Better security through federal nagging

Welcome to Runtime! Today: how far will federal regulators go when urging tech companies to secure their services, SUSE takes the private equity exit ramp, and the quote of the week.

(Was this email forwarded to you? Sign up here to get Runtime each week.)

Shields up (please)

The push to improve software security in the early days of the Biden administration was probably overdue, given how deeply the modern economy depends on enterprise software. That initiative followed the devastating SolarWinds supply-chain hack, and recent events such as the Microsoft Azure AD debacle underscore that much work remains to be done to give federal agencies and enterprise tech customers more tools to defend themselves.

But so far this effort has involved a lot of carrots and few sticks, excluding the requirement that companies looking to do business with the federal government attest to the security of their software (which was delayed because the government hasn't finalized the form yet). This week CISA introduced new guidelines for users of remote monitoring and management software that basically suggests everybody should be talking to each other more often.

• To be fair, RMM software is a juicy target because "cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or managed security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers," as CISA put it.
• But the guidelines are really just two suggestions; one that "encourages collective action" and one that "focuses on educating RMM end-user organizations."
• “This collaboration, if successful, will be highly educative for MSPs," Teresa Rothman of Keeper Security told SiliconAngle.

There's no question that more education and information sharing is needed in cybersecurity, where the people responsible for managing these systems can be reluctant to share details about threats and compromises out of competitive pressures or embarrassment.

• But there's only so far those educational efforts can go given the complexity of modern enterprise software and services and the reality of building software.
• It's one thing to understand the best practices for securing categories of software like RMM, it's quite another to implement them in software development pipelines that are managed against many goals.
• No company wants to become the next SolarWinds, Kaseya, or Progress Software, but security incidents continue to happen because there are conflicting business incentives in any software company.

Still, any attempt by the government to regulate strict security standards in software development would likely be doomed from the start.

• Again, given the complexity of modern enterprise software it would be extremely difficult, if not impossible, to keep up with all the changes in new programming languages, development tools, and networking technologies and decide on The One True Way to build software.
• Any proposed security regulations, even if presented in good faith, would almost certainly be tied up in court for years.
• The SEC has already required that public companies disclose security breaches within four days of discovering a hack that could cost those companies significant money.

The Biden administration deserves credit for taking a closer look at cybersecurity standards and practices, but there might only be so much it can do to enforce software security

• However, thanks to Microsoft, it's clear the government is going to re-examine the "shared responsibility" security model that has governed that relationship between vendors and customers since the earliest days of the cloud.
• While the feds might not be able to tell developers how to code, they might have more success forcing cloud providers to stop charging extra for security features.

A MESSAGE FROM HASHICORP

9 out of 10 companies are wasting money in the cloud. HashiCorp helps cut costs with infrastructure automation and centralized policy. Boost your efficiency and enable cloud success with HashiCorp today.

A private matter

The boom in private equity investment in enterprise tech over the last decade has focused primarily on SaaS companies. Now SUSE, which went public on the German stock market less than two years ago, will become a private company once again.

EQT Partners, which already owned 79% of the company's shares, offered SUSE shareholders €16 per share for the remainder on Thursday. That's well below the IPO price of €30 that accompanied its 2021 public offering, but a 67% premium over where the stock closed Thursday.

SUSE has a lot on its plate this year after vowing to fork Red Hat Enterprise Linux following Red Hat's decision to stop providing a copy of its distribution to clone makers. That effort could require significant investment that public shareholders might not have appreciated, but the reward could be substantial.

Quote of the week

"I think there's a very good discipline with being a publicly managed company." — Redis CEO Rowan Trollope, who won't be offered a job in private equity any time soon.

The Runtime roundup

Meta will court developers with its own version of a LLM-powered coding assistant, according to The Information.

Google announced plans to start BigQuery users for data egress across regions as of September 15th, which is not very far away.

Intel laid off 300 employees working in cloud computing and AI groups in California, CRN reported.

A MESSAGE FROM HASHICORP

HashiCorp enables your business to reduce risk with automated governance and identity-based access helping to ensure that sensitive information doesn't fall into the wrong hands. Learn more about how HashiCorp delivers the security to help reduce risk and scale your cloud operating model today.

Thanks for reading — see you Tuesday!