WHO IS IN CONTROL?
Some of the panelists remarked on the tension between the desirability—if not necessity—of letting outsiders preserve a system's security and the discomfort of surrendering complete control over that system.
DIFFIE: The fundamental business fact is that we, the manufacturers, are much too interested in having control of our customers’ software and remote updating. Basically, that builds instability into the system. Your desire to have genuine control of your own computers, whether you are an individual user or a corporation, is up against that of manufacturers, who are in a much better negotiating positions. And they are not really interested in your having a secure system.
GILLILAND: The interesting challenge to what you just said, though, is that much of the reason behind why companies like ours get access to computers is because the market changes so much. Take the example of spam, which Rahul talked about. Spam attacks happen and then are over in a matter of hours now. Hours and minutes, right?
To help a company deal with that, you need to be able to send it data to enhance its security. Sometimes it’s just a virus signature. Sometimes it is a code change to the software framework, because new spam works in a different way. Image spam is a great example. New code was needed to help companies fight off that kind of spam attack. Companies are asking us to be faster in responding: “Help me lower the cost of administration; help me lower the management.” So this goes back to your point about outsourcing.
DIFFIE: Oh, I didn’t say there wasn’t a demand for it.
LIPNER: One of the things that has made a significant impact in reducing the sort of widescale, spreading attacks we saw in, say, 2001 is that customers used to apply their security patches 60 days after they were released, or 90 days, or not at all. Today most consumers have automatic updating enabled and are getting the updates installed. Enabling that change required process changes on our part as well as the customers’, because if people are going to rely on you and update that fast, you want to be darn sure you don’t accidentally break them.
Kaiser Permanente can certainly do security analysis and apply compensating controls and otherwise protect its systems without updating them from the outside if it chooses to do so. But a lot of users would rather rely on somebody else. I’d rather rely on the vendors to update my software because they know the software and how it can be attacked and what it should do.