What security technology do you need that you can't get today? Here's your wish list.
Necessity is the mother of invention. The wheel was invented to make movement easier. The Romans invented the arch to support large, heavy structures. Samuel Morse invented the telegraph for fast communication across vast distances. The list goes on.
Security technologies and processes are also born of necessity. Marcus Ranum commercialized the firewall because enterprises migrating to the World Wide Web needed network-layer access control. Peter Tippett pioneered AV technology because PC users were getting hammered with boot-sector viruses. Marty Roesch developed Snort because enterprises needed a flexible IDS sensor to detect the things firewalls can't stop.
Security practitioners run into necessity all the time. Like craftsmen tinkering in workshops, they discover what's missing in their toolboxes and improvise solutions to new problems and tasks. Eventually, improvisation is translated into new standards, technologies and products.
Information Security wanted to know what new technologies, protocols, standards and processes you--the security practitioner--yearn for to make your job easier. What doesn't exist today that you wish you had? Here's a sampling of the "wishes" you want to see come out of security workshops and policymakers' offices.
Making ISPs Responsible for Security
Who's in the best position to deal with security threats and events other than the people handling the traffic--the Internet service providers? Readers wish ISPs were mandated to secure their backbones and networks, and guard against Internet-borne attacks--worms, spam and bots--so enterprises won't have to.
Many ISPs already filter worms and other malicious traffic on their backbones, and some are beginning to scan their customers' e-mail for viruses, sparing those customers the burden. But there's no requirement--yet.
Some readers wish that the government would require ISPs to take responsibility for security. They'd also like to see offshore traffic enter the U.S. through specific points, allowing the government to monitor all incoming traffic for security compliance and providing control over unregulated traffic.
The benefits readers see in regulated ISP security: greater control over traffic flow, blocking of malicious traffic before it reaches PCs, and less theft of bandwidth and resources. The same position that makes a carrier an effective filter also makes it a chokepoint, so any such mandate has to weigh control against concentrating failure and monitoring in one place. As one reader states, "Trying to fix these problems at the individual computer level will never work, because users will never be able to update and patch their computers effectively."
Nonrepudiable Authentication
Despite digital certificates, PKI and elaborate authentication schemes, security experts say there is still no ubiquitous technology that can prove the person at the keyboard is who they claim to be.
E-commerce and B2B transactions depend on irrefutable identification of the person using the machine. Certificate authorities are expensive, hard to manage in broad deployments and lack interoperable standards, and biometrics aren't feasible because of the expense and the small installed base. So enterprises rely on conventional authentication (passwords, tokens and certificates), which isn't necessarily bad or unreliable. But it isn't foolproof, either.
What users wish for is a mechanism that binds the user to the machine to form a nonrepudiable authentication and signing scheme, one that would cut down online fraud and theft.
Eliminate E-mail Anonymity
Spammers love the ease and anonymity of e-mail. They can create tens of thousands of Hotmail, Yahoo! and private domain accounts from which to launch spam.
Users wish that ISPs and e-mail vendors would require the validation of an e-mail address--marrying the account to the owner--before it becomes operational.
Eventually, this would amount to a central e-mail registry that could back antispam and antifraud efforts. It would complement rather than replace domain-level sender authentication such as Microsoft's Sender ID, which vouches for the mail servers of a sending domain, not for the individual account.
Cross-Platform Compliance Utilities
There's no shortage of tools for scanning, auditing and assessing the health of network devices. What's missing is a tool that can check all devices, regardless of their OS or vendor make, for compliance with security policies.
This cross-platform tool would check for parameter settings required by security policies, log noncompliant devices with a risk weight (green, yellow, red) and issue detailed reports to security managers.
Current tools such as FireMon claim some of this, but readers insist that a truly universal scanning and auditing tool isn't available. Once one is, they'd want common processes for conducting risk assessments and business impact analyses across the enterprise.
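To make concrete what such a tool would actually have to do, here is an added example in Go; it is not from the article or from any product it names. It assumes a policy expressed in vendor-neutral parameter names, a per-platform normalizer that maps native settings onto those names, and a constructed sample inventory: the setting names (IOS-style statements, registry-style values) are illustrative, not the real configuration syntax of any product. The check a practitioner would want is the handling of devices the tool cannot interpret, which are reported red rather than silently skipped.

```go
package main

import "fmt"

// Severity of a policy rule. The highest severity violated on a device sets
// its risk weight: green (none), yellow (low or medium), red (high).
type Severity int

const (
	SevLow Severity = iota + 1
	SevMedium
	SevHigh
)

var colour = map[Severity]string{0: "green", SevLow: "yellow", SevMedium: "yellow", SevHigh: "red"}
var yn = map[bool]string{true: "yes", false: "no"}

// Rule is one parameter the policy requires. Key is vendor-neutral; each
// platform's normalizer maps native settings onto these keys.
type Rule struct {
	ID, Key, Expected string
	Severity          Severity
}

// Device is one node: its platform and the raw settings collected from it.
type Device struct {
	Name, Platform string
	Raw            map[string]string
}

// normIOS maps Cisco IOS-style statements (constructed sample keys, not the
// real syntax) onto the policy's vendor-neutral parameters.
func normIOS(raw map[string]string) map[string]string {
	return map[string]string{
		"remote_admin_encrypted":  yn[raw["ip ssh version"] == "2"],
		"cleartext_mgmt_disabled": yn[raw["ip http server"] == "no"],
		"remote_logging":          yn[raw["logging host"] != ""],
	}
}

// normWindows does the same for registry-style values (constructed).
func normWindows(raw map[string]string) map[string]string {
	return map[string]string{
		"remote_admin_encrypted":  yn[raw["WinRM.AllowUnencrypted"] == "0"],
		"cleartext_mgmt_disabled": yn[raw["Telnet.Enabled"] == "0"],
		"remote_logging":          yn[raw["EventForwarding.Target"] != ""],
	}
}

var normalizers = map[string]func(map[string]string) map[string]string{
	"ios": normIOS, "windows": normWindows,
}

// Check normalizes one device, evaluates every rule and returns the risk
// weight plus one line per noncompliant parameter. A platform with no
// normalizer, or a parameter it cannot supply, counts as noncompliant.
func Check(d Device, rules []Rule) (string, []string) {
	settings := map[string]string{}
	if norm, ok := normalizers[d.Platform]; ok {
		settings = norm(d.Raw)
	}
	worst, findings := Severity(0), []string{}
	for _, r := range rules {
		actual, ok := settings[r.Key]
		if !ok {
			actual = "<not reported>"
		}
		if actual == r.Expected {
			continue
		}
		findings = append(findings, fmt.Sprintf("%s %s: want %q, got %q", r.ID, r.Key, r.Expected, actual))
		if r.Severity > worst {
			worst = r.Severity
		}
	}
	return colour[worst], findings
}

// Policy and Fleet are constructed samples.
var Policy = []Rule{
	{"P-01", "remote_admin_encrypted", "yes", SevHigh},
	{"P-02", "cleartext_mgmt_disabled", "yes", SevMedium},
	{"P-03", "remote_logging", "yes", SevLow},
}

var Fleet = []Device{
	{"core-rtr1", "ios", map[string]string{"ip ssh version": "2", "ip http server": "no", "logging host": "10.0.0.5"}},
	{"edge-rtr2", "ios", map[string]string{"ip ssh version": "1", "ip http server": "yes", "logging host": "10.0.0.5"}},
	{"fileserv1", "windows", map[string]string{"WinRM.AllowUnencrypted": "0", "Telnet.Enabled": "1"}},
	{"printer7", "embedded", nil}, // no normalizer for this platform
}

func main() {
	for _, d := range Fleet {
		weight, findings := Check(d, Policy)
		fmt.Printf("%-6s %-10s %d finding(s) %v\n", weight, d.Name, len(findings), findings)
	}
}
```

Adding a platform means adding one normalizer, not touching the policy; the policy itself stays in terms of what the enterprise requires rather than how each vendor spells it.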
Trusted E-mail Wrappers
Encryption has long been the Achilles' heel of antivirus technology, because conventional scanners can't inspect what they can't decrypt. Readers want more than real-time outbound AV scanning at the host and on the network; they want to know they can trust e-mail coming from trusted domains, and they want a mechanism to convey that trust. One reader calls it a "trust wrapper."
Here's how it would work: A user finishes an e-mail with an attachment. The system scans the message for malware, signs it with the user's key and encrypts it. The whole package then goes into a trust wrapper signed with the corporate key. The wrapper tells the recipient that the sending enterprise vouches for the e-mail's source and that the message was scanned before it was encrypted, so the receiving side doesn't need to see inside the encryption to know it was checked.
Such a system would depend on enterprises establishing trust relationships, and the trust it conveys is only as good as the sending side's scanning and key management. If e-mail wrappers come to pass, they could cut down on inbound AV scanning between trusting enterprises and put a dent in spam.
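The exchange described above, as an added example in Go; it is not part of the article, and since the reader's proposal names no algorithms, Ed25519 for both signatures and AES-GCM for the encryption are this example's choices, as are the JSON envelope layout, the example.com and rogue.example domains and the alice and bob addresses. It assumes the two gateways already share a symmetric key and that the receiving gateway holds a list of trusted domains with their corporate public keys and can look up a sender's signing key by address, all established when the trust relationship is set up. The AV scan is deliberately left outside Wrap: a wrapper should only ever be produced for mail the sending gateway's scanner passed. The scenarios show what happens when the wrapper is altered in transit and when it arrives from a domain with no trust relationship.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Message is what the user composes; Attachment is the file name.
type Message struct {
	From, To, Subject, Attachment string
	Content                       []byte
}

type Inner struct{ Msg, UserSig []byte } // encoded message + sender's signature over those exact bytes

// Wrapper is the corporate-signed package the receiving gateway sees.
type Wrapper struct {
	Domain                     string
	Nonce, Ciphertext, CorpSig []byte
}

// signed returns the bytes the corporate key vouches for.
func (w *Wrapper) signed() []byte {
	return append(append([]byte(w.Domain+"\x00"), w.Nonce...), w.Ciphertext...)
}

// gcmFor builds the AEAD for the key the two gateways share (assumed agreed
// when the trust relationship was set up); a wrong key size is a deployment error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Wrap is the sending gateway: sign with the user's key, encrypt under the
// gateway key, then sign the whole package with the corporate key. The domain
// is bound in as AEAD associated data as well as being signed.
func Wrap(m Message, userPriv, corpPriv ed25519.PrivateKey, domain string, gwKey []byte) *Wrapper {
	msgBytes, _ := json.Marshal(m)
	inner, _ := json.Marshal(Inner{Msg: msgBytes, UserSig: ed25519.Sign(userPriv, msgBytes)})
	gcm := gcmFor(gwKey)
	w := &Wrapper{Domain: domain, Nonce: make([]byte, gcm.NonceSize())}
	rand.Read(w.Nonce) // crypto/rand never returns a short read
	w.Ciphertext = gcm.Seal(nil, w.Nonce, inner, []byte(domain))
	w.CorpSig = ed25519.Sign(corpPriv, w.signed())
	return w
}

// Unwrap is the receiving gateway: the corporate signature is checked against
// the trusted-domain list before anything is decrypted, then the sender's own
// signature is checked against a key directory keyed by address.
func Unwrap(w *Wrapper, trusted, users map[string]ed25519.PublicKey, gwKey []byte) (*Message, error) {
	corpPub, ok := trusted[w.Domain]
	if !ok {
		return nil, fmt.Errorf("no trust relationship with %s", w.Domain)
	}
	if !ed25519.Verify(corpPub, w.signed(), w.CorpSig) {
		return nil, fmt.Errorf("corporate signature invalid")
	}
	innerBytes, err := gcmFor(gwKey).Open(nil, w.Nonce, w.Ciphertext, []byte(w.Domain))
	if err != nil {
		return nil, fmt.Errorf("ciphertext tampered or wrong gateway key")
	}
	in, m := Inner{}, Message{}
	if json.Unmarshal(innerBytes, &in) != nil || json.Unmarshal(in.Msg, &m) != nil {
		return nil, fmt.Errorf("malformed inner message")
	}
	if pub, ok := users[m.From]; !ok || !ed25519.Verify(pub, in.Msg, in.UserSig) {
		return nil, fmt.Errorf("sender %s not verified", m.From)
	}
	return &m, nil
}

// Scenarios runs the exchange with keys generated on the spot (constructed, not
// an enterprise PKI) and returns each case's error; nil means accepted.
func Scenarios() map[string]error {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	corpPub, corpPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	gwKey := make([]byte, 32)
	rand.Read(gwKey)
	trusted := map[string]ed25519.PublicKey{"example.com": corpPub}
	users := map[string]ed25519.PublicKey{"alice@example.com": userPub}
	msg := Message{From: "alice@example.com", To: "bob@partner.example", Subject: "Q3 report", Attachment: "q3.pdf", Content: []byte("%PDF-1.4 sample")}
	res := map[string]error{}
	w := Wrap(msg, userPriv, corpPriv, "example.com", gwKey)
	_, res["good"] = Unwrap(w, trusted, users, gwKey)
	w.Ciphertext[0] ^= 1 // altered in transit: the corporate signature catches it
	_, res["tampered"] = Unwrap(w, trusted, users, gwKey)
	rogue := Wrap(msg, userPriv, roguePriv, "rogue.example", gwKey) // no relationship
	_, res["untrusted"] = Unwrap(rogue, trusted, users, gwKey)
	return res
}

func main() { fmt.Println(Scenarios()) }
```

The verification order is the point: the corporate signature is checked before any decryption or parsing, so a forged or altered wrapper is rejected before the receiving side spends key material or parser effort on it, and binding the domain into the ciphertext's associated data means an intercepted package cannot be relabelled as coming from some other trusted domain.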
Real-time Security Awareness Tool
How often do you send an urgent e-mail warning against opening strange attachments, and yet some hapless user opens one anyway? We can put up all the firewalls we want, write policy after policy, and impose controls and rules, but ultimately our security is at the mercy of naive users who rarely realize the implications of their actions.
What many security practitioners wish for is an intelligent rules engine that can recognize risky or prohibited activity and pop up a dialog box that either confirms the user's intended action or blocks it entirely. For a greater degree of control, the system could send a message to a security manager requesting a policy exception, such as the one-time right to send a .vbs script by e-mail.
Users want the system to generate reports on policy violations and warnings; it would help managers identify topics for security awareness training and identify users that cause frequent security problems.
We already have the foundation for this in several applications, such as the warning box that pops up when opening an e-mail attachment. Verdasys' Digital Guardian and other DRM vendors provide warnings and logging for misuse of content and digital media. What security managers want is a system that's mapped to security policies and can apply those rules to nearly all user actions.
Software Deinstallation Manager
Software management and installation controls are often all-or-nothing propositions. You can lock down devices and desktops, preventing users from installing unauthorized applications, and you can use Active Directory, SMS and other tools to install applications by group across an enterprise. What's missing is a tool that can push new software to specific devices and then remove it once it's no longer needed.
In an enterprise with locked-down configurations, the system would allow a user to request software, have the request reviewed and approved, and then initiate the installation process.
Security managers also want the power to back out of application installations. If the user only needs a piece of software for a specific period of time, this system would know when to uninstall the app, including .dll files, registry entries and other system directory components.
A True One-Stop Shop
It's still a best-of-breed world, but security managers wish for the day when they can go to a single vendor to get what they need.
Every year, the security market goes through a round of consolidations, where large IT and security vendors snap up the smaller boutique shops to fill out their product catalog or capitalize on their technology. Despite the rapid expansion of product lines by Symantec, McAfee, Cisco Systems and others, most enterprises still go to multiple IT and security vendors to get the technologies and products they need to operate and secure their infrastructures.
Reliable Security Statistics and Metrics
Statistics and metrics will be the buzzwords of 2005 and beyond. Security managers need to quantify risk and measure effectiveness to refine their security programs and prove they're working.
But how do you measure security and risk, and how do you compare your enterprise's security performance and risk mitigation to other enterprises'? How do you demonstrate that compliance requirements are met? Readers express a need for different kinds of metrics, baselines and guidelines across the board. Here's a sampling of what they wish for:
- Accurate baseline statistics on security incidents. Enterprises and law enforcement hold this information too close to the vest. Security managers want reliable numbers of breaches for different sized enterprises and verticals, the level of sophistication of attackers (script-kiddies vs. skilled hackers), and the cost of damages and recovery.
- Risk analysis and forecasting models. Security managers want an effective way to turn security intelligence gleaned from internal and external sources into predictions of future threats. This would help enterprises prepare for and respond to attacks, and develop new mitigation strategies.
- Proof security policies work. You deploy all sorts of technologies and policies; you need metrics that demonstrate that the precautions and restrictions imposed by security are both necessary and beneficial.
Identity Management Tracking
Enterprise databases and directories hold an extensive amount of data on users' profiles and roles. What they don't have is a tool that normalizes that information across different identity management systems, and tracks how identity information changes over time.
Readers wish for a utility that captures this information at the time an identity is created and can compare the current profile to previous versions. They want an audit trail of what changes were made, by whom, when and why. Readers say this is essential for justifying the cost of identity management and ensuring regulatory compliance.
By setting a standard for what a user profile should look like and keeping a mechanism for how profiles change over time, enterprises could better ensure the integrity of their identity management scheme. Tie this concept to a certification scheme, and you'll have the groundwork for single sign-on, validated e-mail and other useful security measures.
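An added example in Go of the versioned profile and audit trail described above; it is not the article's code or any vendor's. It assumes a fixed schema of four attributes, that every write states a reason, and a constructed history for one user (the id u1001, the HRIS and Active Directory source names, the ticket number and the dates are all made up). Two details a practitioner would want are shown: the diff is computed when the version is written, so the trail cannot drift from the data, and a sync that changes nothing does not create a version.

```go
package main

import (
	"fmt"
	"time"
)

// Profile is the normalized identity record every source system is reduced to.
type Profile map[string]string

// Schema is the standard every normalized profile must meet.
var Schema = []string{"id", "email", "department", "roles"}

// Validate enforces the schema before a version is recorded.
func Validate(p Profile) error {
	for _, k := range Schema {
		if p[k] == "" {
			return fmt.Errorf("profile missing required attribute %q", k)
		}
	}
	return nil
}

// Change is one attribute-level difference between two versions.
type Change struct{ Attr, Old, New string }

// Diff returns the attribute changes from a to b, in schema order.
func Diff(a, b Profile) []Change {
	var out []Change
	for _, k := range Schema {
		if a[k] != b[k] {
			out = append(out, Change{k, a[k], b[k]})
		}
	}
	return out
}

// Version is one recorded state plus the audit facts: who, when, why, which source.
type Version struct {
	Seq                   int
	At                    time.Time
	Actor, Source, Reason string
	Profile               Profile
	Changes               []Change
}

// History is the versioned record for one identity.
type History struct {
	ID       string
	Versions []Version
}

// Record validates p and appends it as a new version, computing the diff at
// write time so the trail never has to be reconstructed; a no-op write is skipped.
func (h *History) Record(p Profile, actor, source, reason string, at time.Time) error {
	if err := Validate(p); err != nil {
		return err
	}
	if reason == "" {
		return fmt.Errorf("a change with no stated reason is not auditable")
	}
	v := Version{Seq: len(h.Versions) + 1, At: at, Actor: actor, Source: source, Reason: reason, Profile: p}
	if n := len(h.Versions); n > 0 {
		if v.Changes = Diff(h.Versions[n-1].Profile, p); len(v.Changes) == 0 {
			return nil
		}
	}
	h.Versions = append(h.Versions, v)
	return nil
}

// CompareTo returns what has changed between version seq and the current one.
func (h *History) CompareTo(seq int) ([]Change, error) {
	if seq < 1 || seq > len(h.Versions) {
		return nil, fmt.Errorf("no version %d", seq)
	}
	return Diff(h.Versions[seq-1].Profile, h.Versions[len(h.Versions)-1].Profile), nil
}

// Sample builds a constructed history: an HR-sourced creation, a transfer, a
// no-op sync, and a privilege grant made directly in the directory.
func Sample() *History {
	h := &History{ID: "u1001"}
	day := func(d int) time.Time { return time.Date(2005, 3, d, 9, 0, 0, 0, time.UTC) }
	base := Profile{"id": "u1001", "email": "jdoe@example.com", "department": "Finance", "roles": "user"}
	h.Record(base, "hr-feed", "HRIS", "new hire", day(1))
	moved := Profile{"id": "u1001", "email": "jdoe@example.com", "department": "Treasury", "roles": "user"}
	h.Record(moved, "hr-feed", "HRIS", "transfer", day(15))
	h.Record(moved, "hr-feed", "HRIS", "nightly sync", day(16)) // no change: not recorded
	granted := Profile{"id": "u1001", "email": "jdoe@example.com", "department": "Treasury", "roles": "user,payments-admin"}
	h.Record(granted, "asmith", "ActiveDirectory", "ticket 4471: payment approvals", day(20))
	return h
}

func main() {
	for _, v := range Sample().Versions {
		fmt.Printf("v%d %s %-8s %-16s %-32s %v\n", v.Seq, v.At.Format("2006-01-02"), v.Actor, v.Source, v.Reason, v.Changes)
	}
}
```

With the trail built this way, the auditor's question "who gave this account payments-admin, when and on what authority?" is answered by scanning Versions for a change to roles, and the compliance question "how does this profile differ from the one HR created?" is CompareTo(1).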
Wishes Do Come True
Surprisingly, we got a lot of submissions for things that already exist, and perhaps some solutions are already in product development projects. Which of these wishes will come true? That will likely depend on necessity.
Security wizards are dreaming up new approaches and technologies all the time. They'll find new uses for existing technologies, such as using security information management systems as forensics tools, or combine new technologies with existing product sets, such as adding SSL VPNs to firewalls. But real innovation will come from those who devise the next revolutionary idea, just as Whit Diffie and Martin Hellman did when they devised the first public-key exchange.
What effects change and innovation is consumers--the enterprise security managers--conveying their needs to vendors, and startup companies acting as the incubators of new technology. We'll be watching to see if any of these wishes do come true and what other necessities arise.