Entries Tagged 'security'

Security through diversity

Someone asked me the other day whether I thought the United States was vulnerable to a large scale “cyber” attack. While I have no doubt that any particular organization can be compromised, what comforts me at the national level is the sheer diversity of our systems. We have – unintentionally – employed a very effective defensive strategy known as “security through diversity.”

Every organization’s IT system is composed of multiple layers: credential systems, firewalls, intrusion detection systems, tripwires, databases, web servers, OS builds, encryption schemes, network topologies, etc. Due to a variety of factors — competitive markets for IT products, lack of standards, diversity of IT managers’ preferences — most institutions make independent and varied choices at each layer. This, in turn, means that each institution requires a customized attack in order to be penetrated. It is therefore virtually impossible for a single software program (virus, worm) to infiltrate a large portion of them.

On the web, a particular form of uniformity that can be dangerous is centralized login systems like Facebook Connect. But this is preferable to the current dominant “single sign on system”: most regular people use the same weak password over and over for every site because it’s too hard to remember more than that (let alone multiple strong passwords). This means attackers only need to penetrate one weak link (like the recent RockYou breach), and they get passwords that likely work on many other sites (including presumably banking and other “important” sites). At least with Facebook Connect there is a well funded, technically savvy organization defending its centralized repository of passwords.

I first heard the phrase “security through diversity” from David Ackley, who was working on creating operating systems that had randomly mutated instances (similar ideas have since become standard practice, e.g. stack and address space randomization). It struck me as a good idea and one that should be built into systems intentionally. But meanwhile we get many of the benefits unintentionally. The same factors that frustrate you when you try to transfer your medical records between doctors or network the devices in your house are also what help keep us safe.

Information security – are we experiencing a Pax Romana?

My last startup was an information security company — SiteAdvisor — that was acquired by McAfee, where I then worked for a while. I am no longer working in security, but have many friends that do and I try to stay in touch with what’s going on in the area.

The widespread sense I get is that we are going through a period of unusual calm, especially on the consumer side.   Instead of repeating the historical pattern where new types of threats emerge every few years, we’ve seen the opposite: threat types have actually gone away or been seriously mitigated. Spyware/adware is basically gone, as most of the businesses that were pushing it (yes, it was mostly driven by legal, US-based businesses) have gone bankrupt.  Spam has been mostly controlled, at least if you use Gmail or a good spam filter like Postini.  If you use a Mac you don’t have to worry about viruses or malware.  Mobile security hasn’t ever really become an issue, mostly because the telecom carriers (and now Apple) carefully screen the installation of 3rd party apps.  Identity theft is a real issue but not really something consumers can do anything about – most of it happens offline or through enterprise data center breaches.

On the enterprise and government side, things are more turbulent.   Distributed denial of service attacks using botnets remain almost impossible to defend against. There have been a number of breaches of sensitive consumer information and those will likely only get more common, especially as more information gets centralized in the cloud. Military and terrorist computer attacks also seem to be a likely future threat.

All in all, though, the good guys have been keeping the bad guys down.  This relative calm is generally great news for the computer users, but – let’s be honest – bad news for the computer security industry and venture capital investors.  As an investor, I’ve only made one security investment in the last few years — in a cloud security startup called Vaultive. Everything else I’ve seen seems to be trying to solve non-problems or rehashing solutions that were developed years ago.

Inevitably, the calm will end and new classes of threats will emerge. But for now we should enjoy the relative peace.

The cloud is a powder keg

This post is about computer security. Before your eyes glaze over, let me say that – without using any security jargon – I’m going to try to convince you there is a significant security issue on the horizon that will affect almost every business that stores valuable data on computers.

Willie Sutton was a bank robber who, when asked “Why do you rob banks?” replied “because that’s where the money is.”  This quote is famous enough that some people call it Sutton’s law.  On the internet, Sutton’s law means the bad guys will try to hack where the valuable data is stored.

One of the major trends in the technology world is “cloud computing” or a related concept, “Software-as-a-Service (SaaS)”. The idea is that instead of installing software within your company’s own network, it is hosted by a service provider and you access it via a web browser. SaaS applications are popular because they are much easier to use, install, maintain, and access. The most prominent examples are probably Salesforce and Google Apps. But the SaaS revolution is happening to almost every corporate application – HR, accounting, project management, bug tracking, and so on.

As a result, there is a giant migration of data going on.  We are moving from a world where everyone kept valuable data within their network to a world where all of their data is in SaaS providers’ databases.

Sutton’s 2nd law is that where there is lots of money, bad guys find a way to get to it (ok I made up the name for this law – but it should have a name). When kings had piles of gold in their castles, people found a way across the moats and through the gates. The same is true of people robbing banks, and the same will be true of SaaS providers’ databases. It could be an inside job, someone leaving a “door” open, or just clever hacking – but you can rest assured that with a giant pile of gold sitting there, the bad guys will get it (in fact it’s already started).

We have gone from a world where everyone hid money under their mattress and protected it with an alarm system and shotgun to a world where all the money is in just a few places, run by people who have no particular expertise providing security, who for the most part deny there is any risk.   SaaS providers like Salesforce just dismiss the security risk, saying, in essence, that they have alarms and shotguns too.

It’s a powder keg waiting to explode.

Disclosure:  I invested in a stealth mode security company that addresses this problem.  Perhaps that makes me biased.  I prefer to think of it as evidence that I believe what I’m writing here.