Can someone please do some basic security products?
09:00 Monday, 21 June 2021
UK Cyber Security Council
Security technology – just like mainstream information technology – is becoming more and more complex. Hardware is becoming faster thanks to billions spent on R&D and manufacturing, and this is enabling software to become more and more clever. Number-crunching Machine Learning (ML) and Artificial Intelligence (AI) software is now a reality because processor hardware is faster and we continually make it possible to cram more and more storage into systems without making them physically bigger.
Today’s security technology is, in short, incredible and brilliant. But this brings a problem: nobody makes boring, simple stuff.
Yes, I want really clever technology. In fact, in my day job I’m about to roll out a new cloud-based ML security package, and it’s going to bring immense value. But there are simple things for which there just seems to be no easy answer.
Imagine you have a server that holds sensitive data that you want to track for GDPR reasons. Wouldn’t it be great if you could run a report on who’s accessed that file in a time period you specify? Yes, it would, but there’s nothing I can find that will easily do this.
If we can’t see who’s accessed the files, perhaps the next best would be to see whose permissions are configured such that they can access them. Yes, but that’s not easy either: the average Windows user can right-click on a file and check out the security properties but all they get is a list of usernames and groups who have access, and they can’t drill into those groups to see which users are in there.
A system management tool I’ve been working with recently can do all manner of clever things like remote-controlling users’ PCs and deploying software and patches to them. It’s a very popular package, and works well … but if I want to export a complete list of the devices under management into something like a comma-separated (CSV) file, it doesn’t have that option so I have to manually highlight and copy the screen contents and paste them into Excel.
Most IT managers have collections of applications that authenticate in different ways: some use Active Directory, others have their own internal user database. Surely thousands of companies would like to have a funky little system that can dip into all the apps and report on which user IDs have access with what permissions … yet nobody’s made a tool that will do this for us.
Why? What on earth is wrong with doing something simple? I’m delighted that software vendors are spending probably £5million a year on research so they can sell me devilishly clever ML-based security tools for a hundred quid a seat. But I think that alongside all this high-tech stuff, they (or others) could also be spending sub-£1million a year to write simple stuff that does mundane, straightforward tasks that they could flog to me for fifty quid a seat. Half the sale price for something that’s 80% cheaper to make? Why wouldn’t you?
Maybe the commercial software vendors are working on the premise that if something’s so easy to write, maybe the Open Source or ShareWare community is likely to write it and so if they were to make a commercial offering, it wouldn’t sell alongside the free alternatives. If they think that, though, it would appear that they’re wrong because I just can’t see the low-tech, boring wood for the high-tech, trendy-concept-laden trees.
Software vendors: please carry on pushing the boundaries and producing applications that push the boundaries and do things that would, just a few years, have seemed impossible. But I exhort you to go an extra step and add a category to the “Products” section of your web sites labelled: “Boring, mundane gems”. Go and talk to your customers and ask them: what idiotic manual work are you doing because nobody’s ever written an application that will do it more automatically for you?
Because I bet you’ll be surprised by the high number and low complexity of the answers.