Imagine that each of us would need a tank to safely drive on the road. We would be well protected from any obstacles that could come our way, but at the expense of speed, agility, and cost. We could also blow each other up, forcing us to buy bigger and better tanks all of the time to retain a consistent state of security. That's the kind of environment that companies face when using the Internet. Rather than being able to invest in economical transport, each has to regularly procure stronger individual protection to defend themselves. What went wrong?
When we drive an automobile, motorcycle, truck, or other vehicle, we can safely assume that there are common standards that govern the road and a basic set of rules that promote a common, predictable behavior. While specifics may vary around the world, the basics remain the same and help ensure that the roads are safe for private use, to conduct commercial activities, and to move people consistently over great distances. We trust the infrastructure and (generally) trust others to all abide by common rules of use. Unfortunately, we are so far failing to realize the same success for instilling trust in the Internet infrastructure.
According to Wikipedia, the basis for the road infrastructure trust developed rapidly. Laws requiring that drivers be tested to receive a license to drive began in the United States during the 1910s. The installation of the first electronic traffic signals and stop signs came shortly thereafter. Given that Henry Ford hadn't even begun mass producing the Model T until 1914, history shows that societies around the world recognized the need for establishing consistent road behavior before automobiles became too prominent. By the 1950s, consistent standards and behaviors resulted in a fairly trustworthy infrastructure and nations had begun establishing safety standards for the vehicles that used it.
Assuming that the founding of the first Internet Service Providers (ISPs) around 1990 represents the Model-T moment for the Internet infrastructure, then I submit that in over 20 years we've missed every key milestone in developing a trustworthy infrastructure, milestones that the road infrastructure achieved in less than 10 years. What's worse is that we aren't even close to achieving any of the major milestones.
Here's a brief look at each of the key functions that I argue we need to meet to establish a trustworthy Internet infrastructure.
"Trust but verify" represents a basic tenet of security. In any system that includes independent elements, the system is most effective when you allow the elements to function as they need but then apply a standard set of instructions that will characterize their interactions with other functions in the system. Those instructions provide the basis for monitoring, identifying, and responding to abnormal or damaging actions.
But that basic security tenet functions best when applied at the core system level. In the case of the Internet, the core infrastructure is managed by private organizations, a stark contrast with the road infrastructure, which is primarily under public management. As such, the security focus naturally shifts from protecting the community to protecting the organization that serves the community. Unless subscribers demand that the organization serving them provide the basic trust functions I describe above (and are willing to pay for it), subscribers will continue to employ less effective and more costly individual measures to protect themselves.
Organizations need better advice than the standard industry refrain of "spend more to stay the same (or get less)." Innovative solutions such as cloud services provide a means for organizations to pool their resources, implement more effective data protection solutions, and focus critical funding on building their business rather than protecting it. InfusionPoints believes that organizations can break the infinite spend cycle and do more with less. They just need the right partner that cares more about the organization than about how much it's willing to pay.
If you would like to comment on this or any of my other postings, you may look for it on Google+ or on LinkedIn and comment there. This helps counter spam and promotes intelligent discourse over anonymous rantings.
We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employees', partners', and customers' data.