offers a vulnerability and assessment management service for the enterprise. The three basic elements of enterprise security—assessment, auditing and compliance—are offered as a service, avoiding the capital outlay normally associated with big, enterprise-level security undertakings.
In the future, security will be treated as a service by the internal technology staff or purchased via subscription from an outside provider. The days of piecemeal security upgrades and client-to-client scrambles are quickly coming to an end.
Pushing the security model upstream away from the client to a hosted solution is good news for companies with a strong host-based business such as telecommunications, hosted e-mail and even hosted search companies. Trying to drag along a big client base is difficult, as is evident by Microsofts upcoming "Eiger" operating system, which aims to beef up security capabilities for its existing, older client base.
Cyota, a company in the anti-fraud space, boasts some of the largest banks as clients. With anti-fraud and user authentication much in the news, its refreshing to find a company that is applying business and human intelligence to the issue rather than broadly calling for massive identification programs that probably create more problems than are solved.
Amir Orad, Cyotas executive vice president of marketing, explained to me how the company uses a combination of technology and traditional investigative techniques to focus on fraud instances based on risk level.
The monthly, online mortgage payment always originating from the same place does not need the same attention as a spate of withdrawals suddenly being made to the same account in different places around the world. Whats most needed today is the ability to identify and go after that small percentage that is causing the big headline-grabbing problems.
The solution to computer security problems will not come in one quick event but will be the result of sustained effort that whittles down the openings available to online criminals. That whittling down is what is now taking place.
Editor in Chief Eric Lundquist can be reached at firstname.lastname@example.org.