SHARE in Boston 2013 Journal: Surviving in a Feudal Security World

Although I’ve already written about the SHARE day one keynote offered by Greg Lotko of IBM, I’d be remiss to overlook the insight which came from Bruce Schneier, Chief Security Technology Officer for BT, on day two. His keynote, “Surviving in a Feudal Security World” was a most interesting commentary on the times we live in, both from a business and personal perspective.

Recent events involving the NSA and individual privacy in the United States have shone a spotlight on Schneier. He’s even testified before Congress on matters of information security. Though he steered away from a direct connection to the mainframe, his overall message was clear: security is a paramount concern for all.

[Photo: SHARE in Boston attendees line up for Bruce Schneier's keynote presentation.]

Who’s Responsible?

Schneier opened with one of the most insightful metaphors you may ever hear. He was discussing the fact that, traditionally, the user was always responsible for the security of their own computer. You’d purchase a new laptop and a sales associate might try to upsell you on a security package to go with it. Schneier likened this to purchasing a new car and having the dealer tell you what a good idea it would be to have brakes installed. If that concept doesn’t make you stop and think, it should. For over two decades we have routinely treated a critical piece of personal computer infrastructure as an optional add-on. But now, that’s all changing.

Schneier explains how we no longer control our email. We no longer control our photos. We no longer control much of our personal data. It’s all on cloud data services such as Gmail or Flickr. Even the devices we regularly use to access our data are out of our control. You don’t control the security of your iPhone, Apple does. So we’re moving away from the model of us controlling our computer and our data to someone else controlling our data and our device. Schneier calls this new model ‘feudal security’.

This concept is likened to the feudal system of the Middle Ages, where individuals (serfs) worked the land and pledged their allegiance to lords who, in return, offered them protection. In the modern-day version, users pledge their allegiance to a more powerful company, which in turn promises to protect their data. It is an otherwise pretty appealing concept, per Schneier. Just think: you get the convenience of automated protection, redundancy in security, and so on. The basic level of security you get via Google and your Gmail account is often better than what you could achieve on your own.

But there are also disadvantages. You’ve now lost control. Maybe you want a higher level of security than the provider offers? Or your data could be shared with other companies or the government. Schneier notes that the inherent risk here is that vendors act only in their own self-interest. There is no financial transaction to make them beholden to us; for example, you don’t pay Google for the use of Gmail.

The result is that we experience the same fate as the serfs. Just as they were tied to the land, we are tied to our email provider, our cell phone provider, and so on. And since we’re tied to them with limited checks and balances, they may not always act in our best interest.

Implications for Business

Schneier continued on, expounding on balances of power and the roles that governments, corporations, and individuals will play as data and security continue down their current course. But from an IT perspective, there’s an entirely separate conversation to have. As your organization increases its interactions with other companies, clients, and individuals, it will continue to amass even more data, some of which will be sensitive in nature. Yet again, the spotlight will shine on how secure your data center is. And if it’s comprised of servers, you can find yourself facing a breach.

Why am I singling out servers? It’s because they are vulnerable, unlike the mainframe. I’m reminded of a blog post by SHARE past president Janet Sun in which she breaks down various myths about the mainframe, one of which, of course, addresses security. Here’s a brief excerpt:

With increasing attention on security, it is important to note that the mainframe has the highest server security rating in the industry. The Evaluation Assurance Level (EAL) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. IBM mainframes have EAL5+ certification. What does EAL5+ mean? “The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented.”

Security is built into every level of the mainframe’s structure, including the processor, operating system, communications, storage and applications. Security is accomplished by a combination of software and built-in hardware functions, from identity authentication and access authorization to encryption and centralized key management. Despite the way Hollywood portrays the mainframe, in reality there has never been a reported incident of a mainframe being hacked or infected by a virus.

That last sentence almost bears repeating. Think about it. We take for granted how often we hear about security breaches in the news, but all of those incidents happen because vast server farms are easy targets for hackers. The mainframe is a far more secure option.

The Takeaway

Overall, Schneier's message is a valid one. We all know that security is a top concern, and while the risk and exposure associated with personal data is an issue for the individual, the risk and exposure for corporations is enormous. Those responsible for the vast amounts of data housed by companies need to be continuously vigilant, monitoring and upgrading security to ensure they protect the data that we as individuals entrust to them. Just as we shouldn’t allow ourselves to accept an out-of-sight, out-of-mind policy for our personal devices, we shouldn’t simply accept servers as the go-to option for data storage and security. Click here to find out more about System z and its security advantages.

Ryan Segovich attended SHARE in San Francisco on special assignment. Follow him on Twitter @TIRyan2. Follow SHARE on Twitter @SHAREhq.
