Firewall Wizards mailing list archives

RE: The Future of Security


From: "Crumrine, Gary L" <CrumrineGL () state gov>
Date: Wed, 1 Dec 1999 07:25:13 -0500

Not to disagree with the esteemed Mr. Ranum... I'd like to add to what he
has said.  I think the industry as a whole is going to change drastically,
as corporate pressure to perform will force individuals and service
providers to take more responsibility for the work they now perform.  Let's
face it, in the last few years, there have been a great deal of major league
players in the game performing "Services" without really understanding what
they were doing... and frankly stealing their customers blind.  

Now before anyone lights the flame throwers, I think it fair to say that
there has been a lot of poor quality work done in the past, and the
complaints come from everywhere you look.  It is not focused on one industry
segment, or about one firm doing the dirty deed etc.  The problem is that
when mediocre work is performed at the Fortune 500 level, the trickle down
effect is that we all get a black eye.  So that is why I think that the
market will force so-called experts to do a better job. 

Secondly, I disagree with Marcus on the niche prediction.  Although this
will always be the case in certain levels of any industry, I think the truly
successful person will be more focused on the systems approach.  The
individual that is able to look at an enterprise as a complete whole, and
deal with the issues from that perspective is going to be the one that
proves to be a key player in any organization.

I also think that you will see so-called experts grouping together into some
sort of service bureau or clearing house, and offering their services to
clients at more affordable rates.  Intrinsic to this will be additional
service offerings such as remote network management, centralized monitoring
and reporting etc.  I think outsourcing of this function will become the
only affordable solution in many cases... especially in the small to medium
sized company.  Businessmen will focus more on their business of making
money, not worrying about their network functions.  By sharing the
management overhead costs with many other clients, the service becomes more
affordable, and in many cases will be the only option for small business.
On a side note, there also appears to be a growing amount of evidence that
large corporations are moving towards outsourcing their IT engineering and
networking management as they tighten belts and increase bottom lines...

Salaries will continue to skyrocket for the foreseeable future.

On a Hardware/Software note, I have said in the past, and will say it again.
I see an integrated product suite that includes firewalls, IDS, VPN etc. in
the short term... an area in which we have seen great progress,  and for
long term, I think the products will include virus scanning, and usage
statistics.

Also, the appliance should gain momentum when performance, logging,
flexibility and applicability match the big boys.  

I see more work being done on the hardware to address the needs of secure
remote management and better solutions for remote users and satellite
offices.  



-----Original Message-----
From: Marcus J. Ranum [SMTP:mjr () nfr net]
Sent: Tuesday, November 30, 1999 7:37 PM
To:   Mark Veronda; 'firewall-wizards () nfr net'
Subject:      Re: The Future of Security


I am interested to know where the experts see the security industry move
towards during the next 1-5 years.  What security skills are in demand today
and what will be needed in the future?


My guess is that not much will change at the broad level. Most of
the security problems we have today (active content, transitive
trust, trojan horses, firewall permeability) are problems we have had
for a long time.

Security experts' most crucial skills, in my opinion, are the ability
to synthesize common sense from a large number of conflicting and
apparently unconnected inputs. In other words, you need to see the
forest and the trees, and understand how trees imply forests and vice
versa. That's a useful skill in just about any profession, from
security analyst to stock broker, CEO, or restaurant owner.

On the technical side, I think the biggest issue for all of us will
be making sense of the bewilderingly complex menu of offerings in
modern networks. What, of a host of options, works, and what does
not - and why. This is going to be particularly dicey when it comes
to all the myriads of new applications which are and will be coming
out. My prediction is that security experts will specialize into
niches based on what they're interested in. Others will specialize
in tying together many niches. Some of this process has been going
on for a long time. For example, there are security folks whose
entire focus is NT, or Netware, or Java, or browsers. There are
others who don't focus on details but worry about the implications
of combined security issues in how (for example) browsers interact
with NT. To me, what's endlessly fascinating about the field is
that the vulnerabilities and problems relate to the cross product
of entities deployed. For example, if you are worried about security
of browsers on Win98, NT, UNIX, and Macs, and there are 2 (let's keep
it simple!) browsers for those platforms, there are 8 or so different
problem domains to worry about at a detailed level, and 4 or 2 at a
higher level. Keeping track of that kind of stuff is going to be
full-time jobs for a lot of smart people.

Another place I see security heading in the next 5 years is the
whole issue of tracking users to their actions over the Internet.
Depending on what laws get passed, etc, that could be a very
interesting problem. It's going to be directly related to whatever
resolution occurs with respect to the problems in Ecommerce, online
auctions, denial of service, spamming, etc. These are all places where
Internet society is torn between its love of anonymity and its desire
to catch and strangle miscreants.

I think many things will become appliances, as computers move
into an ever-increasing household penetration. This will bring
up new sets of problems. What if someone hacks your toaster oven?
OK, that's probably not realistic, but what about Dreamcast, and
Playstation 2, which will have humongous installed bases and
which will all run IP?? My Dreamcast has a browser and a terrifying
logo on the front that it is made for Windows CE. Again, there will
be fascinating niches for specialization.

About the only thing that scares me is that security may become
a problem that everyone hates because it never goes away. I don't
want to see security experts lumped in with lawyers and insurance
salespeople, as "people you hate to but have to do business with."
Security, eventually, will have to solve something. Someday.
Of course, I'm one of the security guys that operates at the
"forest level" rather than the "tree level" (I got sick of building
trees!) and at the forest level a lot of our problems appear to be
unsolvable.

Sorry to ramble!

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr


