
Toward Better Corporate Security

One of the topics touched upon briefly this week was how we might approach securing a nation’s corporate sector against cyber attacks, whether from foreign powers or organized crime. For the purposes of a simpler discussion, let’s assume that the corporations in question reside entirely within our nation (call it the U.S.). In the physical world, U.S. corporations rely on the U.S. military to protect the nation’s borders against foreign incursions, on the National Guard and local police to protect their property and maintain peace and order, and on their own contracted security personnel for day-to-day security precautions (e.g., to ensure that only authorized people enter the corporate facilities). What’s the equivalent in cyberspace?

Well, one thing to notice is that the training and the capabilities of the different forces in the physical world decrease in sophistication as you go from the highly trained U.S. military forces down to your run-of-the-mill security guard. You could ask the U.S. military to cover your company’s day-to-day security precautions, but it wouldn’t be a good use of the skilled people in the military. Plus, as was mentioned on Monday, corporations probably don’t want the U.S. military tromping around their site. It seems wrong to Americans that the U.S. government would display that much of a show of force within the country’s borders. In cyberspace, the situation is even worse, because you can’t just post guards at the door and around the property. Anti-virus software, for example, works only because it is allowed to scan everything on your system, and to do that it runs with privileges approaching those of the operating system kernel itself (most products install kernel-mode components of their own). A guard with that much access can open every drawer, and I bet most companies would not want the U.S. military looking through every one of their drawers and files.

If we can’t rely on the sophisticated expertise of the U.S. military’s cyber division, what should one do? Well, I founded a software security company back in 2001 with this mission, and I thought I’d show you some of what I wrote 15 years ago on this question. This was a trip down memory lane for me. I hope you enjoy reading it (unedited), even if it is far from perfect.

**** Our [company’s] beliefs and philosophies

  1. Our business focus is enterprise security. This security focus encompasses the protection of all sensitive digital documents within the enterprise as well as the operation of the enterprise’s distributed computing infrastructure. It does __not__ include protection of digitally-based products (e.g. music files) sold, rented, or otherwise involved in a financial transaction by the enterprise to consumers or other corporations. Though our technology can be used for such purposes, the balance between security and ease of use differs in these two market opportunities.
  2. We are interested in averting strategic disruption (i.e., loss of strategic information) as well as operational disruption (i.e., loss of some or all of the capabilities of the enterprise’s computing infrastructure), i.e., disruption that occurs through the unintentional misuse or even malicious use of corporate information or resources. We are __not__ directly addressing the wide range of illegal activities associated with digital commerce.
  3. We believe that security is dynamic. The security concerns that enterprises have will change over time, and thus our security solution must be flexible and extensible to adapt to these changes. The perceived importance of a security threat and the willingness of the enterprise and its employees to change their behavior to protect the enterprise and themselves against particular threats varies, and thus our security solution must support this variability directly.
  4. It is very difficult for an enterprise to quantify how much it should spend on security, and thus enterprises typically purchase a security product only if it is known to be a “best practice.” To become a best practice, a security product must be widely deployed. How does a security product become widely deployed if it is difficult to quantify the benefit of security? The answer, as demonstrated by other successful security products like anti-virus solutions and VPNs, is to provide a meaningful level of security while simultaneously being easy to deploy and essentially transparent to the enterprise user. These three axes work together to define what we call the Security Success Triangle (SST). In our business space, the SST says that we must avoid operational disruption due to the deployment or use of our security solution, since operational disruption is one of the two reasons why the enterprise is purchasing our solution in the first place.
  5. Once we have become a best practice, the SST says that we can increase the amount of meaningful security our solution provides. Besides the powerful and profitable business models that this enables, this observation again reinforces the need for our approach to be flexible and extensible.
  6. A focus on ease of deployment and usability also implies that our security solution must not be tightly coupled to the rest of the enterprise’s computing infrastructure, except when the security solution is enforcing the security policies of the enterprise. In other words, our security solution should be tightly coupled to the enterprise’s applications when those applications are running, but it should be only loosely coupled to the application infrastructure for purposes of maintenance and upgrades, etc. Note that this coupling eases the maintaining and upgrading of both the security infrastructure as well as the application infrastructure.
  7. The best way to obtain a security solution that is easy to deploy and transparent to the end user is to implement the security solution in such a manner that it is possible and straightforward to understand the user’s intentions and to be able to differentiate between normal and abnormal behavior. Security solutions that are implemented far from the end user and deep in the lower layers of the computing infrastructure cannot achieve the level of understanding and differentiation that we desire. Thus, we are driven to an approach to enterprise security that can track and affect the operations performed within applications. (Say something stronger about the need to avoid false positives and user dialog boxes?)
  8. Our business is focused on the distributed computing infrastructure in today’s enterprises, e.g., devices like personal computers, laptops, and PDAs. This infrastructure is not well covered by today’s security solutions, especially when it is not clear who owns or has the right to configure (or even understands how to configure) the device. Personal computing devices are just that–something that employees would like to use for both personal as well as corporate computing. Our security solution must support the often-conflicting needs and requirements created by these two worlds. It is not a viable solution to force the user to work with two separate sets of applications.
  9. Since our business focus is on the enterprise’s distributed computing infrastructure, our approach must support a wide variety of platforms. We cannot rely on special hooks that are unique to one application or computing platform. Also, we must minimize the work necessary to port our infrastructure to new platforms.

There it is. It is missing one thing that the company learned only as the business grew: the ability to determine, after the fact, what went wrong. Customers definitely wanted an audit trail of who accessed which files, when, and under what entitlement, so that when a file’s security was breached you could replay the operations associated with that file and determine where your (supposedly correct) security policy, or its enforcement, had failed.
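What that review looks like in practice, as an added example that is not the company’s code: the script below replays a constructed audit trail (one JSON record per line, in a format assumed for this example) against an assumed file policy and an assumed starting group table. It tracks grants and group membership as they change over the log window, so that each access to the file can be classified as allowed by the policy as written, allowed only because an entitlement changed mid-stream (a policy failure: the change was recorded and may have been approved, but it was wrong), or never allowed at all (an enforcement failure). The file name, users, groups and timestamps are all made up.

```python
"""Replay an audit trail for one file and classify every access.

Added example, not the company's code.  The policy, the group table and
the log records below are constructed for illustration.
"""
import json

# Assumed policy: which principals the enterprise intended to allow.
FILE_POLICY = {"/finance/q1-forecast.xls": {"group:finance"}}
# Assumed group membership at the start of the log window.
INITIAL_GROUPS = {"finance": {"alice", "bob", "carol"}}

# Constructed audit records, one JSON object per line.
AUDIT_LOG = """\
{"ts": "2001-03-02T09:05:10Z", "actor": "bob", "op": "read", "file": "/finance/q1-forecast.xls"}
{"ts": "2001-03-02T09:07:45Z", "actor": "carol", "op": "read", "file": "/finance/q1-forecast.xls"}
{"ts": "2001-03-02T10:12:00Z", "actor": "admin", "op": "member-add", "group": "finance", "principal": "dave"}
{"ts": "2001-03-02T10:15:30Z", "actor": "dave", "op": "read", "file": "/finance/q1-forecast.xls"}
{"ts": "2001-03-02T10:16:02Z", "actor": "dave", "op": "copy", "file": "/finance/q1-forecast.xls", "dest": "/tmp/f.xls"}
{"ts": "2001-03-02T10:30:00Z", "actor": "admin", "op": "member-remove", "group": "finance", "principal": "dave"}
{"ts": "2001-03-02T10:40:00Z", "actor": "dave", "op": "read", "file": "/finance/q1-forecast.xls"}
{"ts": "2001-03-02T11:00:00Z", "actor": "erin", "op": "read", "file": "/finance/q1-forecast.xls"}
"""

DATA_OPS = {"read", "write", "copy", "delete"}


def parse_log(text):
    """One JSON record per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def entitlement(actor, allowed, groups):
    """Return the policy entry that admits actor, or None if nothing does."""
    if f"user:{actor}" in allowed:
        return f"user:{actor}"
    for entry in sorted(allowed):
        if entry.startswith("group:") and actor in groups.get(entry[6:], ()):
            return entry
    return None


def replay(records, file_path, policy=None, initial_groups=None):
    """Walk the trail in order, keeping the entitlement state as it stood at
    each moment, and classify every data operation on file_path."""
    allowed = set((policy or FILE_POLICY).get(file_path, ()))
    groups = {g: set(m) for g, m in (initial_groups or INITIAL_GROUPS).items()}
    membership_changes = {}  # (group, principal) -> record that added them
    findings = []
    for r in records:
        op = r["op"]
        if op == "member-add":
            groups.setdefault(r["group"], set()).add(r["principal"])
            membership_changes[(r["group"], r["principal"])] = r
        elif op == "member-remove":
            groups.get(r["group"], set()).discard(r["principal"])
            membership_changes.pop((r["group"], r["principal"]), None)
        elif r.get("file") == file_path and op == "grant":
            allowed.add(r["principal"])
        elif r.get("file") == file_path and op == "revoke":
            allowed.discard(r["principal"])
        elif r.get("file") == file_path and op in DATA_OPS:
            via = entitlement(r["actor"], allowed, groups)
            if via is None:
                # Policy never admitted this actor: the enforcement point failed.
                verdict = "ENFORCEMENT-FAILURE"
            elif via.startswith("group:") and (via[6:], r["actor"]) in membership_changes:
                # Admitted only because of a change inside the window: cite it.
                change = membership_changes[(via[6:], r["actor"])]
                verdict = (f"ALLOWED-BY-CHANGE ({change['actor']} added "
                           f"{r['actor']} to {via} at {change['ts']})")
            else:
                verdict = "ALLOWED"
            findings.append({"ts": r["ts"], "actor": r["actor"], "op": op,
                             "via": via, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in replay(parse_log(AUDIT_LOG), "/finance/q1-forecast.xls"):
        print(f"{f['ts']}  {f['actor']:<6} {f['op']:<5} {f['verdict']}")
```

Two things the trail must have for this to work: it has to record entitlement changes (grants, revocations, group membership) alongside the data accesses, or the “allowed by change” verdicts cannot be produced and a legitimate-looking read by dave is indistinguishable from a break-in; and it has to be append-only and protected from the principals it records, since an attacker who can edit the log can erase the very change that let them in.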
