Schneier on Security
A blog covering security and security technology.
February 22, 2013
All Those Companies that Can't Afford Dedicated Security
This is interesting:
In the security practice, we have our own version of no-man's land, and that's midsize companies. Wendy Nather refers to these folks as being below the "Security Poverty Line." These folks have a couple hundred to a couple thousand employees. That's big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything. These folks are caught between the baseline and the service box. They default to compliance mandates like PCI-DSS because they don't know any better. And the attackers seem to sneak those passing shots by them on a seemingly regular basis.
Back when I was on the vendor side, I'd joke about how 800 security companies chased 1,000 customers -- meaning most of the effort was focused on the 1,000 largest customers in the world. But I wasn't joking. Every VP of sales talks about how it takes the same amount of work to sell to a Fortune-class enterprise as it does to sell into the midmarket. They aren't wrong, and it leaves a huge gap in the applicable solutions for the midmarket.
To be clear, folks in security no-man's land don't go to the RSA Conference, probably don't read security pubs, or follow the security echo chamber on Twitter. They are too busy fighting fires and trying to keep things operational. And that's fine. But all of the industry gatherings just remind me that the industry's machinery is geared toward the large enterprise, not the unfortunate 5 million other companies in the world that really need the help.
I've seen this trend, and I think it's a result of the increasing sophistication of the IT industry. Today, it's increasingly rare for organizations to have bespoke security, just as it's increasingly rare for them to have bespoke IT. Only the larger organizations can afford it. Everyone else is increasingly outsourcing their IT to cloud providers. These providers are taking care of security -- although we can certainly argue about how good a job they're doing -- so that the organizations themselves don't have to. A company whose email consists entirely of Gmail accounts, whose payroll is entirely outsourced to Paychex, whose customer tracking system is entirely on Salesforce.com, and so on -- and which increasingly accesses those systems using specialized devices like iPads and Android tablets -- simply doesn't have any IT infrastructure to secure anymore.
To be sure, I think we're a long way off from this future being a secure one, but it's the one the industry is headed toward. Yes, vendors at the RSA conference are only selling to the largest organizations. And, as I wrote back in 2008, soon they will only be selling to IT outsourcing companies (the term "cloud provider" hadn't been invented yet):
For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.
The RSA Conference won't die, of course. Security is too important for that. There will still be new technologies, new products and new startups. But it will become inward-facing, slowly turning into an industry conference. It'll be security companies selling to the companies who sell to corporate and home users -- and will no longer be a 17,000-person user conference.
Posted on February 22, 2013 at 6:03 AM
All of this of course assumed that the outsourced security model becomes dominant, especially under increasing regulatory scrutiny. First, while in theory cloud providers should be able to do a better job, if they ultimately prove that they cannot then customers with high security requirements are going to have to insource their IT and security again.
Also, regulation could prove huge here, especially if the government wants to ensure that users with high security requirements maintain responsibility and custody of their own data. Cloud providers and end users could play off each other to avoid all sorts of security liability and if the law decides the end user needs to be more responsible then outsourcing will become infeasible.
Another regulatory concern could be single point of failure. If Amazon gets pwnd and everyone uses Amazon then in one stroke the IT infrastructure of a % of the economy could be affected in one go. While everyone cooking their own IT may be less secure, it does present more barriers to an attacker looking to do real damage. Furthermore if Amazon or other cloud providers are susceptible to government spying, taxes and court orders, it could again make cloud services less desirable.
Remember we all thought manufacturing was dead in America until the hidden costs of outsourcing became clear.
An example: In December, parties unknown got into the credit card records of Knitpicks.com (Crafts Americana Inc.). Based on my tiny sample of three out of three accounts getting hit with fraudulent charges, they seem to have made good use of the stolen information. Crafts Americana reported the breach to the State of California, but never directly notified the affected customers. It offered no public acknowledgment at all until a Feb. 17 blog post.
The other thought I have is that anyone who operates any significantly complex network is going to have a strong need for Security Industry services. Right now there are many large organizations that should have robust security operations, but simply do not because they are still in that see-no-evil pre-internet mindset.
If you have distributed boxes with computers in them you have a need for security services and Amazon is probably not going to be able to help you. Any modern high rise building with IP controlled lighting and access control and elevators and HVAC is going to need an on-site network security infrastructure unless every one of those devices is attached directly to a cloud service provider.
For every current user of security services that might leave for cloud provided security, there is a new client waiting to take their place as IT grows to cover more entities. As soon as China starts turning building infrastructure into espionage tools and terrorists start plunging people in elevators to their deaths there will be a new rush for security services.
I was mentioning the "security gap" the other day in slightly different terms.
