Doomed from the start

At Digital ID World we get used to telling the story of identity in the form we like best - talking about all the truly astounding value, capabilities and business models that will be enabled once the internet becomes identity based (where identity here is defined as far more subtly and richly conceived than just authentication and access control.) Every so often, however, we are brought back to earth by the realization of just how much damage the current identity deficit is doing in the global internet. This morning Eric called my attention to Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. Some quotes from it provide the gist of what it says very well, and in great detail.

"It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. The security community is not just failing in one specific way - it is failing across multiple categories. It is being out innovated. ... We tolerate it because we are used to it."

At the same time, after you read this article, you realize that while the author clearly sees the failures of current approaches, the only thing he really knows to say about how to improve things is that we should do more of the same, but work harder, do it better, and innovate more. Folks, this is what things look like when a failed paradigm meets its match in the real world. If this were a boxing match, they'd stop the fight on a TKO. The only answer is to adopt new ways of modeling and understanding the problem set to develop ways to fight back.

A big clue to why current security approaches were doomed from the start is found in the sports cliché that no game is ever won by defense alone. The best a perfect defense can accomplish is a 0-0 tie, and eventually this will break down under sustained pressure from the other side. Slowly this is dawning on the security industry.

One of the stronger clues that we are in the "end stages" of computer security conceived as we currently know it was when Symantec's CEO John Thompson said, "Security no longer describes what this company does." He doesn't want his company too tightly tied to this ship when it starts sinking in a business sense, and I suspect we'll see several other 'security companies' following suit later this year.

So how can security *win* its game of protecting networked computing and those who use it from threats that will never cease? To win, a way must be found to go on the offense, not just respond to each new symptom as it pops up. When the strategy used to protect things is shown a failure, winning requires changing the rules of the game. And that's where identity comes in.

It's no surprise here that the above statement from Symantec's CEO that they weren't really in the security business any more was followed in less than three weeks by a statement from him that identity management "is an area of great interest to our company." We are seeing this shift to identity based techniques occurring across the security industry, as only identity provides a direct way to secure applications and data in networked computing."

It is difficult to accept that the methods people have devoted themselves to mastering aren't the right ones to solve the problem. But to progress, we must occasionally do so. We are at such a moment now in networked computing. As a result, the evolution towards methods that view the network from identity first is rapidly gaining momentum.

As the hard work and innovation continue in the identity space, the author of the above article will be shown correct - though maybe not in the ways he imagined. Security problems will then start to get solved in more permanent, systematic, and self-damping ways. But, as we like to point out, security won't be the biggest benefit of identity.

Update: The author of the article Security Absurdity, Noam Eppel, has emailed me and posted as a comment here that "The article states that, 'Part Two of this article will contain a list of what we must do to address our current failure.' So it is not correct to state that the article left readers with no answers."  I look forward to reading part two, to see what he feels the answers are.