Should Advanced Security Features Just Be Included?
Corporate and government email getting hacked is unfortunately a pretty everyday story and hardly worthy of a blog post. But last week, Microsoft announced that a Chinese hacking group accessed non-classified accounts from the State and Commerce Departments (among others), and the way that it was detected is interesting.
According to the postmortem, the hack came to light when a customer with a sharp IT department and access to advanced audit logs noticed an unusual access pattern and reported it to Microsoft for investigation. So far, so good. But it turns out that the audit logs in question are only available with a higher-end enterprise license, something that at least some of the impacted customers apparently didn’t pay extra for.
Charging extra for advanced or additional security features is in fact a fairly common industry practice. One of my favorite examples is “The SSO Wall of Shame”, where SaaS vendors who make single sign-on a premium feature get memorialized. If you have an extra minute, go take a look at some of the markups that get attached to SSO support. And when you do, keep in mind that as an engineering task, adding SSO support to a SaaS application is extremely simple, probably on the level of an intern project in many codebases. So those markups are all going directly to the bottom line.
With respect to the recent email hacks, Senator Ron Wyden likened this practice to “selling a car and then charging extra for seatbelts and airbags.” It’s all well and good to call out vendors and try to goad them into providing all of their available security features as part of their standard package. But I would suggest that:
Asking if customers should pay for security features is the wrong question, and instead we should ask if software vendors should pay for not providing security features.
To be sure, something like legislation requiring that all security features be made available by default might have an impact in the short term. But in the long term, such a move gives software vendors an economic disincentive to invest in developing new security technologies. The cost associated with research, development, and implementation of robust security measures can be substantial. Without a financial incentive, vendors may be less motivated to innovate in the security domain.
Fortunately, there is a tried-and-true way to align industry incentives around safety and security, and that is product liability law. Requiring software vendors to bear financial and legal liability for security and data breaches creates a strong motivation for them to prioritize and invest in robust security features and make those features readily available to their customers. The potential consequences of breaches would significantly impact the vendors’ bottom lines, driving them to take security seriously and allocate appropriate resources to prevent such incidents.
Of course, it is essential to strike a balance between vendor responsibility and customer responsibility. While software vendors should provide robust security features, customers must also take an active role in deploying and using those features correctly to maximize their effectiveness and protect their systems and data.
In today's online world, the security of software products is paramount. By requiring software vendors to provide advanced security features in their standard offerings and simultaneously holding them accountable for security and data breaches, we can strike a balance that promotes accessibility and, at the same time, incentivizes innovation.