Not a LaGrande Security Plan

It would be nice, though ultimately very silly, to think that the world’s computing facilities could be secured by locking down the technology and ignoring the human factors. But that is what Microsoft and Intel seem to believe, with a chip encryption technology in development at Intel called LaGrande, and a forthcoming suite of security software and hardware from Microsoft dubbed Palladium.

Of course, there is nothing wrong with making computing technology more reliable. Security, however, starts with user awareness and a policy planned and implemented by a CIO, not with the dictates of platform vendors. LaGrande and Palladium will confuse users more than help them.

To Err Is Human

The most common security problems have a human element that is not well served by innovations at a chip or operating system level — at least, not in the way Microsoft and Intel are proposing. Sensitive documents are printed out and left lying around. Passwords are cracked because someone used their birth date rather than a random string of alphanumeric characters. Moldy, rotting floppy disks brought into the office infect first one, then many PCs with the latest virus because proper protection tools were not run. Small business Web sites are compromised and exploited as jumping-off points for denial-of-service attacks because the proprietors of those businesses have bandwidth but lack the necessary security tools to protect it.

The solution, in the view of such vendors as Intel, is simply to put the technology in place and let users know it is working for them behind the scenes. For example, LaGrande supposedly would encrypt secure sockets layer (SSL) sessions at a chip level so that mischievous types could not snoop on personal information being transmitted to a shopping Web site.

However, if individuals are already clueless about Web site authentication procedures — and they are — how well will they deal with an additional layer of complexity involving encryption? If this is a confusing matter for individuals, it could be a nightmare for CIOs. Imagine someone trying to manage fleets of PCs if some users have encrypted part of their hard drive to protect their vital data. You have a Mexican standoff waiting to happen.

I Know What You Downloaded Last Night

Security has to be a CIO priority, and there must be a clear plan to achieve it. These issues cannot be addressed by hiding or burying encryption and passcodes within PC hardware. Efforts like LaGrande and Palladium would create exactly what CIOs do not need — non-portable black boxes, ill-understood except by vendors, that are unevenly deployed across a mix of hardware and software.

For the same reason, the technology will fail in the area of rights management for digital media, which, despite all the talk of protecting users, is just as much a priority for Microsoft, Intel and their media partners. Any security on digital media is a contract between media consumers and media providers. Telling consumers that their computer has a secret contract with a media vendor negotiated behind their backs is a quick route to confusion and frustration, not copyright protection.

Raise User Awareness

No, the answer is to leave security technology to the gurus, and to try to educate users away from the human failings that can torpedo security.

My grandfather had a cynical expression for it: “You can’t cure crazy, and you can’t fix stupid.” Certainly, hidden tools like LaGrande and Palladium are a bad way to reengineer flawed but fundamentally human practices. The most you can hope to do is to teach computer buyers how to take responsibility for the systems they use, and to give CIOs and IT administrators the system-wide tools they need to act responsibly.

Note: The opinions expressed by our columnists are their own and do not necessarily reflect the views of the E-Commerce Times or its management.
