Andreas Antonopoulos's blog
Unintended Consequences
Submitted by Andreas Antonopoulos on Wed, 2007-08-29 13:01.
Skype's outage last week created a whole range of rumours. Was it a DDoS? An attack against a known vulnerability? Some bug?
It seems that the outage was an unanticipated consequence of Microsoft's Patch Tuesday. As a major patch was rolled out, millions of computers rebooted. Because Skype is a peer-to-peer network, it had no single point of failure to fail. But the balancing algorithm that allocates resources across the network suffered a "death by a thousand papercuts": the rebooting machines caused an instability that kept growing until it exceeded the Skype network's ability to adjust.
Microsoft reacts to GPL3
Submitted by Andreas Antonopoulos on Mon, 2007-07-16 08:42.
The release of the General Public License 3 was intended to strengthen open source against patent claims. Microsoft's deal with Novell, selling vouchers that indemnify SUSE customers from any Microsoft patent claims, prompted the changes in the GPL. Novell's announcement that new code would be GPL3 left Microsoft with little choice but to dance the quickstep. The first part of the announcement states that Microsoft is not a party to GPL3. The second part states that the vouchers will not apply to GPL3 code, thereby effectively discontinuing the vouchers for new code.
Vendors offer compliance help but are not compliant themselves
Submitted by Andreas Antonopoulos on Fri, 2007-04-06 13:20.
Regulatory compliance offers security vendors a tremendous opportunity to hitch their sales pitch to something that has a dedicated budget. As a result we see many vendors touting compliance as a feature, even if all they do is provide a report that (possibly, maybe with a bit of massaging) can be used to document compliance.
But while vendors tout their ability to make you compliant, they often forget to be compliant themselves! Many regulated industries require that companies use vendors who follow best practices and have proven compliance with certain regulations. A security architect participating in our Security and Information Protection research commented: "Our internal requirements say that anybody who delivers services for us has a SAS 70, yet when we speak with a lot of vendors they do not understand what a SAS 70 is or why it is necessary. They don't have those docs or auditing functions in place. It makes it very difficult for us to purchase a product if they do not have those capabilities in place."
Network admission and endpoint control: waiting for standards
Submitted by Andreas Antonopoulos on Fri, 2007-03-23 10:59.
While enterprises are interested in the concept of endpoint control and admission, they are not committing budget just yet. IT executives are looking at both aspects of endpoint control: admission/access at L2/L3, and policy verification and remediation (is the AV up to date, etc.).
Some companies are implementing "poor man's NAC" by using RADIUS or ACLs to restrict access to known hosts. Such solutions may provide some control but become quite unmanageable in large networks. Others are using their VPN clients to do some basic policy checks on endpoints.
But the vast majority are still waiting for Cisco, Microsoft and others to agree on standards and provide broadly interoperable and mature solutions.
RSA Conference 2007: Is 200 Products Too Many?
Submitted by Andreas Antonopoulos on Wed, 2007-02-14 23:00.
Walking the show floor at RSA last week, I found the perfect metaphor for the state of enterprise security. With 200+ products on the floor, there’s still no holistic solution to the problem of end-to-end security. (I also found out that wearing new shoes to a trade show is not the best of ideas—my feet were aching before I got past the first couple dozen).
Even worse, most of the products didn't even, strictly speaking, qualify as "products"—more like “features”, because each one only tackles a single aspect of security. Tying them all together becomes a daunting task.
Consider what I, as an IT executive, would need to deploy in my enterprise to secure against all these threats:
Are banks limiting online integration with finance software because of new regulations?
Submitted by Andreas Antonopoulos on Fri, 2006-11-03 16:16.
Banks may be dropping support for online direct connections from Money and Quicken while scrambling to comply with new banking regulations. If you are a user of these software applications you may find that you lose features either temporarily or permanently.
In October of 2005 the FFIEC (a bank regulator) issued regulatory "guidance" that pushes banks towards stronger authentication. Authentication appropriate to the risk level is required for transactions involving large sums of money, transfers out of the account, or other transactions that may be the target of hackers. That may mean two-factor or other approaches, but any changes must be made by the end of 2006 (see FAQ).
Want to safeguard your data? Give it to strangers!
Submitted by Andreas Antonopoulos on Mon, 2006-08-21 13:38.
Backup is a huge challenge for small and medium businesses. Tape drives are expensive and to really safeguard data you have to send it offsite. Add to that the risk of information disclosure and backup becomes a real headache. Online storage seems to be the answer, but how do you trust a third party with your data?
Well... you don't: You give them an encrypted copy that only you can read. Better yet, create multiple encrypted copies and spread them around multiple providers ensuring that you can reconstruct the data from a subset of all the copies. A bit like RAID: A redundant array of inexpensive storage providers (RAISP?). Throw some P2P in the mix and you can also include disk space on millions of home computers (or co-worker laptops) in the storage equivalent of SETI@Home.
The New York Times is reporting on ClearSafe, a startup open-source company developing a distributed encrypted P2P storage solution.
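The scheme sketched above (encrypt locally, spread pieces across several providers, reconstruct from a subset) as an added worked example; this is not code from the post or from ClearSafe. It encrypts the backup, appends an integrity tag (encrypt-then-MAC), then applies Shamir k-of-n secret sharing over GF(2^8) to the result so that any k of the n providers suffice to restore and fewer than k learn nothing, and a provider that returns a corrupted piece is caught on restore. The HMAC-SHA256 keystream is a stand-in for a real cipher (a production tool would use an AEAD such as AES-GCM); the master key, payload and provider count are constructed values.

```python
"""Encrypt-then-split backup: any k of n untrusted providers can restore."""
import hashlib
import hmac
import secrets

# ---- GF(2^8) arithmetic, AES reduction polynomial x^8 + x^4 + x^3 + x + 1 ----
def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    # Fermat: a^254 == a^-1 in GF(2^8); a must be non-zero
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

# ---- Shamir k-of-n sharing, applied independently to every byte ----
def split_shares(data: bytes, k: int, n: int):
    """Return n (x, bytes) shares; any k reconstruct `data`, fewer reveal nothing."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    outs = [bytearray() for _ in range(n)]
    for byte in data:
        # degree k-1 polynomial with the secret byte as constant term
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for i, x in enumerate(range(1, n + 1)):
            y = 0
            for c in reversed(coeffs):          # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            outs[i].append(y)
    return [(x, bytes(o)) for x, o in zip(range(1, n + 1), outs)]

def combine_shares(shares, k: int) -> bytes:
    """Lagrange-interpolate the constant term from any k distinct shares."""
    if len(shares) < k:
        raise ValueError("not enough shares")
    shares = shares[:k]
    xs = [x for x, _ in shares]
    if len(set(xs)) != k:
        raise ValueError("duplicate share index")
    # basis coefficients at x=0 depend only on the share indices
    lam = []
    for j, xj in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num = gf_mul(num, xm)        # (0 - xm) == xm in characteristic 2
                den = gf_mul(den, xj ^ xm)   # (xj - xm)
        lam.append(gf_mul(num, gf_inv(den)))
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for (_, y), l in zip(shares, lam):
            acc ^= gf_mul(y[pos], l)
        out.append(acc)
    return bytes(out)

# ---- Encrypt-then-MAC; HMAC-SHA256 keystream stands in for a real cipher ----
def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def backup(plaintext: bytes, master_key: bytes, k: int, n: int):
    """Encrypt, tag, and split into n provider pieces; returns (nonce, shares)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(master_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce, split_shares(ct + tag, k, n)

def restore(nonce: bytes, shares, master_key: bytes, k: int) -> bytes:
    """Recombine any k pieces, verify the tag, then decrypt."""
    blob = combine_shares(shares, k)
    ct, tag = blob[:-32], blob[-32:]
    expect = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: a share is corrupted or the key is wrong")
    return _keystream_xor(_subkey(master_key, b"enc"), nonce, ct)

if __name__ == "__main__":
    key = b"constructed-master-key-32-bytes!"          # constructed sample key
    nonce, pieces = backup(b"constructed ledger payload", key, k=3, n=5)
    print(restore(nonce, [pieces[0], pieces[2], pieces[4]], key, k=3))
```

Each share here is as large as the ciphertext, so this trades storage for the threshold property (fewer than k providers colluding learn nothing even without the encryption). If the providers are only untrusted for confidentiality and availability, an erasure code over the ciphertext gives the same k-of-n restore at a fraction of the storage, with the encryption alone carrying the secrecy.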
