[e-gold-list] Insurance for Unauthorized Access

2001-06-29 Thread SnowDog

How is it that PayPal can buy $100,000 insurance protection against
unauthorized transactions for every customer from Travelers Insurance? Can
E-Gold LTD do this? Wouldn't this be a BIG solution to protect those who
have been hacked?

I've been reading some of the forums with conversations between some of
these people who have been hacked, and THEY DON'T KNOW HOW IT HAPPENED. Now,
I don't doubt that they did something to let the hackers in, but insurance
in this area would be a tremendous asset to E-Gold. Moreover, let the
customers BUY IT themselves. If I had an account with 1000 grams in it, I
certainly would pay for it.

SnowDog



---
You are currently subscribed to e-gold-list as: archive@jab.org
To unsubscribe send a blank email to [EMAIL PROTECTED]



[e-gold-list] Insurance

2001-05-11 Thread Ben Legume



If I ran such a company I'd try to take some basic precautions against
insuring morons in the first place, maybe not an aptitude test per se,
but something that would screen out the bottom-feeders.

Have a sign up page for the insurance scheme where it asks the 
potential insuree to enter their E-gold password. If they do so, 
blacklist them from the scheme!





[e-gold-list] Insurance and the Future of Network Security

2001-03-17 Thread Bob

In the long run, the OS you choose for your business
should make a difference in its operating costs and
in how some of your customers view the technical
reliability of your business.

Bob


From Bruce Schneier's CRYPTO-GRAM:


  Insurance and the Future of Network Security



Eventually, the insurance industry will subsume the computer security
industry.  Not that insurance companies will start marketing security
products, but rather that the kind of firewall you use -- along with the
kind of authentication scheme you use, the kind of operating system you
use, and the kind of network monitoring scheme you use -- will be strongly
influenced by the constraints of insurance.

Consider security, and safety, in the real world.  Businesses don't install
building alarms because it makes them feel safer; they do it because they
get a reduction in their insurance rates.  Building-owners don't install
sprinkler systems out of affection for their tenants, but because building
codes and insurance policies demand it.  Deciding what kind of theft and
fire prevention equipment to install are risk management decisions, and the
risk taker of last resort is the insurance industry.

This is sometimes hard for computer techies to understand, because the
security industry has trained them to expect technology to solve their
problems.  Remember when all you needed was a firewall, and then you were
safe?  Remember when it was an intrusion detection product?  Or a PKI?  I
think the current wisdom is that all you need is biometrics, or maybe smart
cards.

The real world doesn't work this way.  Businesses achieve security through
insurance.  They take the risks they are not willing to accept themselves,
bundle them up, and pay someone else to make them go away.  If a warehouse
is insured properly, the owner really doesn't care if it burns down or
not.  If he does care, he's underinsured.  Similarly, if a network is
insured properly, the owner won't care whether it is hacked or not.

This is worth repeating: a properly insured network is immune to the
effects of hacking.  Concerned about denial-of-service attacks?  Get
bandwidth interruption insurance.  Concerned about data corruption?  Get
data integrity insurance.  (I'm making these policy names up,
here.)  Concerned about negative publicity due to a widely publicized
network attack?  Get a rider on your good name insurance that covers that
sort of event.  The insurance industry isn't offering all of these policies
yet, but it is coming.

When I talk about this future at conferences, a common objection I hear is
that premium calculation is impossible.  Again, this is a technical
mentality talking.  Sure, insurance companies like well-understood risk
profiles and carefully calculated premiums.  But they also insure satellite
launches and the palate of wine critic Robert Parker.  If an insurance
company can protect Tylenol against some lunatic putting a poisoned bottle
on a supermarket shelf, anti-hacking insurance will be a snap.

Imagine the future....  Every business has network security insurance, just
as every business has insurance against fire, theft, and any other
reasonable threat.  To do otherwise would be to behave recklessly and be
open to lawsuits.  Details of network security become check boxes when it
comes time to calculate the premium.  Do you have a firewall?  Which
brand?  Your rate may be one price if you have this brand, and a different
price if you have another brand.  Do you have a service monitoring your
network?  If you do, your rate goes down this much.

This process changes everything.  What will happen when the CFO looks at
his premium and realizes that it will go down 50% if he gets rid of all his
insecure Windows operating systems and replaces them with a secure version
of Linux?  The choice of which operating system to use will no longer be
100% technical.  Microsoft, and other companies with shoddy security, will
start losing sales because companies don't want to pay the insurance
premiums.  In this vision of the future, how secure a product is becomes a
real, measurable, feature that companies are willing to pay for...because
it saves them money in the long run.

Other systems will be affected, too.  Online merchants and brick-and-mortar
merchants will have different insurance premiums, because the risks are
different.  Businesses can add authentication mechanisms -- public-key
certificates, biometrics, smart cards -- and either save or lose money
depending on their effectiveness.  Computer security "snake-oil" peddlers
who make outlandish claims and sell ridiculous products will find no buyers
as long as the insurance industry doesn't recognize their value.  In fact,
the whole point of buying a security product or hiring a security service
will not be based on threat avoidance; it will be based on risk management.

And it will be about