There's really no such thing as security in the abstract. Security can
only be defined in relation to something else. You're secure from
something or against something. In the next 10 years, the traditional
definition of IT security -- that it protects you from hackers,
criminals, and other bad guys -- will undergo a radical shift. Instead
of protecting you from the bad guys, it will increasingly protect
businesses and their business models from you.
Ten years ago, the big conceptual change in IT security was
*deperimeterization*. A wordlike grouping of 18 letters with both a
prefix and a suffix, it has to be the ugliest word our industry
invented. The concept, though -- the dissolution of the strict
boundaries between the internal and external network -- was both real
and important.
There's more deperimeterization today than there ever was. Customer and
partner access, guest access, outsourced e-mail, VPNs; to the extent
there is an organizational network boundary, it's so full of holes that
it's sometimes easier to pretend it isn't there. The most important
change, though, is conceptual. We used to think of a network as a
fortress, with the good guys on the inside and the bad guys on the
outside, and walls and gates and guards to ensure that only the good
guys got inside. Modern networks are more like cities, dynamic and
complex entities with many different boundaries within them. The access,
authorization, and trust relationships are even more complicated.
Today, two other conceptual changes matter. The first is
*consumerization*. Another ponderous invented word, it's the idea that
consumers get the cool new gadgets first, and demand to do their work on
them. Employees already have their laptops configured just the way they
like them, and they don't want another one just for getting through the
corporate VPN. They're already reading their mail on their BlackBerrys
or iPads. They already have a home computer, and it's cooler than the
standard issue IT department machine. Network administrators are
increasingly losing control over clients.
This trend will only increase. Consumer devices will become trendier,
cheaper, and more integrated; and younger people are already used to
using their own stuff on their school networks. It's a recapitulation of
the PC revolution. The centralized computer center concept was shaken by
people buying PCs to run VisiCalc; now it's iPads and Android smart phones.
The second conceptual change comes from cloud computing: our increasing
tendency to store our data elsewhere. Call it *decentralization*: our
email, photos, books, music, and documents are stored somewhere, and
accessible to us through our consumer devices. The younger you are, the
more you expect to get your digital stuff on the closest screen
available. This is an important trend, because it signals the end of the
hardware and operating system battles we've all lived with. Windows vs.
Mac doesn't matter when all you need is a web browser. Computers become
temporary; user backup becomes irrelevant. It's all out there somewhere
-- and users are increasingly losing control over their data.
During the next 10 years, three new conceptual changes will emerge, two
of which we can already see the beginnings of. The first I'll call
*deconcentration*. The general-purpose computer is dying and being
replaced by special-purpose devices. Some of them, like the iPhone, seem
general purpose but are strictly controlled by their providers. Others,
like Internet-enabled game machines or digital cameras, are truly
special purpose. In 10 years, most computers will be small, specialized,
and ubiquitous.
Even on what are ostensibly general-purpose devices, we're seeing more
special-purpose applications. Sure, you could use the iPhone's web
browser to access the *New York Times* website, but it's much easier to
use the NYT's special iPhone app. As computers become smaller and
cheaper, this trend will only continue. It'll be easier to use
special-purpose hardware and software. And companies, wanting more
control over their users' experience, will push this trend.
The second is *decustomerization* -- now I get to invent the really ugly
words -- the idea that we get more of our IT functionality without any
business relationship. We're all part of this trend: every search engine
gives away its services in exchange for the ability to advertise. It's
not just Google and Bing; most webmail and social networking sites offer
free basic service in exchange for advertising, possibly with premium
services for money. Most websites, even useful ones that take the place
of client software, are free; they are either run altruistically or to
facilitate advertising.
Soon it will be hardware. In 1999, Internet startup FreePC tried to make
money by giving away computers in exchange for the ability to monitor
users' surfing and purchasing habits. The company failed, but computers
have only gotten cheaper since then. It won't be long before giving away
netbooks in exchange for advertising will be a viable business. Or
giving away digital cameras. Already there are companies that give away
long-distance minutes in exchange for advertising. Free cell phones
aren't far off. Of course, not all IT hardware will be free. Some of the
new cool hardware will cost too much to be free, and there will always
be a need for concentrated computing power close to the user -- game
systems are an obvious example -- but those will be the exception. Where
the hardware costs too much to just give away, however, we'll see free
or highly subsidized hardware in exchange for locked-in service; that's
already the way cell phones are sold.
