When you deal with money, security is a big deal.
But when it comes to enterprise platforms, the lens by which the industry approaches security is showing its age.
One common security practice was that of the corporate intranet—the firewall approach. If it was important, it was kept offline. Today, that’s no longer practical.
Last May, Google announced their about-face on enterprise security. They decided to take their corporate applications online and explained their thinking in a paper. In a nutshell, when the expectation is always-on, on-demand and real-time from anywhere you want, the intranet model simply doesn’t suffice. It’s a bottleneck on productivity. Even worse, that internal network is just as insecure as the Internet proper, says Google.
Of course, moving from the building to the cloud requires a very different kind of perspective:
And as CFTC commissioner J. Christopher Giancarlo noted in a speech at Harvard Law School, cyber threat is the number one threat to financial markets in the 21st century.
Perhaps unsurprisingly, as researchers have taken a close look at the financial protocols that are the building blocks of the economic machine, they were underwhelmed by their security findings. Case in point is Germany’s implementation of ISO 8583, its flaws outlined succinctly in a talk given at the Chaos Computer Club.
At Ripple, these developments are top of mind, and we believe it’s important to encourage and expand this kind of research. A new approach to the transfer of value requires, in tandem, new approaches to enterprise security. Financial institutions, for instance, could take a page out of Google’s playbook: Google pays white hat researchers millions to try and break its software.
If you follow this kind of stuff, you may have noticed that Ripple—along with the likes of Stanford University and other technology firms—recently supported the Electronic Frontier Foundation’s W3C proposal.
The issue at hand is that of copyright protection and the ecosystem of private laws that inform its enforcement—known as “paracopyright” by IP scholars.
Long story short, some of these rules have the unintended consequences of discouraging further study and censoring researchers from publishing known security vulnerabilities for fear of litigation.
The EFF explains:
A significant consequence of paracopyright is its impact on security researchers. Rightsholders’ counsel have argued (sometimes successfully) that the prohibition on circumventing access-controls includes a prohibition on publishing information that would assist in circumvention. This includes the disclosure and demonstration of vulnerabilities in technologies that include an access control. Security researchers widely cite the chilling effect of this as a factor in preventing disclosure of their results, and there have been real-life instances of serious security vulnerabilities that were able to fester for months after discovery because the initial discoverer was advised by counsel not to make any disclosure — these vulnerabilities were not disclosed until less risk-averse researchers independently rediscovered them and came forward. In the interim, the vulnerabilities spread to new systems and were sometimes exploited by attackers.
As EFF Special Advisor and Boing Boing editor Cory Doctorow explained to me, this is about defending “the openness that built the web.”
Ripple’s stance on the EFF proposal is a reflection of our commitment to an open approach to security. All of Ripple’s enterprise-grade products have gone through a comprehensive third-party security review. Future products will go through a similarly stringent process.
As my colleague Ripple CTO Stefan Thomas explained to me, “We believe that third-party reviews and rigorous testing are better than security by obscurity.”
“That’s why we have worked with NCC Group to review Ripple code and why the core of our technology is open source.”