By now, you have likely heard about the latest massive breach over at Adobe. Besides the source code for Acrobat and ColdFusion, something like 3 million accounts were breached as well. The good news is that the credit card numbers for many of the account holders were encrypted. The bad news is that the credit card numbers for many of the accounts were only encrypted. It is probably just a matter of time on that front.
But forget credit card numbers for a second. The fact is that Adobe has suffered yet another breach. Millions of accounts were compromised. If you use the same password on other sites that you use for Adobe, those accounts are now in danger. Once again, the source code to their products is available. The Flash and Acrobat products are already two of the leading causes of breaches and sources of vulnerabilities.
Do you get the picture or do we have to Photoshop it for you? Adobe has some serious security concerns. But I am afraid it gets worse. Last May or so, Adobe announced a fundamental shift in its business model. Like Microsoft and others, Adobe wanted to move from the traditional software model to a Software-as-a-Service subscription model. Instead of buying software for a lot of money that starts the clock ticking on its obsolescence the day you buy it, they would instead "rent" you the software for a monthly fee. Under this SaaS model you always have up-to-date versions of the software, you don't lay out big money up front and Adobe sees a steady, hopefully growing monthly revenue stream. Sounds great.
The problem here is that a basic tenet of this model is the ability to do recurring billing on a monthly or otherwise regular basis. Imagine if you had to log in every month and re-enter your payment information. Well, you probably don't have to imagine - I know several of my regular monthly bills where I have to do this. However, for a software vendor like Adobe looking to a SaaS model, if I can't trust you to store my information securely, heck if you can't even keep your own source code safe, how can I justify using you as a vendor?
Ultimately, this is the problem. It is a very difficult proposition for a vendor, even one as well-known as Adobe, to move to a subscription SaaS model if customers can't trust the company to keep their information safe. While it is true that, generally, consumers have short memories, recurring breaches will shake the confidence of even the most diehard supporter. Hey, we would all love a business where all of our customers send us money every month forever. But the logistics of doing this at scale demand that the vendor secure that information.
So what does Adobe do now? In my opinion, it's off to a good start by being as transparent as it has been regarding this matter, even acknowledging the contributions of my friend Brian Krebs and Alex Holden in discovering this breach. But that will only go so far.
What I would like to see Adobe do is something akin to what Microsoft did years ago in launching the Trustworthy Computing initiative. Even if it means delaying new software releases, Adobe must go back to square one and see to it that security is built into everything they do, from eliminating vulnerabilities in their code (to the extent humanly possible) to instituting better security processes and procedures for storing customers' confidential data.
It can't be just a PR stunt, either. It has to be nothing less than a fundamental rethinking and re-engineering of how they operate and the value placed on security. Until they do, I for one cannot trust them as a SaaS vendor to keep any of my confidential data, and I'm sure I'm not alone.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.