This is important because it destroys what's left of the normal business
relationship between IT companies and their users. We're not Google's
customers; we're Google's product that they sell to their customers.
It's a three-way relationship: us, the IT service provider, and the
advertiser or data buyer. And as these noncustomer IT relationships
proliferate, we'll see more IT companies treating us as products. If I
buy a Dell computer, then I'm obviously a Dell customer; but if I get a
Dell computer for free in exchange for access to my life, it's much less
obvious whom I'm entering a business relationship with. Facebook's
continual ratcheting down of user privacy in order to satisfy its actual
customers -- the advertisers -- and enhance its revenue is just a hint
of what's to come.
The third conceptual change I've termed *depersonization*: computing
that removes the user, either partially or entirely. Expect to see more
software agents: programs that do things on your behalf, such as
prioritize your email based on your observed preferences or send you
personalized sales announcements based on your past behavior. The
"people who liked this also liked" feature on many retail websites is
just the beginning. A website that alerts you if a plane ticket to your
favorite destination drops below a certain price is simplistic but
useful, and some sites already offer this functionality. Ten years won't
be enough time to solve the serious artificial intelligence problems
required to fully realize intelligent agents, but the agents of that
time will be both sophisticated and commonplace, and they'll need less
direct input from you.
Similarly, connecting objects to the Internet will soon be cheap enough
to be viable. There's already considerable research into
Internet-enabled medical devices, smart power grids that communicate
with smart phones, and networked automobiles. Nike sneakers can already
communicate with your iPhone. Your phone already tells the network where
you are. Internet-enabled appliances are already in limited use, but
soon they will be the norm. Businesses will acquire smart HVAC units,
smart elevators, and smart inventory systems. And, as short-range
communications -- like RFID and Bluetooth -- become cheaper, everything
becomes smart.
The "Internet of things" won't need you to communicate. The smart
appliances in your smart home will talk directly to the power company.
Your smart car will talk to road sensors and, eventually, other cars.
Your clothes will talk to your dry cleaner. Your phone will talk to
vending machines; they already do in some countries. The ramifications
of this are hard to imagine; it's likely to be weirder and less orderly
than the contemporary press describes it. But certainly smart objects
will be talking about you, and you probably won't have much control over
what they're saying.
One old trend: deperimeterization. Two current trends: consumerization
and decentralization. Three future trends: deconcentration,
decustomerization, and depersonization. That's IT in 2020 -- it's not
under your control, it's doing things without your knowledge and
consent, and it's not necessarily acting in your best interests. And
this is how things will be when they're working as they're intended to
work; I haven't even started talking about the bad guys yet.
That's because IT security in 2020 will be less about protecting you
from traditional bad guys, and more about protecting corporate business
models from you. Deperimeterization assumes everyone is untrusted until
proven otherwise. Consumerization requires networks to assume all user
devices are untrustworthy until proven otherwise. Decentralization and
deconcentration won't work if you're able to hack the devices to run
unauthorized software or access unauthorized data. Decustomerization
won't be viable unless you're unable to bypass the ads, or whatever the
vendor uses to monetize you. And depersonization requires the autonomous
devices to be, well, autonomous.
In 2020 -- 10 years from now -- Moore's Law predicts that computers will
be 100 times more powerful. That'll change things in ways we can't know,
but we do know that human nature never changes. Cory Doctorow rightly
pointed out that all complex ecosystems have parasites. Society's
traditional parasites are criminals, but a broader definition makes more
sense here. As we users lose control of those systems and IT providers
gain control for their own purposes, the definition of "parasite" will
shift. Whether they're criminals trying to drain your bank account,
movie watchers trying to bypass whatever copy protection studios are
using to protect their profits, or Facebook users trying to use the
service without giving up their privacy or being forced to watch ads,
parasites will continue to try to take advantage of IT systems. They'll
exist, just as they always have existed, and -- like today -- security
is going to have a hard time keeping up with them.
Welcome to the future. Companies will use technical security measures,
backed up by legal security measures, to protect their business models.
And unless you're a model user, the parasite will be you.
This essay was originally written as a foreword to "Security 2020," by Doug Howard and Kevin Prince. http://www.amazon.com/exec/obidos/ASIN/0470639555/counterpane/