It's a paradox: If computer security—or perhaps I should say computer crime—weren't so bad, there would be little need for the vibrant industry that's growing up around it.
In this age of MyDoom, a record number of attendees turned up in San Francisco for the RSA Conference late last month. It didn't hurt that Bill Gates, Microsoft's chairman and chief software architect, was the show's headliner. Gates explained everything the company is doing to make its products more secure—which, if successful, could put many of the vendors in attendance out of business.
Surprisingly, though, Gates' audience responded with a warmth that went beyond mere politeness. It could be that the security community recognizes the ubiquity of Microsoft technology in the enterprise and really wants the company to succeed. Or security pros just might be willing to wait for the marginal improvements in security services in Windows XP Service Pack 2 later this year, and for the rest of the ingredients of Trustworthy Computing that will come out in the "Longhorn time frame"—get used to that phrase—which means 2006 at the earliest.
Or it could be that the attendees recognize it doesn't really matter what Microsoft does. No matter what kind of "Active Protection," "Dynamic System Protection" or any other underarm solution Microsoft concocts, the next bug or exploit is just waiting to be found.
Perhaps they recognize that Microsoft is taking security very seriously. Indeed, the company is devoting billions to fixing the problems as best it can. It also has a crack IT security staff. At RSA, Jared Pfost (as in "post"), group program manager for Microsoft's internal IT team, outlined what the company does to protect itself in what is naturally a Microsoft-centric software environment.
His team has to manage security of more than 300,000 networked devices, 55,000 employees and 90,000 e-mail boxes worldwide. Every month Microsoft blocks some 100,000 intrusion attempts and quarantines 125,000 e-mail messages. Outside of the Slammer worm last year, the company's networks haven't flinched. Still, not every company has the IT resources of a Microsoft, where 55 people manage security policies and response strategies full time, Pfost said.
In his speech, Gates pointed to the growing collection of culprits: the script kiddies, hacker hobbyists, experts and specialists. But if you leave your keys in the car while you pop into the convenience store to buy a gallon of milk, is it the thief's fault your car was stolen?
We live in dangerous times, when the MyDoom disaster can cost many billions in lost data and productivity and system downtime. The finger-in-the-dike approach to security is not working. It works some of the time, to be sure, but it is not sustainable long term. Viruses, worms and other hacks are, like spam, going to overwhelm us, slow down the productivity we've worked to achieve through technology and, as VeriSign CEO Stratton Sclavos argues, slow down the adoption of new technologies.
It's time for a new approach. It's been about seven years since I first saw Sun's Scott McNealy demonstrate the Java Card authentication system. It was cool and made a lot of sense at the time, but few bought into the proprietary nature of the plan.
In the years since, Java and the Java Card have evolved, and there at RSA was Sun's Jonathan Schwartz, demonstrating both the Java Desktop System and Java Card. Authentication systems make even more sense today, with computing power and bandwidth much more plentiful. Only users authorized to use a device can use it. Only applications authorized to run on those devices can run. Simple.
It's not so simple to replace Windows everywhere, nor am I advocating such a strategy. But savvy IT managers owe it to themselves and their enterprises to try new approaches to security.
A sound investment strategy always begins with diversification. Many enterprises, however, remain locked into a technology, either by choice or by compulsion. They wait, complacently, for that one short stream of code, opened by an unknowing user on one PC somewhere, that can cripple the company and propagate across the rest of the world in minutes. It's a risk to try new things, but it could be a greater risk not to.
Scot Petersen can be reached at firstname.lastname@example.org.