COMMENT: All Secure One Fine Day
By Mary Ann Davidson
Every soldier in the IT army will know and practice self-defense.
One of the pleasures of my job is the opportunity I have to speak at public forums. I was recently asked to speak at a venture capital breakfast on the topic of new investment opportunities in security.
I did a lot of brain-picking in preparation, including talking to customers and to a friend who is an angel investor in security companies. It's good to know what customers' real problems are and what people are funding if you want to talk about the future.
When I think about future security trends, it strikes me that there are an awful lot of security companies chasing the same dollar, that security solutions are (mostly) way too complex, and that we are still in the bolt-on world of security-as-add-on. That is changing—and it's about to change more quickly. In a recent survey of security kahunas, many (43 percent) thought that most "protection" security measures would be part of the operating system by 2008. A second group (22 percent) thought they'd be buying a bundled security product/appliance instead of purchasing protection for one hard-to-deploy product at a time.
In a way, that's as it should be. Years ago most of us didn't buy a car and then go to a third party to add those antilock brakes and air bags we'd been reading about in Car and Driver. It was too hard to shoehorn an air bag in if the car wasn't designed for one and way more expensive than if it were just there. Similarly, many safety and security features really should be built into commercial software. Market trends and economics argue for it. This reflects a maturing of the industry and the realization that even the most whiz-bang security gizmos aren't useful unless issues of scalability, deployability, and integration are also addressed. For example, it wasn't that long ago that deploying identity management meant buying a bunch of disparate products and getting a consultant to integrate your provisioning engine with your HR system and your single-sign-on solution. Now identity management is dominated by large software vendors; it is part of the stack; and integration with things like HR systems is increasingly becoming a reality. Oracle, for example, got into identity management when customers asked us to build a really scalable LDAP directory, and we have made several acquisitions in identity management for the purpose of offering a complete, integrated, and heterogeneous solution.
There's another reason security has to just be there, and that's the cost of deploying gatekeepers. Nobody is going to deploy as many host protection devices/appliances as they have hosts: it's ridiculous to think so. Even security products have to be vetted, installed, and managed, and that takes time and money. Also, if we keep adding enough security nodes to the network, we will have great security—especially because nobody can get a transaction through 16 "protection" appliances.
To the extent that entire critical infrastructures rely on IT, we have an Achilles' backbone. The network isn't the computer; it's the battlefield. And on the battlefield, you need more than just a perimeter defense, or even defense-in-depth. In the armed forces, even though not every soldier is in the Special Forces, every soldier (whether cook, medic, or stores clerk) knows how to pick up a rifle and shoot. Every soldier is, well, a soldier. In the long run, all elements of the network—and in particular, critical elements of software—have to self-defend. There is no other way to be secure.
A product that does inventory management, for example, should know what a well-behaved inventory application does and be able to allow well-behaved inventory transactions and (flexibly) disallow a transaction or raise a flag if a transaction comes down the pike that looks dicey. It's the cyberequivalent of "Halt, who goes there?" Or maybe "Just say 'no.'"
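What a self-defending inventory application might look like in practice, as an added example that is not the column's own code and not a description of any Oracle product: the module below embeds its own policy of what a well-behaved transaction is (hard invariants, per-user velocity, and a per-SKU magnitude baseline) and allows, flags, or denies each transaction itself rather than relying on a box in front of it. The SKUs, stock levels, baseline history, thresholds and transactions are all constructed for illustration.

```python
"""Added example: an inventory application that knows what a well-behaved
transaction looks like and allows, flags, or denies each one itself.
All SKUs, history, thresholds and transactions below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum
from statistics import mean, pstdev


class Verdict(Enum):
    ALLOW = "allow"   # well-behaved: commit silently
    FLAG = "flag"     # commit, but raise a flag for review
    DENY = "deny"     # refuse: violates an invariant or is far outside the baseline


@dataclass(frozen=True)
class Txn:
    user: str
    sku: str
    qty: int      # positive = receive stock, negative = issue stock
    ts: float     # seconds (constructed values in demo())


class InventoryGuard:
    def __init__(self, stock, baseline, window=60.0, max_per_window=5,
                 z_flag=3.0, z_deny=6.0):
        self.stock = dict(stock)          # sku -> on-hand quantity
        # sku -> historical |qty| per transaction: the app's own model of "normal".
        # Learned offline and deliberately not updated by live traffic, so a
        # patient attacker cannot drift the baseline upward one transaction at a time.
        self.baseline = {s: list(q) for s, q in baseline.items()}
        self.window, self.max_per_window = window, max_per_window
        self.z_flag, self.z_deny = z_flag, z_deny
        self.recent = defaultdict(deque)  # user -> timestamps of committed txns in window
        self.audit = []                   # (txn, verdict, reasons) for every attempt

    def _zscore(self, sku, qty):
        hist = self.baseline.get(sku, [])
        if len(hist) < 5:
            return 0.0                    # too little history to judge magnitude
        sd = max(pstdev(hist), 1.0)       # floor of one unit avoids a zero divisor
        return (abs(qty) - mean(hist)) / sd

    def evaluate(self, t):
        # 1. Hard invariants the application knows can never be legitimate.
        if t.sku not in self.stock:
            return Verdict.DENY, ["unknown sku"]
        if t.qty == 0:
            return Verdict.DENY, ["zero-quantity transaction"]
        if self.stock[t.sku] + t.qty < 0:
            return Verdict.DENY, ["would overdraw stock"]
        verdict, reasons = Verdict.ALLOW, []
        # 2. Velocity: more transactions per user than a human operator produces.
        q = self.recent[t.user]
        while q and t.ts - q[0] > self.window:
            q.popleft()
        if len(q) >= 2 * self.max_per_window:
            return Verdict.DENY, [f"{len(q)} txns in {self.window:.0f}s"]
        if len(q) >= self.max_per_window:
            verdict, reasons = Verdict.FLAG, [f"{len(q)} txns in {self.window:.0f}s"]
        # 3. Magnitude: how far |qty| sits from this SKU's own history.
        z = self._zscore(t.sku, t.qty)
        if z >= self.z_deny:
            return Verdict.DENY, reasons + [f"qty z-score {z:.1f}"]
        if z >= self.z_flag:
            verdict, reasons = Verdict.FLAG, reasons + [f"qty z-score {z:.1f}"]
        return verdict, reasons

    def apply(self, t):
        verdict, reasons = self.evaluate(t)
        self.audit.append((t, verdict, reasons))
        if verdict is not Verdict.DENY:   # flagged txns still commit, but are recorded
            self.stock[t.sku] += t.qty
            self.recent[t.user].append(t.ts)
        return verdict, reasons


def demo():
    """Run constructed transactions through the guard; returns (verdicts, stock)."""
    guard = InventoryGuard(
        stock={"W-100": 500, "G-7": 40},
        baseline={"W-100": [18, 22, 20, 19, 21, 20, 23, 17],   # mean 20, sd ~1.87
                  "G-7": [5, 4, 6, 5, 5, 4]},                   # mean ~4.8, sd floored to 1
    )
    txns = [
        Txn("alice", "W-100", -20, 1000.0),     # ordinary issue -> allow
        Txn("alice", "W-100", 25, 1010.0),      # ordinary receipt, z ~2.7 -> allow
        Txn("bob", "G-7", -41, 1020.0),         # more than on hand -> deny
        Txn("bob", "X-999", -1, 1030.0),        # SKU the app has never heard of -> deny
        Txn("mallory", "W-100", -27, 1040.0),   # z ~3.7 -> commit but flag
        Txn("mallory", "W-100", -120, 1050.0),  # z ~53 -> deny
    ]
    # A scripted burst: 12 one-unit issues in 12 seconds from one user.
    txns += [Txn("script", "G-7", -1, 2000.0 + i) for i in range(12)]
    verdicts = [guard.apply(t)[0].value for t in txns]
    return verdicts, dict(guard.stock)


if __name__ == "__main__":
    for v, s in zip(*demo()):
        pass
    print(demo())
```

The point of the design is that the "Halt, who goes there?" happens inside the application, where it knows its own data model (stock can't go negative, this SKU moves about twenty units at a time, a clerk doesn't post ten transactions a minute), rather than in a network appliance that sees only packets. The `audit` list is the record a security operations team would actually consume: flagged transactions commit, but they are never silent.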
There's always going to be room for innovative security vendors, but a bleeding-edge security firm almost always starts out by solving a niche problem and almost always ends up going mainstream and embedded to survive and thrive. The more security is part of enterprise software, the more networks are innately defensible instead of defensible only by cybermercenaries. When you look at military history, the standing army has almost always prevailed over mercenaries. Self-defend or die.
Mary Ann Davidson is the chief security officer at Oracle, responsible for secure development practice, security evaluations, and assessments. She represents Oracle on the board of directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC) and the Defense Science Board and is on the editorial review board of SC Magazine.