At the RSA Conference this year I have been struck even more than usual by the dichotomy between the dire statements of the speakers and the hysterical optimism of the show floor. RSA President Amit Yoran told us that, “2014 was yet another reminder that we are losing this contest.” Over and over again we heard that attack is easier than defense because the attacker only has to get it right once and the defender has to get it right all the time. Yet at the same time down in the expo center hundreds of vendors were competing for our attention with candy, t-shirts, ear buds, beer koozies, cookies, and even jugglers, all with the same message: We have a solution for you. Ha!
Perhaps I’m just bitter because I didn’t get a free t-shirt from the jugglers, or perhaps all these solutions don’t actually add up to The Solution.
One industry analyst I talked to told me that he saw as many as eighty new cybersecurity companies a month announcing that they had at least part of the answer to the world’s cybersecurity problems. There is currently a cybersecurity gold rush, but just as many of the miners who came to San Francisco in 1849 did not strike it rich, many of the companies pushing their wares here at the RSA Conference in San Francisco will find that they cannot get attention for their products in an increasingly crowded marketplace. With dozens of new offerings every month, how is a CSO or CISO supposed to work out which security products to buy to protect against attacks?
Maybe there should be an app for that.
Perhaps not, but we can move in that direction. Increasingly, applications are deployed on individual virtual machines (either in the cloud or on enterprise VM clusters). Ed Amoroso, the CSO of AT&T, has for some time been promoting the idea of compartmentalizing applications and giving each application its own security perimeter. When you are setting up a VM for your app, as well as selecting disk space, CPU cores and speed, memory, operating system, backup frequency, and so on, you should also be given the chance to select a firewall, malware scanner, DNS protection, intrusion detection, exfiltration detection, data encryption, spam filtering, and so on, simply by checking boxes. You could even sign up for automated pen testing with a weekly run of Metasploit against your VM.
This would not be The Solution. Individual systems would still sometimes get compromised by zero-days, or phishing, or application vulnerabilities, but it would limit the damage to that single system. It would also force a realistic risk assessment early in the development life cycle, when the project costs are being estimated, rather than trying to throw some security in as an afterthought.
My hosting provider charges less than ten bucks a month to host unlimited web sites on my account, and offers one-click installation of a variety of content management systems, blogging platforms, e-commerce solutions, forum software, photo galleries and so on. There are over sixty packages to choose from, all of them freeware. If my hosting company can manage that at very low cost, a cloud provider with higher margins should be able to go further and provide hundreds of security packages, with the appropriate billing and licensing, as part of their setup process. Perhaps making it onto the one-click install list for Rackspace or AWS will be the new gold standard for security companies. The cloud provider should not be in the business of deciding what is an appropriate level of security for their clients, but they could be in the business of making it as easy as possible for their clients to make that decision.