During the Security 2.0 event in New York in late October this year, Symantec's John W. Thompson, Enrique Salem, and Jeremy Burton presented a vision for protecting customers from the next generation of threats targeting their information and interactions. While Security 2.0 was first mentioned during the Symantec Vision conference in May, the company has only now talked about how it would execute that new strategy. In less than a fortnight after Symantec's release announcement, the blogging community is rife with discussions that question the credibility of this vision.
The Community's View of Security 2.0
In late August this year, Michael Santarcangelo, of the Security Catalyst, recorded some of his findings on what the future for information security holds, in a podcast titled Introducing Security 2.0. He broke down the concept into three broad elements:
- Leveraging Web 2.0 to improve the way we practice information security
- Taking the knowledge we have and securing Web 2.0 offerings
- The tools, skills, attitudes and experiences required to be a Security 2.0 professional
Santarcangelo's concept of Security 2.0 for the community stems from the now popular Web 2.0 movement, which is largely aimed at ushering power back to the users and allowing them to have more meaningful interactions. Santarcangelo's concept of Security 2.0 builds upon that — software above the level of a single device, software that is portable, security solutions that are non-static and can be seamlessly integrated and expanded in a way that improves the world around us.
Symantec's View of Security 2.0
Now let's look at what Symantec has envisioned under the Security 2.0 banner. The concept Symantec calls Security 2.0 "brings together an ecosystem of products, services, and partnerships to help customers remain confident in today’s connected world". To cut a long story short, Symantec's version of Security 2.0 boils down to the announcement of new products and partnerships that include Norton Confidential Online Edition, VeriSign and Identity Protection, Accenture and Symantec Security Transformation Services, Symantec Database Security, and Symantec Mail Security 8300 Series.
Norton Confidential Online Edition, according to Symantec, is an online transaction security solution that allows financial institutions to help their customers bank online with confidence. In short, it is an anti-phishing tool that is able to block keyloggers. Says security analyst Alessandro Perilli, "[...] a very poor approach to the problem. If banks want to offer a safe environment to customers they could simply send them a USB key filled with VMware Player (free) and a custom Linux distribution (free as well), able to only connect a home-banking site. Nothing could be more 2.0 than this." Perilli also points out that the Symantec Mail Security 8300 Series is the old Brightmail Anti-spam engine in a shining new case, and the Symantec Database Security, is something he has been working on for years, still addressing false positives and false negatives issues.
So Where's the Difference?
Symantec's take on Security 2.0 is focused on its own product line, partnership for services with VeriSign (for 2-factor authentication) and Accenture (for risk assessment and management). Unlike Web 2.0, this concept does not have the underpinnings of a movement that can eventually usher power back to the user and radically change the face of how information security is practised. Symantec can be forgiven if Security 2.0 is viewed in the light of a marketing term. However, if Symantec's vision, as the CEO (John W. Thomson) says, is to make digital lifestyle exciting or dynamic, allowing for users to realise the full potential that new technologies bring to the connected world, then chances are that Security 2.0 may become a dead-end marketing term that is mocked around the world, much like Santarcangelo opines on Security Catalyst.
What Next?
If Symantec can take their pitch to the next level by creating an ecosystem of various stakeholders—corporations, the community, the users—and incorporate an open framework that borrows from Web 2.0 learnings, breeds new innovations, and fosters the creation of a new and open set of agnostic tools, skills and attitudes, we may be able to see a long lasting movement that we can proudly call Security 2.0. Till then, like Perilli says, "If this is Security 2.0, I want to directly skip the next major release". |
