By now, you have likely heard about the latest massive breach over at Adobe. Besides the source code for Acrobat and ColdFusion, something like 3 million accounts were breached as well. The good news is that the credit card numbers for many of the account holders were encrypted. The bad news is that they were only encrypted: encryption is reversible, and whoever holds the stolen data needs only the key to read the numbers. It is probably just a matter of time on that front.
But forget credit card numbers for a second. The fact is that Adobe has suffered yet another breach. Millions of accounts were compromised. If you use the same password on other sites that you use for Adobe, those accounts are now in danger. Once again, the source code to their products is in attackers' hands, giving them a head start in hunting for new bugs. Flash and Acrobat are already two of the leading sources of vulnerabilities and causes of breaches.
Do you get the picture or do we have to Photoshop it for you? Adobe has some serious security concerns. But I am afraid it gets worse. Last May or so, Adobe announced a fundamental shift in its business model. Like Microsoft and others, Adobe wanted to move from the traditional software model to a Software-as-a-Service subscription model. Instead of buying software for a lot of money, with the clock ticking on its obsolescence from the day you buy it, they would instead "rent" you the software for a monthly fee. Under this SaaS model you always have up-to-date versions of the software, you don't lay out big money up front, and Adobe sees a steady, hopefully growing monthly revenue stream. Sounds great.
The problem here is that a basic tenet of this model is the ability to do recurring billing on a monthly or otherwise regular basis, which means the vendor has to store your payment information. Imagine if you had to log in every month and re-enter your payment details. Well, you probably don't have to imagine; I have several regular monthly bills where I have to do exactly that. But for a software vendor like Adobe moving to a SaaS model, the question becomes: if I can't trust you to store my information securely, heck, if you can't even keep your own source code safe, how can I justify using you as a vendor?
Ultimately, this is the problem. It is a very difficult proposition for a vendor, even one as well-known as Adobe, to move to a subscription SaaS model if customers can't trust the company to keep their information safe. While it is true that consumers generally have short memories, recurring breaches will shake the confidence of even the most diehard supporter. Hey, we would all love a business where all of our customers send us money every month forever. But the logistics of doing that at scale demand that the vendor secure the information it holds.
So what does Adobe do now? In my opinion, it's off to a good start by being as transparent as it has been regarding this matter, even acknowledging the contributions of my friend Brian Krebs and Alex Holden in discovering this breach. But that will only go so far.
What I would like to see Adobe do is something akin to what Microsoft did years ago in launching the Trustworthy Computing initiative. Even if it means delaying new software releases, Adobe must go back to square one and see to it that security is built into everything they do: from eliminating vulnerabilities in their code (to the extent humanly possible) to instituting better security processes and procedures for storing customers' confidential data.
It can't be just a PR stunt, either. It has to be nothing less than a fundamental rethinking and re-engineering of how they operate and the value they place on security. Until they do, I for one cannot trust them as a SaaS vendor to keep any of my confidential data, and I'm sure I'm not alone.