ORLANDO, Fla.-- Security pros are constantly weighing whether a new security policy could be costly to employee flexibility and productivity. But in recent years, one expert says, less flexibility appears to be the new standard as vendors protect their products from Web-based attacks -- and it could stifle technological innovation.
"The Internet has so many different moving parts and so many different independent hands involved that it's too difficult for anybody to do anything to make it more secure," said Jonathan Zittrain, professor of Internet governance and regulation at Oxford University and co-founder of the Berkman Center for Internet and Society at Harvard University.
While personal computers and devices are protected by firewalls and security software, attackers are finding other avenues of attack. Device makers are responding by locking down devices and configuring them to automatically update, but the result is less flexibility for their owners, Zittrain said. Like a home appliance, the devices can be easily used by their owners, but little can be done to update the internal software or configure them to make them work better.
"There's a movement to turn the PC into things like the Tivo or BlackBerry, which are tethered to their maker," Zittrain said. "The makers of a device are now determining what you can do with it."
Zittrain talked about his work as co-director of StopBadware.org, a Web site that is aiming to be a central clearinghouse for research about Websites that are configured to immediately dispense malware when visited. The goal is to slow the spread of malware by getting the sites labeled by Google and other search aggregators if they contain spyware or deceptive adware, he said. So far more than 31,000 Web sites were found to be configured to dispense malware when visited. Still, the complexities of the Internet is making enforcement of rules and regulations virtually impossible, Zittrain said.
To deal with Web uncertainties, vendors are turning their software into a service, to protect it from vulnerabilities that can be exploited by attackers. Zittrain and other experts who are studying what can be done to better secure systems and devices from Internet attacks say Internet service providers need to take a greater role in securing Web traffic.
"You don't want to let your channel of communication rules be the same channel for executable code," Zittrain said. "One hopes that ISPs take a greater responsibility."
For now, some companies are locking out employees from certain productivity tools and some vendors are tightening their grip on their proprietary software. So far the strategy is helping defend against the bad guys, said Cleveland Greene, a Department of Defense systems analyst based in San Antonio, Texas.
"You've got to increase security and you're going to realize that trade-off, which means employees will be locked into their specific business process," Greene said. "If we're gong to win the battle you've got to accept that trade-off."