You need to consider all those employers from Mom&Pops through SoHo and medium sized enterprise and what they actually contribute to GDP and Tax Take.
It's no secret that the Fortune 500 pay disproportionately less tax than smaller companies, and their GDP contribution is likewise becoming steadily smaller as they globalize.
It is thus in the National Interest to ensure that these companies below the "security poverty line" have their basic needs met.
As @Mike B has pointed out "Cloud Provision" is not wise for a number of reasons and this has significant carry over into the socio-economic indicators and actual economy of the country.
To look at it another way, ICT Sec is like road safety: not having it is not a good idea; where it differs is the magnitude of effect. Whilst cars might get rear-ended and the gas tank explode on an irregular basis, imagine what would happen if all vehicle brakes stopped working virtually at the same time? A lack of ICT Sec and Cloud usage can cause this latter problem rather easily, as we know.
The question then boils down to the old "Lemon Law Liability -v- National Defence" argument. Currently we are seeing a major power grab for "National Defence" which as recent discussions on this blog have shown many are not in favour of.
Whilst this might be seen as not an either/or argument but a spectrum argument, the simple fact is we need to make our minds up on it and act appropriately before further significant economic harm occurs.
The Security Poverty Line will continue to get worse. A significant portion of the critical infrastructure out there lies in the hands of the mid-market companies. The regulatory requirements for mid-market critical infrastructure demand action they cannot afford.
The net effect is compliance instead of security. Compliance leads the senior managers to believe they are secure. They have nothing to indicate otherwise until a security event happens. They are not security experts and often believe the risks are minimal because it's the big boys the attackers are after. Instead the attackers will see the mid-market as low hanging fruit.
Because of the high profile and the vulnerabilities the real experts are highlighting, government's response will be increasing the regulation more. The cycle is perpetuated until the mid-market is so broke and trying to survive that the infrastructure crumbles. Worst case result. But how do we prevent this failure?
The end-to-end principle has always had this flaw. Distributing skill to the perimeter doesn't scale. We saw this with email servers.
I proposed a few years ago that we create virtual CISO firms. Take what a team makes, split it among some companies, and factor in some profit. Try to make sure the same people work with the same firms most of the time. Multiply that by a bunch of small to midsized firms. They get more capabilities than they can manage themselves. The contracting business makes money and its employees get more work (job security) than they otherwise would. There are firms a bit like this, but I'm surprised there aren't more. (Note: I'm not talking traditional managed security services. If their model was economical for most businesses, then this problem wouldn't be a problem.)
I was going to start one of these companies myself. However, the recession made the companies in our area cut their security budgets plenty. I tried to explain that crime would increase as opportunity increased and wages decreased. They didn't care. That was that.
I agree with your main point, especially Nather's Security Poverty Line. However, as you know, this is a much more complex problem than "we can't afford it".
I have been selling security consulting services to SMB's for two years. I can easily improve the security posture of a small business for a fraction of what people assume it costs. I don't even need a full scope pentest, I already know what's broken.
The main problem I run into is STILL the denial of the need for a security program. "Nobody would hack us, we are too small." If we could get the business culture in this country to accept that they rely on their fragile IT infrastructure maybe we would see the poverty line lower because of the collective spending by SMB's.
I agree with the vision. I work for an organisation that has sent a large part of its application services to the cloud.
For me this transforms the business "Information Security" role into an "Information Governance" role -- i.e., how can I be sure the people I have entrusted my systems with are doing what I expect and have contracted for them to be doing?
@ Collin Robbins
"I agree with the vision. I work for an organisation that has sent a large part of its application services to the cloud."
Now, it's very interesting to me that Nexor (is that the one?) did that considering the high security market it operates in. I would think that company would have very sophisticated attackers staying at it to try to get information on or subvert the products it sells, which often protect high value information.
So, I guess my questions to you are:
1. What specific kinds of things do you guys put in the cloud?
2. What type of things did you not put in the cloud due to security or other issues?
3. Do you use your own technologies to increase the security of your cloud operations? How?
I understand you might not be able to provide very specific answers to all of these. Feel free to leave out information or filter it a bit to protect your company's operations. I'm just interested in seeing how companies in high security markets are handling the modern trends.
For many companies, even consumer grade cloud services are a big step up from the alternative. Running critical operations services from a spare office cube or broom closet full of unmaintained servers makes for plenty of vulnerabilities too.
It is disheartening that this group is preyed upon so heavily (by thieves, security vendors, and regulatory groups) while real-world solutions remain out of their grasp.
