The fundamental basis for any kind of relationship is trust: the difficulty lies in attaining it.
Trustworthy computing is a heavy concept, one that is far from becoming a reoccurring reality. There are network security breaches happening every day. Fears of Internet fraud have become so pervasive that e-commerce has been slow to fully realize its potential. Computer viruses have become so commonplace that people who don't even use the World Wide Web with any frequency understand that these types of bugs are usually exchanged via the Internet, not unwashed hands or sneeze-filled air.
In other words, safeguarding the Internet and all the beneficiaries on it is tremendously difficult, given the tons of obstacles to overcome. Yet, despite this, guardians of IT security are making attempts to make trustworthy security something we take for granted - not something for which we longingly pine away.
But how can you go about securing that which is fundamentally insecure? The Internet was constructed on the premise of fast and efficient information sharing; a secure computing environment wasn't necessarily a requirement. Had it been, had trust been considered from the outset, then you and I would be perusing want ads, rather than this newsletter. Instead, here we are not wanting for job security, because addressing the problem of protecting an environment after it has already long been established takes a bit of time, dedication, training and resources, to say the least.
All of these requirements - time, dedication, resources and training - are scarce commodities in the world of IT. Yet players that once seemed indifferent to the issue are now moving forward with all kinds of initiatives, postulations and programs to try to address this. And, finally, it seems Microsoft is no different.
Using the phrase "trustworthy computing" in one of their recently released white papers, Microsoft - a once seemingly aloof, almost Houdini-like company when infosecurity sprang up as a topic of discussion - is making attempts to evangelize the word of security. Noting the subject as covering a "whole range of advances that have to be made for people to be ... comfortable ... using devices powered by computers and software," they contend that the IT security world has to raise the bar to get the public to fully depend on the Internet.
First off, without showing any disrespect in exchange for a little irreverence, where were these guys when they came to corner the great world of IT in the business community? And, secondly, to where should the bar be raised, and how exactly?
In taking into account the sheer enormity of any network environment, one must consider application, network, server, mobile and physical protection, in addition to the ongoing management of all this. One must address insider threat, as well as that posed by the typical outsider. Security, in other words, is no small task and certainly can't be resolved by one vendor or service provider. It's a challenge that must be met with help from all fronts, meaning that users, developers, system integrators, government officials, corporate entities and others will need to be involved in sharing information.
Through such sharing, the hope would be that an understanding of the issues would be reached. Instead of just band-aiding everything in sight, organizations' managers would understand that they need a more cohesive, thoughtful approach. They would understand the wide breadth of the many vulnerabilities that plague them and their various forms of Internet communications and information sharing. They would get the message that a strong security infrastructure takes a whole lot more than money, Dan Geer, CTO of @stake, notes, explaining that IT security is an ongoing business endeavor based, yet again, on trust.
Indeed, the expectation corporate organizations have for consumers to use the Internet more frequently for e-commerce all hinges on this concept of trust. In the same way, cooperation among divergent groups, as well as managers within the confines of a company, will require trust as a cornerstone of the overall security picture. Once that comes to pass there's no telling what kind of information corporations will have at their fingertips to help solve the information security problem. And maybe then, trustworthy computing won't seem such a heavy, overwhelming and impossible-to-reach concept after all.
Illena Armstrong is U.S. editor, SC Magazine (www.scmagazine.com).