Friday, April 24, 2009

Reputation-based security

Today I read a transcript of Enrique Salem's keynote at the RSA conference, and in it he talked about something I found to be very fascinating - reputation-based security. The idea is that you can set security policies for applications you allow to run not based on some impossible-to-maintain whitelist or blacklist, but based on an application's reputation.

This new method isn’t all-or-nothing blocking like we’ve had in the past. This is a policy-based approach, where the administrator can configure the protection based on their own tolerance for risk. For instance, a government agency could forbid installation of all software that is less than 30 days old, hasn’t been installed by at least one million users, and doesn’t have a good reputation. This policy would guarantee that all software installed would first have to be vetted by literally millions of other users.

On the opposite end of the spectrum, an administrator at a university—where students constantly download all sorts of applications—could have a more lenient policy. For example one that requires new software to have a good reputation and have been previously downloaded by at least 100 users.

Think about it a little like a Zagat restaurant guide. Some people with a high risk tolerance may go eat at the new sushi place based on the recommendation of an acquaintance. Someone that is more risk averse might want to first check out the Zagat guide and wait until the place receives a high food rating before they go try it. But what’s most important is that you choose how daring you want to be when it comes to picking a restaurant. You should be able to make a similar choice when it comes to security.

I think this is really cool and makes a lot of sense. I like the way it balances flexibility with security. I like the way it takes advantage of the crowd to help categorize the safety of an application. It also helps me see how there are very interesting problems and potentially fascinating solutions in the world of security.

No comments: