Tempted to “Skimp” on IT Security?

FACT: According to a study presented at last week’s annual RSA Conference on cyber security, by Palo Alto Networks CTO Nir Zuk, “Users are routinely, and fairly easily, circumventing corporate security controls. And that is because traditional firewall technology was not meant to grapple with the diversity of Internet applications of recent years.”

ANALYSIS: Security has been an even hotter topic than usual for the past month, what with new national-level attention to cyber security and, for Microsoft, a culmination of sorts of various strands of effort into our new “End to End Trust” initiative.  My boss, Jim Simon, attended the RSA Conference in San Francisco, with his boss, Craig Mundie, Microsoft’s Chief Research and Strategy Officer.  Craig laid out Microsoft’s “End-to-End Trust” vision, designed to provide users more control over online and enterprise systems.  His keynote was widely covered (even by offbeat security blogs, like RiskBloggers.com) so I don’t need to rehash it.

Nir Zuk’s presentation was interesting – and not just because he’s one of the true pioneers of firewall technology.  He really understands secure enterprise environments, something I’m discussing more and more with government organizations, which are learning the hard way that they need to protect their data, apps, and computing platforms.

Nir’s focus was on the challenge of corporate users accessing internet apps – basically, making use of cloud computing capabilities, but in ways that can compromise traditional corporate or enterprise firewall protection.  This occurs at the same time that CIOs and IT managers are being asked by the business side about saving money by using this “free cloud we keep reading about.”

There are other costs, of course, when users try using “free” or unsupported software, beyond the security implications. An editor for the Wall Street Journal, Vauhini Vara, last week tried an experiment of “A Week Without Desktop Software,” using only web apps.  The blessed connected life!  Didn’t turn out too well… you can read the story here (or on the WSJ site if you have a subscription), but here’s the upshot:

Another editor walked by my desk and found me hunched over my BlackBerry, thumbs sore and eyes straining. “How’s the connected-only life?” he asked.  I wanted to vent about every little inconvenience I’d encountered, from sluggish email to disappearing spreadsheets. But after a week of BlackBerry conversations, I had learned to be succinct.  “Not great,” I said.

If you’re interested in secure systems for government, I’d encourage you to read the white paper on “Establishing End to End Trust” by Microsoft’s Scott Charney, published the same day as Mundie’s RSA keynote, which lays out the overall vision and the concept of a “trusted stack,” where each element — including the operating system, applications, users, and data — can be authenticated and considered trustworthy.  As Scott points out, a “more secure and trustworthy Internet ecosystem” would address broader goals designed to:

  1. Mitigate common risks, substantially, so that public faith in the safety of the IT ecosystem is restored and/or enhanced;
  2. Permit security professionals to reduce their current efforts to address existing threats and allow them to redeploy those resources to address more intractable risks;
  3. Make it more difficult to conjure up new criminal schemes because authentication and audit make it more difficult to complete crimes successfully;
  4. Enable law enforcement to find and prosecute a greater number of cybercriminals, thus increasing deterrence on the Internet.

Can’t get there just using free software, I reckon. Realistically, achieving these levels of trusted identity-driven systems will require addressing “all of the complicated social, political, economic, and technical issues raised,” as the white paper points out.