At its core, the problem is an age old one. Given a well-known present threat versus a poorly understood future threat - which one wins attention? It gets even more complicated once a company realizes the scope of this perceived future threat. Now that data is realized as valuable, organizations quickly find their exposure exceeds their entire company's assets. And that reducing the risk from "Catastrophic" to "Medium" will still bankrupt them.
It's no wonder that this situation isn't improving. Their best choice may just be to hope something bad doesn't happen to them. For an organization constantly balancing keeping employees on the payroll versus spending to market their products, investing in security projects will likely just let their competitors get farther ahead.
It's never polite to point out flaws just for the sake of exposing them. What useful advice would be compelling to those operating daily in this security no-man's land? How can rewards/incentives be formed to encourage responsible and ethical business operations?
We also need to consider that larger firms are moving towards the "security poverty line". Where the impact of an infosec breach does not impact ongoing revenue, or can be quietly hidden, means that security is of less importance to them. These larger companies see no issue with outsourcing large portions of their security function, for the proverbial cost savings, while keeping a small internal staff to make sure that they are 'compliant' with the regulations and laws that impact their business.
We saw this coming a long time ago in NRIC, where security would be replaced by compliance, which really is a lower bar to get across. So, when your goal is to become compliant, everything else above and beyond that bar is seen as excess, impacting the ability of the business to perform. Hence, you outsource it, so you have fewer people in the business serving as evangelists for more than compliance, freeing the business to do as it feels it needs to do to continue generating revenue. In the event an incident goes public, the business can show where they were compliant, and push the failure off on their outsourcer, limiting the business's exposure, and creating a shared blame.
I find it hard to believe that a company with a thousand employees cannot afford to spend money on security. I've worked in numerous hospitals with five hundred to two thousand employees. A medium-sized hospital would have around a thousand employees with the equivalent of one full-time computer security employee, a part-time or full-time physical security (doors, fences, windows, etc.) employee, and a few security guards. Companies with lower security needs can outsource some of the work, but they should be able to afford it. Without such protection, they'll pay much higher insurance premiums.
@MingoV You apparently have never worked in a regular company. When I was a consultant we regularly had large SMBs (>500 employees) with no on-site staff, we were the out-sourced IT. Getting clients to understand that their exposure really could be crippling was usually very difficult; the most notable exception was a company that produced and sold medical supplies that had a sister company that did testing - the owners had a costly experience on the testing side.
The company for which I currently work is in compliance mode, but our new IT Director has said if we can present a good business case he will back us up completely -- he just wants to know that we can make it work. My boss and I are evaluating several options, trying to decide what we need vs. what we want. Yes, we are assuming we need a lot so there is plenty of negotiating room.
MingoV: I find it hard to believe that a company with a thousand employees cannot afford to spend money on security.
Can is different from "is willing to". Security costs money and any money you spend on security means less profit. Also if your security costs are such that you can't make a profit, then that security becomes self-defeating.
Coursey: The main problem I run into is STILL the denial of the need for a security program. "Nobody would hack us, we are too small."
Or more accurately, no one would hack us in ways that would damage us.
A few years ago, my home machine was hacked, and one thing that I noticed was that the hackers were "extremely polite." They didn't damage any personal data and were very careful to keep the machine running.
The reason for this is that they were interested in running a botnet to harvest credit card numbers from ebay, and they just wanted to use my machine as a proxy. It was not in their interest to damage my machine since damaging my machine would alert me that they were there.
My suspicion is that large numbers of SMB and home machines are in fact being hacked, but as long as the hackers don't damage any internal data or use the data that they steal against the company, it becomes "someone else's problem."
Instead of looking at companies that can't afford security effort, it is good to consider the provider side as well.
How could I provide security services for cheaper and to more companies efficiently?
I would assume the answer lies around creating standard infrastructure and management tools, then one security professional could scale up and serve a couple of companies.
It's hard to see regulation being effective/useful in a fast-changing and diversified setting. Third-party certifications, audit and prudence (to avoid PR and financial loss) make more sense.
A problem I see with outsourced security is that they will not be personally invested. A consultant is not personally invested in one of the many companies they have performed security reviews for. They can get away with - and do - shabby jobs.
They are not on the line if the web site or application or company gets hacked.
If they miss a security issue, they can say "so what".
It is even worse than with hired-out security guards. When you have security guards on site, they are just there for the duration of their work day. With IT security, they are very often tasked with protecting against future attacks. They will not personally be there when attacks come.
And, of course, there is a big factor on "trusting the cloud". Do you trust someone you do not personally know with the keys to your personal kingdom? To your corporate kingdom?
Should some Joe Blow of X security company know all of the hidden secret ins and outs of your company's data?
Did you even catch your security consultant's name? Did they catch yours?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.