Warning: Don’t buy into the security snake oil

No industry has more false prophets, blowhards and snake oil salesmen than IT security. IT professionals just want secure, well-designed technologies. What they usually get are core technologies with security holes (which hackers regularly strafe with probes and attacks), band-aid fixes, empty promises, questionable advice and a shower of “must-have” appliances that clog up the network perimeter more densely than a city traffic jam.

Certainly, corporate IT has had a role to play in allowing the current, sad state of affairs to unfold.

But let’s not forget about the vendors of security products and services that promote themselves as your salvation from hacker attacks, viruses and other threats. They’re really just selling you products – and more of them every day.

The unwelcome truth is that most security products are compensating for vulnerabilities in the basic IT architecture, an infrastructure that was never designed to be lashed onto the anarchic, business-unfriendly wide-area network that is the Internet. Businesses have even opened up their data centres to this vulnerability-riddled WAN. Think back for a minute. If you had dumped that value-added network service back in 1994 for such a disorganized and unsecured communications network, you’d have been out of a job.

But here you are, working with security tool vendors that tout “solutions” but whose business depends on maintaining a rather unhealthy symbiosis between themselves and the hackers against whom you need to be protected. A billion-dollar industry has been built by treating the symptoms, rather than the cause. Years ago, one antivirus software vendor enthusiastically offered a reward to those who “discovered” a virus in the wild so that it could be the first to offer a signature. Negative publicity stopped this pay-the-hacker strategy in its tracks. But today, virus writers and antivirus vendors are still locked in a strange embrace. Hackers get a cheap thrill from rising to the top of vendors’ top 10 lists. Vendors get to sell a steady flow of new antivirus signatures.

Meanwhile, a small army of security experts with their own biases bloviate ad nauseam about what’s wrong with IT security while constructing grand theories about how wonderful things would be if everyone would just do as they say. The most recent distraction: a return to heterogeneous computing on the desktop.

This simplistic line of thinking applies the idea of biodiversity to the health of one’s IT infrastructure. A mixed computing environment of Macintosh, Linux and Windows PCs should be more resistant to threats, proponents say. Several pundits support this idea, including Dan Geer, former CTO at Cambridge, Mass.-based security services firm @stake Inc., who was fired from his job in September for co-authoring a controversial report called “CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft’s Products Poses a Risk to Security.” Even Gartner has promoted this idea.

But the authors’ thinly veiled resentment of the Microsoft “monoculture” (read: “monopoly”) and the Windows vendor’s failure to address their security concerns comes off more like a call for insurrection than a well-thought-out security strategy for the enterprise. And why focus myopically on Microsoft when there’s plenty of blame to go around? What about the Cisco “monoculture”? Or Intel?

IT diversity can certainly lessen the impact of a security event by limiting the damage to a subset of machines. But there’s a reason why IT planners have largely standardized on a single desktop operating system: It’s easier to manage. It took years to standardize the desktop on one operating system.

Does any sane IT organization really want to replace 50,000 PCs with a mix of Macs, Linux and Windows machines and then re-engineer the management tools, support and application sets to make it all work? And heterogeneity is less of a concern in the server world, where competing operating systems already exist in many companies.

I can’t tell you the specifics of how to solve these problems. But it’s clear to me in talking with Computerworld readers that corporate America is running out of patience.

The Internet and the IT infrastructures that connect to it must evolve quickly to a more structured and secure form, or the business that depends on them today will be conducted elsewhere.

Mitchell is senior features editor at Computerworld U.S.
