Security Expert: Trusting Service Providers With Security Is Dangerous


In the days of feudalism, serfs and minor lords pledged allegiance to the king and received protection in return. As long as the king held up his end of the bargain, the system worked. If he didn't, the system would crumble, as it eventually did in Europe around the 15th century.

Bruce Schneier, CTO of BT Managed Security Solutions, sees the feudalism dynamic happening today on the Web, where users of social networking and other online services must blindly trust that the companies providing those services are paying enough attention to security. And given the power these firms wield, that is by no means a safe assumption.

Service providers are getting better at collecting users' data, a trend that could pose problems for serfs down the road, Schneier said in a Tuesday afternoon talk at the RSA Conference 2013 in San Francisco.

 


"Remember when Microsoft was the big company we were all worried about? Now it's Google, Amazon and Facebook," Schneier said. "Already, Google knows more about my interests than my wife does. ... We as users have to trust these vendors."

In the traditional security model, the onus was on users to choose the right products for their needs, such as antivirus and firewalls, and to configure them on their networks. Now that traditional model is breaking, according to Schneier.

He chalks this up to the rise of devices such as the iPad and iPhone, over which Apple exerts complete control; and cloud services, which vendors maintain completely on their own, affording zero visibility to the end user.

"You can't control security on Gmail or Facebook," Schneier told RSA attendees. "You get what they provide. With this model, someone else is taking care of it. When we trust Facebook security, we do it blindly."

Governments and corporations hold the lion's share of power at the moment, and they're increasingly using the Internet to further strengthen their position. Under the banner of combating digital piracy, media companies are using the government to enforce their business models with proposed legislation like the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA), said Schneier.

"Right now the powerful are winning these debates, whether it's law enforcement or a large corporation," Schneier said.
