Security in 2020

Bruce Schneier, in his Schneier on Security blog, has a very interesting essay about how current trends in technology, security, and business might shape how security evolves as we move forward towards 2020.  His basic thesis is somewhat provocative:

In the next 10 years, the traditional definition of IT security—that it protects you from hackers, criminals, and other bad guys—will undergo a radical shift. Instead of protecting you from the bad guys, it will increasingly protect businesses and their business models from you.

He talks about several trends that seem to point in this direction.  One, which has been going on for some time, is the increasing irrelevance of the concept of the network perimeter, the boundary between the “Good Guys” on the inside, and the untamed wilderness without.  (I talked about this briefly in my previous post.)  Schneier also cites “consumerization”: the increasing degree to which users want to use their own devices, configured as they like them, rather than using standardized machines provided by the organization’s IT function.  The increasing use of “cloud computing”, particularly for storing data in the cloud, is also a poor match for the traditional model of security.

Schneier also identifies two new trends that he thinks will be important in shaping security understanding and strategy going forward.  The first is the increasing prevalence of special-purpose computing devices.

The general-purpose computer is dying and being replaced by special-purpose devices. Some of them, like the iPhone, seem general purpose but are strictly controlled by their providers. Others, like Internet-enabled game machines or digital cameras, are truly special purpose. In 10 years, most computers will be small, specialized, and ubiquitous.

The second trend, which Schneier calls “decustomerization”,  is one that should really provoke some thought.  More and more, we are getting online services, like E-mail, collaboration, and social networks, in the cloud for “free”, with the costs being covered by advertising.  The essay points out an obvious consequence: the traditional relationship between the supplier and the user is being radically changed:

This is important because it destroys what’s left of the normal business relationship between IT companies and their users. We’re not Google’s customers; we’re Google’s product that they sell to their customers. It’s a three-way relationship: us, the IT service provider, and the advertiser or data buyer.  …   Facebook’s continual ratcheting down of user privacy in order to satisfy its actual customers—the advertisers—and enhance its revenue is just a hint of what’s to come.

(I’ve used the word ‘obvious’ here in the sense it’s used in mathematics: something is obvious once someone has shown it to you.)  Realizing that the users of a social networking system like Facebook are the product, not the customers, makes many changes much easier to understand.  For example, when I first started using Facebook a couple of years ago, the user profile had text fields in which one could enter things like favorite books and movies.  In a couple of subsequent design changes, these text entries have been replaced, in essence, by check boxes, with which you can select your favorites from a defined list.  The latest redesign, just a few weeks old, takes this further.  Now, for example, you can say that you do or do not speak French; the former possibility of writing that you spoke a bit of French is now off the menu.  One effect of these changes is clear: it is easier for Facebook to supply advertisers with lists of users that meet pre-defined criteria.

Quibbles about ugly neologisms aside, the whole essay is worth a read; it’s definitely thought-provoking.

