Information Security News mailing list archives

Securing the cloud


From: InfoSec News <isn () c4i org>
Date: Wed, 30 Oct 2002 00:59:39 -0600 (CST)

Forwarded from: Chris Wysopal <cwysopal () atstake com>

http://www.economist.com/surveys/displayStory.cfm?story_id=1389589

Oct 24th 2002 
From The Economist print edition

Digital security, once the province of geeks, is now everyone's
concern. But there is much more to the problem - or the solution -
than mere technology, says Tom Standage

WHEN the world's richest man decides it is time for his company to
change direction, it is worth asking why. Only rarely does Bill Gates
send an e-mail memo to the thousands of employees at Microsoft, the
world's largest software company, of which he is chairman. He famously
sent such a memo in December 1995, in which he announced that
Microsoft had to become "hardcore" about the Internet. In January this
year Mr Gates sent another round-robin. Its subject? The importance of
computer security.

Until recently, most people were either unaware of computer security
or regarded it as unimportant. That used to be broadly true, except in
a few specialised areas - such as banking, aerospace and military
applications - that rely on computers and networks being hard to break
into and not going wrong. But now consumers, companies and governments
around the world are sitting up and taking notice. Why?

The obvious answer seems to be that last year's terrorist attacks in
America have heightened awareness of security in all its forms. But
the deeper reason is that a long-term cultural shift is under way.  
Digital security has been growing in importance for years as more and
more aspects of business and personal life have come to depend on
computers. Computing, in short, is in the midst of a transition from
an optional tool to a ubiquitous utility. And people expect utilities
to be reliable. One definition of a utility, indeed, is a service that
is so reliable that people notice it only when it does not work.  
Telephone service (on fixed lines, at least), electricity, gas and
water supplies all meet this definition. Computing clearly does not,
at least not yet.

One of the many prerequisites for computing to become a utility is
adequate security. It is dangerous to entrust your company, your
personal information or indeed your life to a system that is full of
security holes. As a result, the problem of securing computers and
networks, which used to matter only to a handful of system
administrators, has become of far more widespread concern.

Computers are increasingly relied upon; they are also increasingly
connected to each other, thanks to the Internet. Linking millions of
computers together in a single, cloud-like global network brings great
benefits of cost and convenience. Dotcoms may have come and gone, but
e-mail has become a vital business tool for many people and an
important social tool for an even larger group. Being able to access
your e-mail from any web browser on earth is tremendously useful and
liberating, as both business travellers and backpacking tourists will
attest. Corporate billing, payroll and inventory-tracking systems are
delivered as services accessible through web browsers. Online shop
fronts make it fast and convenient to buy products from the other side
of the world.

The price of openness

The flip side of easy connectivity and remote access, however, is the
heightened risk of a security breach. Bruce Schneier, a security
expert, points out that when you open a shop on the street, both
customers and shoplifters can enter. "You can't have one without the
other," he says. "It's the same on the Internet." And as music,
movies, tax returns, photographs and phone calls now routinely whizz
around in digital form, the shift from traditional to digital formats
has reached a critical point, says Whitfield Diffie, a security guru
at Sun Microsystems: "We can no longer continue this migration without
basic security."

The September 11th attacks, then, reinforced an existing trend.  
Government officials, led by Richard Clarke, America's cyber-security
tsar, gave warning of the possibility that terrorists might mount an
"electronic Pearl Harbour" attack, breaking into the systems that
control critical telecommunications, electricity and utility
infrastructure, and paralysing America from afar with a few clicks of
a mouse. Most security experts are sceptical, but after spending years
trying to get people to take security seriously, they are willing to
play along. Scott Charney, a former chief of computer crime at the
Department of Justice and now Microsoft's chief security strategist,
says Mr Clarke's scare-mongering is "not always helpful, but he has
raised awareness."

