We asked Bruce Schneier to preview his talk at the RSA Conference in San Francisco. This is what he said.
Power is transforming IT to meet their interests, and IT security is being transformed with it. Traditional security used to be the user’s responsibility. We managed our own networks and computers. We installed our own firewalls and anti-virus software. We purchased products — both hardware and software — and thus we owned them.
Two trends are changing this. The first is the cloud. Instead of our data being inside our computers and networks, they’re on someone else’s systems. E-mail, calendars, contacts, presentations, data files, social networking posts, sometimes our entire IT infrastructures: it’s all in the cloud. The second trend is the new vendor-controlled hardware platforms we love so much. Kindles, iPhones, and iPads are leading this trend; we have very little control over those platforms. But the new Windows and Macintosh operating systems are moving in the same directions.
Taken together, these trends mean we have less and less control over our security. We only have the security options our vendors allow us to have. Our control over that security is limited; even our visibility into the control those vendors have is often limited. We can either trust those vendors, or not use them. Gmail has essentially two security settings: Google’s way, or the highway. Facebook is no different, nor is Apple. If you don’t like how Apple secures your data on its iPads, don’t use it. It’s hard to find out what data Apple is collecting from your iPad, and even harder to find out what they’re doing with it.
It’s all about power. As these vendors become more powerful, they are more able to ignore users who want more security controls. In the past I’ve described this as feudal security: we get to choose what feudal lords we pledge allegiance to, and in return, we hope they’ll protect us.
This is today’s IT world, and it’s not going away. The question to ask is: as organizations how do we deal with it? And the answers aren’t pretty. First, decide who you’re trusting and who you’re not. You have no choice but to trust these companies, but you’ll be better off if you know who you’re trusting. Then, do your best to figure out if they’re trustworthy.
Second, the more boring you are, the better you are. In many of these trust relationships, you’re not even a customer of the company you’re trusting. You can be sold to a government or to an advertising company without notice or recourse. You can be shut off at any moment if you do something they don’t like. You’ll do best by not coming to their notice.
Third, fight for better rules. We’re so entranced by free markets and wary of government involvement that we don’t recognize market failures when we see them. The only way out of this situation is to change the rules so the companies we’re forced to trust have defined obligations and responsibilities as well as rights. This will be a long and bloody battle, and we’re not anywhere near ready for it. But prepare.
To listen to the podcast that RSA did with me about my talk, click here.
Bruce Schneier will speak on “Internet Security in the Age of Power” on Wednesday at 1:00 PM at RSA.
Visit BT on the RSA show floor at the Zscaler booth #639
- Tuesday 2/26, 12:20 – 12:50, Location: Bookstore
  Bruce Schneier book signing (Title: Liars and Outliers)
- Tuesday 2/26, 1:10 – 2:10, Room 134
  Track Session / Industry Experts – EXP-T17: Surviving in a Feudal Security World
  Speaker(s): Bruce Schneier – Chief Security Technology Officer, BT
  Feudalism is an apt model for security today. We pledge our allegiance to service providers, and expect them to provide us with security in return. Too often, this security is completely opaque, with results all over the map. Navigating this new world of feudal security is going to be the major challenge for CISOs in the current decade. This talk examines both the challenges and the solutions.
- Tue 11:–11:30 – Bruce Schneier book signings at the Zscaler/BT booth #639
- Wed 2/27, 12:00 – 1:00, Location: Security Theatre – Expo (Gateway 102/103/104)
  Track Session: MASH-W24 – Debate: Does Security Awareness Training Actually Improve Enterprise Security?
  Panel:
  Tim Wilson – Editor, Dark Reading
  Francis Brown – Managing Partner, Stach & Liu
  Bruce Schneier – Chief Security Technology Officer, BT
  Hord Tipton – Executive Director, (ISC)2
  Dave Aitel – Chief Executive Officer, Immunity, Inc.
  It has been an ongoing debate for years: time to settle it once and for all. On one side are experts who say that proper end user training is an essential element in end user security. On the other side are experts who say that end user training is a waste of time and the best solution is to implement technology and controls to protect users from themselves. Sponsored by Dark Reading.
- Wed 2/27, 1:10 – 1:40, Location: Bookstore
  Bruce Schneier book signing (Titles: Liars and Outliers / Cryptography Engineering / Schneier on Security / Beyond Fear / Applied Cryptography)
- Thu 1:30 – 2:30 – Bruce Schneier book signings at the Zscaler/BT booth #639