Security-As-A-Feature And The Economics of Abundance
from the a-feature-not-a-product dept
The always insightful Bruce Schneier has a new piece out arguing that the stand-alone security industry is doomed, as security increasingly becomes a feature of other products, rather than a product in its own right. He points out that hardly anybody wants to buy a "security product." They want to buy useful products -- operating systems, databases, web servers, whatever -- and take for granted that the developers of those products have designed it to be secure out of the box. Schneier points out that consolidation in the security industry has not taken the form of large security firms buying small security firms, but of non-security-focused software firms buying security firms to help bolster the security and reputation of their products. This may indicate that developers of other software products are recognizing that better security is one of the key features customers are demanding in their products.
If you'll excuse me for jumping on a Techdirt hobby-horse here, this is another example of the economics of abundance at work. Security products are increasingly becoming commodities. Obviously the software ones -- anti-virus tools, software firewalls, intrusion detection systems -- have a marginal cost of zero, and even many of the hardware devices are built on commodity parts that get cheaper every month. What hasn't gotten cheaper is the expertise required to put the bewildering array of security tools together into a coherent system that's customized for a firm's particular business. Indeed, as security products have gotten more numerous and more complex, it has actually gotten harder to keep track of them all and know which security tools are the best ones to use in any given situation.
And crucially, this isn't something you can outsource to a third party. I've written before (in the context of e-voting) that encryption isn't magic pixie dust that automatically makes a system more secure. The same point applies to security more generally. Having the best firewall in the world won't do you any good if it's not configured properly, or if your network hasn't been designed with security in mind. And because every large organization has different security needs, every organization needs a slightly different security setup.
This creates a huge opening for companies who understand that customers are not looking to buy a security software product, but a suite of software that they can count on to be secure without worrying about the details. We've pointed out that this is essentially the business Red Hat is in: not selling software but selling the expertise of its employees with respect to the software. Security is a big part of that. "Security software" is an infinite good, and the market for it will get increasingly crowded in the future. On the other hand, the expertise needed to build complex software systems securely is as scarce as ever, and such expertise is one of the key ways that software companies can distinguish themselves from the competition.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: abundance, bruce schneier, feature, product, security, service
Reader Comments
Subscribe: RSS
View by: Time | Thread
Security can be stand-alone
But on an individual/home network level, it would make sense to package security tools into everything because lets be honest, 40 bucks for norton security? f-that...my wallet would be the only thing getting hacked.
[ link to this | view in chronology ]
Re: Security can be stand-alone
[ link to this | view in chronology ]
Prove it
[ link to this | view in chronology ]
Re: Prove it
[ link to this | view in chronology ]
Re: Re: Prove it
[ link to this | view in chronology ]
security "products" are not security "services"
[ link to this | view in chronology ]
My uncle once told me an interesting story about security...
So they found a solution and wanted my uncle to just implement it in the product. My uncle didn't want to do this so he started up a Google page, searched for a crack for this specific hardware key and quickly found hundreds of thousands of pages that explained how you could simply bypass this additional hardware key. He just forwarded that list back to management and asked them if they were really sure if they wanted to implement something that would only give an illusion of security. Management quickly forgot about it, afterwards...
He told me this story as a very valuable lesson. It doesn't matter how secure some solution appears to be. If people want to, they will always manage to bypass it.
Furthermore, the use of a generic solution method is risky because generic solutions tend to have generic cracks that will make it even easier to bypass security.
With security, you want a lot of diversity so a hacker who manages to bypass one part of your security will still have to solve a way to get around the other security systems. When you build a stand-alone security system that hundreds of users will use in their systems then a hacker has only a single system to crack. This is -in my opinion- why stand-alone security products will fail.
[ link to this | view in chronology ]
it's the end of the beginning
the information security landscape is changing. "attacks" used to take the form of virii, trojans, spyware and the like. these were automated attacks built by individuals, small teams, or small startups and spread indiscriminately across the internet to any vulnerable host. that game really isn't worth playing anymore thanks to automated security software (anti-virus, anti-spam, anti-spyware).
the current game is botnets, cross-site scripting, spear phishing (or even whaling), DDoS extortion, and other "brute force" techniques. these are largely manual or customized automation attacks that target specific sites or companies rather than the internet as a whole. these attacks are launched by skilled teams that are often funded by organized crime or nation states. is your company equipped to fend off a targeted attack?
the kraken botnet is said to have over 400,000 nodes, is your security infrastructure prepared to tangle with something that huge? how about when it grows to be bigger than google?
these kinds of attacks cannot be dealt with using primarily automated tools alone, you need help from experts, and lots of it.
secure, fault tolerant software is an unholy bitch to write, it takes loads of time, loads of testing, and loads of peer review. sure, you can "build security in" but is a for profit corporation going to invest in re-tooling from the ground up because it's the right thing to do?
[ link to this | view in chronology ]
Missing the point?
[ link to this | view in chronology ]
Oops
[ link to this | view in chronology ]
[ link to this | view in chronology ]