The terrorist attacks certainly prompted companies to acknowledge
their dependence on (and the vulnerability of) their networks, and
emphasised the importance of disaster-recovery and back-up systems. A
survey of information-technology managers and chief information
officers, carried out by Morgan Stanley after the attacks, found that
security software had jumped from fifth priority or lower to become
their first priority. "It's moved up to the top of the list," says
Tony Scott, chief technology officer at General Motors. "It's on
everybody's radar now."

The growing emphasis on security over the past year or two has been
driven by a combination of factors, and has shown up in a variety of
ways. Chris Byrnes, an analyst at Meta Group, a consultancy, notes
that the proportion of his firm's clients (mostly large multinational
companies) with dedicated computer-security teams has risen from 20%
to 40% in the past two years. He expects the figure to reach 60-70%
within the next two years. Previously, he says, it was
financial-services firms that were most serious about security, but
now firms in manufacturing, retailing and other areas are following
suit.

One important factor is regulation. Mr Byrnes points to the change
made to American audit standards in 1999, requiring companies to
ensure that information used to prepare public accounts is adequately
secured. This has been widely interpreted, with the backing of the
White House's critical-infrastructure assurance office, to mean that a
company's entire network must be secure.

Similarly, the April 2003 deadline for protecting patients' medical
information under the Health Insurance Portability and Accountability
Act (HIPAA) has prompted health-care providers, pharmaceutical
companies and insurers to re-evaluate and overhaul the security of
their computers and networks. In one recent case, Eli Lilly, a drug
maker, was accused of violating its own online privacy policy after it
accidentally revealed the e-mail addresses of 669 patients who were
taking Prozac, an anti-depressant. The company settled out of court
with America's Federal Trade Commission and agreed to improve its
security procedures. But once HIPAA's privacy regulations come into
force, companies that fail to meet regulatory standards will face
stiff financial penalties. The same sort of thing is happening in
financial services, where security is being beefed up prior to the
introduction of the Basel II bank-capital regulations.
 
The growth of high-profile security breaches has also underlined the
need to improve security. The number of incidents reported to Carnegie
Mellon's computer emergency response team (CERT), including virus
outbreaks and unauthorised system intrusions, has shot up in recent
years (see chart 1) as the Internet has grown. The "Love Bug", a virus
that spreads by e-mailing copies of itself to everyone in an infected
computer's address book, was front-page news when it struck in May
2000. Many companies, and even Britain's Parliament, shut down their
mail servers to prevent it from spreading.

There have been a number of increasingly potent viruses since then,
including Sircam, Code Red and Nimda, all of which affected hundreds
of thousands of machines. The latest, called Bugbear, struck only this
month. Viruses are merely one of the more visible kinds of security
problem, but given the disruption they can cause, and the widespread
media coverage they generate, such outbreaks prompt people to take
security more seriously.

Fear, sex and coffee

Spending on security technology grew by 28% in 2001 compared with the
year before, according to Jordan Klein, an analyst at UBS Warburg. Mr
Klein predicts that spending will continue to grow strongly over the
next few years, from around $6 billion in 2001 to $13 billion in 2005
(see chart 2). A survey carried out by Meta Group in August found that
although only 24% of firms had increased their technology budgets in
2002, 73% had increased their spending on security, so security
spending is growing at the expense of other technology spending. This
makes it a rare bright spot amid the gloom in the technology industry.
 
Steven Hofmeyr of Company 51, a security start-up based in Silicon
Valley, says his company is pushing at a wide-open door: there is no
need to convince anyone of the need for security technology. Indeed,
Nick Sturiale of Sevin Rosen, a venture-capital fund, suggests that
security is already an overcrowded and overfunded sector. "Security is
now the Pavlovian word that draws the drool from VCs' mouths," he
says. Security vendors are really selling fear, he says, and fear and
sex are "the two great sales pitches that make people buy
irrationally".

So, a bonanza for security-technology firms? Not necessarily. The
sudden interest in security does not always translate into support
from senior management and larger budgets. A recent report from Vista
Research, a consultancy, predicts that: "While the need to protect
digital assets is well established, companies will pay lip service to
the need to invest in this area and then largely drag their feet when
it comes to capital spending on security."

