City-state Security

Bruce Schneier wrote an interesting piece in Wired yesterday likening cloud providers to feudal lords.  Schneier states that we’ve come to a point in the Internet era where users are putting a tremendous amount of trust in companies like Facebook and Amazon in exchange for convenience.  It’s never been more apparent – we want access to our data anywhere, anytime, without the hassle of VPNs, encryption, and other annoying “obstacles.”

Long live the king!

As Bruce points out, for some individuals and small companies, being a vassal can work in our favor – after all, our lords know better than we do (or do they?).  But what about multibillion-dollar enterprises with much more at stake?

Schneier says:

“These organizations are used to trusting other companies with critical corporate functions: They’ve been outsourcing their payroll, tax preparation, and legal services for decades. But IT regulations often require audits. Our lords don’t allow vassals to audit them, even if those vassals are themselves large and powerful.”

Even if you yourself are a powerful lord, when your king calls upon you, you obey.

Enterprises realize that convenience is often the enemy of security and trust is sometimes betrayed.  Managing and protecting IP, customer data, patient data, etc. is too important to hand off to a hopefully-benevolent lord who has an entire realm to rule.  As Chris Dixon says: outsource the things you don’t care about.

Interestingly, Bruce views the outcome as binary: convenience XOR security.  I think there’s an unstated middle ground here: a new breed of enterprise-class solutions that offer the same luxuries the kings provide, but are deployed and controlled autonomously by the organization.  Call it city-state security.
