This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
You're right about the shift toward services--it's the ultimate way to lock in customers.
If you can make it difficult for the customer to get his data back after you've held it for a while, you can effectively prevent the customer from ever leaving. And of course, customers will be told "trust us, your data is secure," and they'll take that for an answer. The back-end systems that will power the future of utility computing are going to be just as full of flaws as our current systems. Utility computing will also completely fail to address the problem of transitive trust unless people start shifting to a more reliable endpoint computing platform.
That's the problem with where we're heading: the endpoints are not going to get any better. People are attracted to appliances because they get around the headache of system administration (which, in today's security environment, equates to "endless patching hell"), but underneath the slick surface of the appliance we'll have the same insecure nonsense we've got with general-purpose desktops. In fact, the development of appliances running general-purpose operating systems really does raise the possibility of a software monoculture. By 2017, do you think system engineering will progress to the point where we won't see a vendor release a new product and instantly create an installed base of 1 million-plus users with root privileges? I don't, and that scares me.
So if you're saying the trend is to continue putting all our eggs in one basket and blithely trusting that basket, I agree.
Another trend I see getting worse is government IT know-how. At the rate outsourcing has been brain-draining the federal workforce, by 2017 there won't be a single government employee who knows how to do anything with a computer except run PowerPoint and Web surf. Joking aside, the result is that the government's critical infrastructure will be almost entirely managed from the outside. The strategic implications of such a shift have scared me for a long time; it amounts to a loss of control over data, resources and communications.
This was first published in January 2008