Top 10 Security Developments of the Last Decade

The staff of the Software and Information Industry Association (SIAA), a trade association for the software and digital information industry, recently published a Top 10 of the most significant e-commerce developments of the past 10 years. Inspired by this I decided to put together my own Top 10 Security developments of the last decade. All alternative suggestions are welcome.

1. The X.509 Standard for Digital Certificates – The standard that inspired and enables secure e-Commerce and Identity Management. Without this there would be no safe use of the Internet for business communications. Initially conceived back in the late 80s but not introduced into mainstream operations until the dot com days.

2. SSL/TLS – Built on the above, the essential security protocol, originally developed by Netscape just over a decade ago, underpinning contemporary e-Business and secure remote access to corporate networks.

3. ISO 27000 Series of Standards – When we penned the original BSI PD 0003 Code of Practice back in 1993 we knew it was good. But we never envisaged it would evolve into such an important Global standard. Well done to the International Standards community for a decade of patient and progressive evolution. Quality always wins through in the end.

4. SAML – The standard protocol for conveying authentication and authorisation data between systems and organisations. SAML and its derivatives represented a huge step forward, enabling single sign-on and the evolution of enterprise and extended-enterprise Identity Management systems.

5. Vulnerability Management Software – Without modern vulnerability management software we would have no real-time visibility or metrics to measure the security posture of our external-facing infrastructure. Vulnerability management systems have transformed the capability of organisations to keep up with fast-changing e-Business applications, especially those outsourced to contractors.

6. Intrusion Prevention Systems – Without IPS appliances and managed services, we’d be vulnerable to extortion bids by organised crime and other bad actors. IPS may seem a luxury for many organisations but once you’ve experienced the helplessness generated by a professional DDoS attack you’ll quickly become a convert.

7. Californian Law SB 1386 – The controversial local law that quickly went global and requires all companies to notify the authorities of breaches affecting the privacy of Californian citizens. Wherever you are, this law or something similar is likely to be coming your way.

8. The Jericho Forum – Formed by a group of CISOs from leading user organisations, this forum was a breakthrough in standards-setting, transferring the upper hand in security standards strategy to users rather than vendors.

9. The AES Algorithm – Cryptographic algorithms are amongst the hardest components of the infrastructure to change. Amongst other things, they require universal approval and buy-in. This algorithm comes with accreditation and is a step in the right direction for quantum-immune transactions.

10. Windows Security Centre – Nothing revolutionary here in technology. But without this relatively easy-to-use feature, the average Windows user would be an awful lot less secure.

Many other technologies offered great promise but sank without trace, in some cases because they were introduced before their time. Amongst the casualties was the Royal Mail Group Viacode certificate service, a blue-chip authentication service which arrived in the marketplace before anyone realised they needed one. Also, the extraordinary Tristrata encryption system, a revolutionary cipher system that promised a lot but failed to impress Bruce Schneier and could never satisfy the short-term investment criteria of its West Coast venture capitalists.