At the Black Hat security conference on Wednesday, former Google VP of Engineering Douglas Merrill gave the opening keynote presentation, and it wasn't a traditional security industry talk. The takeaway: Let users dictate enterprise security needs.
Merrill, who most recently served as Chief Operating Officer and President of EMI Records, started with a metaphor of placing sidewalks on a college campus to describe his view of security architecture. Campus planners, he said, come in and put down sidewalks and grass. Six months go by and they begin to notice patches of dead grass. In response, the planners would put up metal chains to keep the students on the pavement. If the students persist in walking on the grass, the planners put in planters to discourage such traffic once and for all.
The same happens with security in the enterprise. Companies will try to control employees by restricting IM use, by forcing Gmail through a proxy. Merrill cited his experience as COO, his own frustration with Exchange, and faulted the classic enterprise software for not being user friendly. "Employees want better tools at work," said Merrill. "They're trying to make use of the best technology." In his opinion, the best technology can often be found in consumer-grade software.
He said that twenty years ago everyone wanted to work in enterprise software; not today. Today there are better, more user-friendly tools such as IM. And rather than fight the needs of the employees, security officers should work to secure the networks that use them.
There is another approach to putting sidewalks on the college campus: plant grass and let the students walk where ever. Merrill said that after six months the planners can go in and then harden the most used paths with sidewalks. Merrill thinks the same could happen with security: the users should lead the security development.
But rather than present a threat to the billion-dollar security ecosystem currently in place, Merrill sees a compromise. "I do believe that security companies will change from creating infrastructure boundaries to infrastructure resilience. If we can build security correctly, we make things easier, not harder."
Robert Vamosi is a freelance computer security writer specializing in covering criminal hackers and malware threats.