Hopefully you’ve got the idea: Solving the “desktop problem” has almost nothing to do with technology, and everything to do with me. In this post I want to focus on another human-centric challenge to our approach to end user computing, and since the remainder of my quest requires a tour through ancient history, our journey fittingly commences with the Trojan War.
Thus far I’ve argued that disaster results from an impedance mismatch between humanity and technology: poorly architected systems made vulnerable by fallible developers, combined with gullible users. But users will always be gullible and our software always vulnerable, so the bad guys will get in.
Perhaps we could statically segregate apps & data into domains of trust to prevent attacks? When the Greeks laid siege to Troy the Trojans locked down their city and endured for ten years. The policy was simple: Trojans only on the inside, and “bad guys” on the outside.
This ought to be familiar to everyone in IT today: Lock down the PC so that the user can only use it for work. Ban any other use through policy. Prevent data loss with DLP policies. I encountered an extreme version of this at a large manufacturer whose employees working on sensitive data are given two laptops, and trained to partition their activities between “high side” and “low side” to try to contain risk. Citrix XenClient is a “desktop consolidation” version of this, with independent, isolated corporate and personal VMs on the same PC.
What happened at Troy? Well we can be certain that the Trojans were getting mighty sick of olives and stale bread after ten years. More importantly, by locking down their city they were unable to be productive as a society and by contrast their attackers had every resource they needed to sustain their lengthy siege. An IT department that erects walls for security is a barrier to the productivity of the enterprise. And the attackers have the benefit of freely available resources to bolster their attacks – “the cloud” helps the bad guys far more than the enterprise. Ultimately this posture will fail. Locking down a PC so that it becomes a single function device makes employees all the more keen to get enterprise data into Dropbox. And segregating different workloads onto different devices is cumbersome and twice as expensive.
How about XenClient – with two VMs per PC with “walls” between them? It fails too, because the attacker will send the poisoned attachment to your corporate email in your corporate VM. From this we can conclude that the approach that IT is taking – locking things down and static isolation – doesn’t prevent attackers from getting in. Just as the Greeks eventually did, at Troy.
Other rigorous static segregation approaches have been proposed. For example, each application could run in its own VM, like Qubes OS. But in this model the management complexity explodes: provisioning and lifecycle management of the hypervisor, multiple OS images and apps, and policy galore (to hook all the running components together). It is simply too painful to deal with. An operating system is supposed to be a perfectly integrated system that runs applications, that is a joy to use, simple to manage and secure by design.
It is we – the users – who are the issue. Since time immemorial humans have had to enter a “grey zone” where it is impossible to determine the trustworthiness of their environment. We had to go into the unknown to hunt and gather food; we have to browse the public web to gather information and we have to use applications and consume data of unknown provenance – just to be productive employees. The very nature of our humanity demands that we enter environments, communicate with individuals and interact with systems whose trustworthiness cannot be established. Moreover, success requires that we compete, and competition exposes us to competitors.
When we enter these zones of unfathomable trust, our operating systems and applications are exquisitely vulnerable, just like the famous Greek hero Achilles in battle at Troy. But we can no more shut out the outside world, than Achilles could avoid battle: We have to give users access to the public web, you have to open the attachment that seems to be from your boss, and you have to insert the USB stick I give you with my report on it. It is precisely in these zones of unfathomable trust that today’s technology fails to protect us. The Trojan hero Paris’s arrow struck Achilles in the heel – exploiting his only vulnerability and killing him. He was unaware of his vulnerability, just as we are unaware of zero-day exploits that have not been exposed. But they exist, and moreover the attackers will take advantage of them.
We cannot plan for the unknown threat. We require our employees to enter zones of unfathomable risk, just to be productive. It is precisely here that our technologies fail to protect them. A trustworthy system must remain trustworthy in the most hostile of environments, and it must remain trustworthy in spite of its exposed heels.