Really, Really Secure. No, Really!

By Ivan Gevirtz

created: Wednesday, January 31, 2007
updated: Monday, January 07, 2008

In Insecurity, as well as in my security training presentation, I discuss various aspects of building secure systems, and in Ye Olde Generic Website Security Document I highlight a reasonable way to enhance the security of CVG.  During the discussions around CVG security, someone proposed farming out a part of the infrastructure, and asked if that would open us up to new vulnerabilities.  I mentioned that the communications channel between the service provider and the rest of the infrastructure should be private (e.g., a leased line), because using the Internet would open new vectors for attack.  I also mentioned that the service provider should make sure that their equipment is properly patched, and that they employ diligence for physical security...

Blah blah blah...  Or, as Crystal Waters sings, "La da dee, la dee da".  (And... what ever happened to her?)

You see, all this may be beside the point.  Yes, there was a customer who wanted the document, so I wrote it.  But why did that customer want the document?  How would that customer use the document?  Could that customer even evaluate the merits of the document?  Could that customer even spell?

I'd argue that none of that matters.  Can you tell I'm in the mood to negate everything?  Yeah, right, what do you know?

Anyway, that customer wanted a document so they could claim that they did their due diligence, and that, according to us, our product is secure.  See, it says so right here!  And then they can go on their happy day, and drive home peacefully at night with only that annoying paper on the rear window to worry about.  The customer wanted the writeup so they can claim that they're covered.  CYA.  But covered from what?

Covered from liability.  That's what it is all about.  Aren't you surprised?  In the high tech industry, very few people are really concerned about true security.  Those that are, are often either crooks, governments, or government topplers.  Everyone else just worries about lawsuits.  So finger pointing and the blame game are really more important than true security.

There is a fundamental problem that helps fuel the preference for avoiding liability instead of implementing security.  The problem is that security is hard.  And expensive.  And hard things are even more expensive.  And expensive hard things cost a lot of money.  Expensive things should generate revenue.  Security never generates revenue.  At most, the customer wants to hear a plausible "security story", to check off a requirement, so every good company has to claim to have "it", whatever flavor of "being secure".  Not having "security" can lose a sale, but having "great security" is never really the determining factor (and nothing's ever Secure [with a capital "S"], anyway, even though I love to nest comments).  Security is an invisible cost center.  Good security is never seen by the customer.  Often bad security isn't seen by the customer, even when that bad security compromises the customer's computers and systems.  In reality, security is a cost that almost all companies defer to the last possible moment.  Which seems like a reasonable policy, even if you're Chicken Little.

But what happens to those companies when a vulnerability becomes public?  Some companies suffer from really bad press, but not many.  And the rest just point the finger at someone else.

... And knowing that, I explained that outsourcing the operation of the infrastructure for CVG is good security policy.  It offloads that cost center to someone else, and gives us a great scapegoat when and if the system becomes compromised.  You can just hear management joyfully whining amongst themselves, interspersed with the occasional evil cackle: "Besides, that's those other people's business, it's their core competency, they must know what they're doing... surely more than we would... and we'll save the money from having to learn that invisible cost ourselves, because surely they will..."  And around and around they go.  Hopefully, at least the outsourced company has liability insurance!