Even where security spending is increasing, it is from a very low
base. Meta Group's survey found that most companies spend less than 3%
of their technology budgets on security. Technology budgets, in turn,
are typically set at around 3% of revenues. Since 3% of 3% is 0.09%,
most firms spend more on coffee than on computer security, according
to a popular industry statistic. The purse strings loosen only when
companies suffer a serious security breach themselves, see one of
their rivals come under attack or are told by auditors that lax
security could mean they are compromising due diligence.

Jobs on plates

Mr Byrnes notes another factor that is impeding growth of the security
market: a shortage of senior specialists. For much of the past year,
he says, "There was more security budget than ability to spend it."  
John Schwarz, president of Symantec, a security firm, puts the number
of unfilled security jobs at 75,000 in America alone. As a result, the
security boom widely expected last year has yet to materialise. But Mr
Hofmeyr reckons that the increase in security spending is just
starting to kick in.

Given the new interest in security, established technology firms,
which have seen revenues plunge as firms slash technology spending in
other areas, are understandably keen to jump on the bandwagon
alongside specialist security vendors. Sun's advertisements boast: "We
make the net secure." Oracle, the world's second-largest software
firm, has launched a high-profile campaign trumpeting (to guffaws from
security experts) that its database software is "unbreakable". Whether
or not this is true, Oracle clearly regards security as a convenient
stick with which to bash its larger arch-rival, Microsoft, whose
products are notoriously insecure - hence Mr Gates's memo.

It suits vendors to present security as a technological problem that
can be easily fixed with more technology - preferably theirs. But
expecting fancy technology alone to solve the problem is just one of
three dangerous misconceptions about digital security. Improving
security means implementing appropriate policies, removing perverse
incentives and managing risks, not just buying clever hardware and
software. There are no quick fixes. This survey will argue that
digital security depends as much - if not more - on human cultural
factors as it does on technology. Implementing security is a
management as well as a technical problem. Technology is necessary,
but not sufficient.

A second, related misperception is that security can be left to the
specialists in the systems department. It cannot. It requires the
co-operation and support of senior management. Deciding which assets
need the most protection, and determining the appropriate balance
between cost and risk, are strategic decisions that only senior
management should make. Furthermore, security almost inevitably
involves inconvenience. Without a clear signal from upstairs, users
will tend to regard security measures as nuisances that prevent them
from doing their jobs, and find ways to get around them.

Unfortunately, says Mr Charney, senior executives often find computer
security too complex. "Fire they understand," he says, because they
have direct personal experience of it and know that you have to buy
insurance and install sensors and sprinklers. Computer security is
different. Senior executives do not understand the threats or the
technologies. "It seems magical to them," says Mr Charney. Worse, it's
a moving target, making budgeting difficult.

A third common misperception concerns the nature of the threat. Even
senior managers who are aware of the problem tend to worry about the
wrong things, such as virus outbreaks and malicious hackers. They
overlook the bigger problems associated with internal security,
disgruntled ex-employees, network links to supposedly trustworthy
customers and suppliers, theft of laptop or handheld computers and
insecure wireless access points set up by employees. That is not
surprising: viruses and hackers tend to get a lot of publicity,
whereas internal security breaches are hushed up and the threats
associated with new technologies are often overlooked. But it sets the
wrong priorities.

Detective stories

A final, minor, misperception is that computer security is terribly
boring. In fact, it turns out to be one of the more interesting
aspects of the technology industry. The war stories told by security
consultants and computer-crime specialists are far more riveting than
discussion of the pros and cons of customer-relationship management
systems. So there really is no excuse for avoiding the subject.

Anyone who has not done so already should take an interest in computer
security. Unfortunately there is no single right answer to the
problem. What is appropriate for a bank, for example, would be
overkill for a small company. Technology is merely part of the answer,
but it has an important role to play, so that is where this survey
will start.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
