Copyright © 2002 John Zipperer unless indicated otherwise.
(04/01/02) In the fantastic Discworld novels by British writer Terry Pratchett, the wise old witch Granny Weatherwax often avoids using magic by relying on what she calls "headology," that is, by matching her actions with the expectations of other people, no matter how unrealistic they may be. It works pretty well for Granny Weatherwax, so why not for Internet identity? That's what some of Pratchett's fellow Britons at London-based Bluewave think, and they're hoping to bring headology to the practice of digital signatures.
Bluewave develops secure solutions, particularly based on PKI. Its philosophy is to examine the user interface and develop solutions that meet the user's expectations. With digital signatures, Bluewave thinks there is a danger in the cavalier attitude people have developed toward online transactions. We breeze through our Amazon.com checkout and we wouldn't seriously think of reading the disclaimers on a membership site.
That's not good, considering the legal standing of those words. After all, we typically at least skim a contract before physically signing it, but we're letting the ease-of-use of the Internet lull us into a sense of complacency that can be particularly bad when those digital signatures are on supplier contracts or order verifications.
"There's a danger that people are going to be entering into transactions without understanding the full implications," says Daniel Seaman, account director at Bluewave. So his company worked with psychologists from Cambridge University to study how changes in the user interface reinforce the gravity of the actions being performed. Bluewave heard from its Cambridge psychologists that they need to associate online transactional actions with real-world activity. "You get into a tunnel mindset when you're using your computer, and you're not recognizing that it's connected to real-world contact. You need to bring it back to reality, in effect." So instead of having a button that says "OK" or adding an "Are You Sure?!?" button, Bluewave is creating options that are more interactive.
One example is requiring users to click on a blinking square, then click on another square before completing the transaction. The intention is to give users time to contemplate the importance of their actions.
Another option has the user drag an image across the screen; the system then tells them that the transaction is locked and will complete after a set period of time. This idea was inspired by a less-august source than intellectual Cambridge: its roots are an Australian euthanasia machine, basically a laptop computer connected to a syringe. It took users through a series of questions to make sure they understood the consequences of their actions, and it had a countdown before completion. "We sort of borrowed that idea," says Seaman. "It's making the user actually comprehend the transaction and what's happening." Bluewave therefore includes an escape button if you want to, er, kill the transaction before it completes.
Another option makes users follow a series of numbers before they can click to complete the transaction. And there's an option that includes a pop-up box, asking questions about where they are located, to try to take them out of their tunnel vision.
Bluewave is approaching UK banks and the shipping industry, looking for partners that want to implement these ideas. I think B2B is more viable than consumer models. Consumers tend to want one-click type of ability for relatively minor transactions anyway. Also, B2C companies are wary of any delay that can lead to massive abandonment of purchases. So Bluewave may have more traction with B2B transactions, which tend to be much larger and have more necks on the line.
If Bluewave is successful, it could help digital signatures become a widespread tool that is not only secure and trustworthy, but is also recognized as such by parties on both sides. It's a use of headology at which even Granny Weatherwax would have to smile.
(04/01/02) A visit to an Equinix Network Connection Center is an opportunity to see the Internet itself; usually depicted in illustrations as an amorphous cloud, here you can reach up and touch the transparent pipes through which run the lines connecting backbone carriers, content providers, Internet service providers, and soon major enterprises as well. They come to an Equinix center, called an Internet Business Exchange or IBX, to connect their networks together, saving peering headaches and long transit infrastructure between each other by building a line into a neutral location where they connect directly.
As you would expect, an IBX is a place where security is ever-present, and even though Internet World's tour guide, Equinix CTO and cofounder Jay Adelson, is quick with one-liners, it is also clear that the security system here is comprehensive and nonnegotiable.
That is evident from the outside of the Kevlar-encased building itself, which bears no name or other indication of its contents. There are handprint biometric scanners at every doorway. In fact, there are five layers of these biometrics before one can get into the cages where the routers and servers are situated. In addition, visitors must negotiate cameras and human security staff and obstacles such as a series of interlocked doors. The first door shuts completely before the next can be opened. While we're standing in a vaguely Star Trek-ish hallway between two sets of closed security doors, Adelson quips, "This is where we release the poison gas and replace you with an android."
It isn't that dramatic in practice, but Equinix has clearly thought through not only how a sound security regime would work but how it might fail and need multiple backups and other safeguards. When Internet World notes the gap between the top of the cage and the ceiling and suggests one might climb over the cage instead of going through yet another layer of biometrics, Adelson smiles: "Try it. [WorldCom's] Vint Cerf [co-designer of the TCP/IP protocol] tried it when we gave him a tour of this place. He didn't get over it." The barriers aren't all limited to the ones you can see.
Equinix is a good illustration of what is happening to the security environment in enterprises around the world. They are moving from a paradigm of just defending themselves from break-ins and mischievous employees to one in which partners and suppliers and some customers have varying levels of access directly into their systems. To take advantage of collaboration with these business partners, IT departments are faced with the task of deciding what type of protections to give their systems and how they can prevent their partners from compromising each other through the collaborative system.
The Scale of the Problem
The need for an integrated point of view is becoming strongest right as the number of items and players being integrated is expanding rapidly. "I understand why people are doing that, why people are connecting and burrowing into pieces of each other's networks, because it used to be that your network was where you held the information important to you, and you had a very narrow pipe for getting information to another company," says Mark Epstein, CTO and cofounder of Ponte Communications, a network-device security company. "People want to be able to set up partnerships quickly and tear them down quickly."
Trust and scale are two big issues of this new paradigm. Brian Anderson, chief marketing officer for Access360, which focuses on provisioning access, says he knows of a company that has 4,500 business partners and 80,000 individuals with access into its systems for collaboration. "What they do is make 4,500 phone calls twice a year to make sure those 80,000 people are still there," he says. "That's just not viable. The reality of B2B collaboration is that it's all about people and resources."
Can companies manage 80,000 individuals? The problem is broader than that. Anderson tells of a software company that signs a typical business-to-business contract with an analyst firm. The research firm grants a limited number of generic passwords to contract workers for access behind its firewall. When that contractor leaves, he still has the unchanging generic password.
"He has valid access for invalid reasons, and that's the fundamental flaw in B2B relations and what you have to fear," Anderson says. With authorization systems offered by Access360, Waveset Technologies Inc., and others, the technology is available to automate these otherwise overwhelmingly complex tasks.
The response is part technology and part organization. Greg Gilliom, vice president of engineering at Internet Security Systems, thinks companies realize that the security products they are using simply aren't good enough to counter today's threats. The challenges between a supplier and a buyer are extensive.
"A cool way for us to exchange information instead of running couriers back and forth with zip drives is just to do a secure connection between us," says Chris Roeckl, director of product marketing for Netscreen, which does firewall, VPN, and traffic-management solutions. "That's the way everyone is going. We all say, 'That's cool,' but the IT guy goes, 'No way.' There are so many issues in connecting our two networks that this is a real trust issue."
Dealing with those issues means addressing every layer of technology in your organization, from the desktop to the host to the Web server. Therefore, companies that successfully handle security will resemble Equinix's IBX, with in-depth protection everywhere, in forms large and small, visible and invisible.
Fingers in the Dike
"Whenever you outsource something in the financial services area, those outsourcing companies have to go through rigid security certifications," Hagmann says. Healthcare is another industry that has been forced to meet high standards, in the form of the privacy rules drawn up to support the Health Insurance Portability and Accountability Act.
Perhaps the most common way to respond to the loss of distinction between inside and outside is by deploying extranets to Web-enable applications to partners. John Summers, director of product strategy at network-services provider Genuity, says that works for a well-defined class of partners, such as communities that trade a certain kind of widget, where "the kind of things each partner can do when they log in is pretty consistent. But if you're a big PC manufacturer and you're trying to provide an extranet to your distributors and suppliers to come in and have access, the range of things they want to do is so large that what you really want to do at that point is set up a big DMZ and set up the servers there and let them do stuff right on the servers. It opens up a can of worms. If you can stay in the HTTP world, it makes things pretty simple, with a single protocol. When you start developing a richer extranet experience, which you've got to do to automate more processes, you have to be cognizant that you're trying to interconnect, say, 30 or 40 legally independent entities. You can't do it on the assumption of trust; you have to take commercially reasonable efforts to secure the infrastructure."
Companies can put firewalls between the DMZ and their systems to protect them. But what about the person who has access to do legitimate business but has to be stopped from compromising the other partners? Summers urges use of authentication in the DMZ, as well as strong authorization control, so the person in the system is limited to doing specific things, with the rules configured for both inbound and outbound traffic to prevent users from coming in, bouncing off your servers, and going into another user. He says DMZ design is important, with no back doors between the DMZ location and the people back on the LAN who maintain the network.
"There was one really bad situation I know of where the IT guys were overworked," Summers says, "so they set up a backdoor where they didn't have to go through the firewall and log in twice. The network got penetrated that way."
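The DMZ design rules Summers describes (partners reach only the DMZ servers, nothing in the DMZ initiates connections back into the LAN, and one partner cannot bounce off a DMZ server into another partner) can be checked mechanically against a firewall policy. The following is an added example, not code from the article, Genuity, or any product it mentions: a small zone-based policy model with first-match semantics and default deny, plus an audit that probes the three invariants. The zone names, ports, and both sample policies are constructed; the "weak" policy includes the kind of shortcut the anecdote above describes.

```python
"""Audit a zone-based firewall policy against three DMZ design invariants.
Constructed example: zone names, ports and rules are assumptions."""
from dataclasses import dataclass

ANY = "*"  # wildcard for source, destination or port


@dataclass(frozen=True)
class Rule:
    src: str       # zone that initiates the connection
    dst: str       # zone that accepts it
    port: object   # destination TCP port (int) or ANY
    action: str    # "allow" or "deny"


def matches(rule, src, dst, port):
    return (rule.src in (src, ANY) and rule.dst in (dst, ANY)
            and rule.port in (port, ANY))


def decide(policy, src, dst, port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in policy:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"


PARTNERS = ("partner_a", "partner_b")  # constructed partner zones
PROBE_UNLISTED_PORT = 65000            # constructed port that no rule names, to exercise ANY rules


def probe_ports(policy):
    """Every concrete port in the policy plus one unlisted port."""
    return sorted({r.port for r in policy if r.port != ANY} | {PROBE_UNLISTED_PORT})


def audit(policy):
    """Return a list of invariant violations; an empty list means the policy passes."""
    findings = []
    for p in probe_ports(policy):
        # 1. No back door: a DMZ host must never open a connection into the LAN.
        if decide(policy, "dmz", "lan", p) == "allow":
            findings.append(f"back door: dmz -> lan port {p}")
        # 2. Partners never talk to each other directly through the firewall.
        for a in PARTNERS:
            for b in PARTNERS:
                if a != b and decide(policy, a, b, p) == "allow":
                    findings.append(f"partner-to-partner: {a} -> {b} port {p}")
        # 3. No bounce: a DMZ server must not initiate connections to any partner,
        #    otherwise a session from one partner can be used to reach another.
        for b in PARTNERS:
            if decide(policy, "dmz", b, p) == "allow":
                findings.append(f"bounce path: dmz -> {b} port {p}")
    return findings


# Constructed policy with two shortcuts: a DMZ -> LAN hole for admins and open egress.
WEAK_POLICY = [
    Rule("partner_a", "dmz", 443, "allow"),
    Rule("partner_b", "dmz", 443, "allow"),
    Rule("lan", "dmz", 22, "allow"),    # admins manage servers from the LAN
    Rule("dmz", "lan", 22, "allow"),    # the shortcut: servers may reach back into the LAN
    Rule("dmz", ANY, ANY, "allow"),     # unrestricted egress from the DMZ
]

# Constructed corrected policy: same business access, explicit denies for the DMZ.
HARDENED_POLICY = [
    Rule("partner_a", "dmz", 443, "allow"),
    Rule("partner_b", "dmz", 443, "allow"),
    Rule("lan", "dmz", 22, "allow"),
    Rule("dmz", "lan", ANY, "deny"),    # management flows go LAN -> DMZ only
    Rule("dmz", ANY, ANY, "deny"),      # DMZ hosts never initiate outbound connections
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy) or "passes")
```

The audit probes every port named in the policy plus one unlisted port, so a wildcard rule cannot hide from it. The hardened policy's explicit denies are redundant under default deny but document the intent, which matters when someone later appends an allow rule at the end.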
A visit to any security trade show will demonstrate that there are plenty of companies seeking to exploit the need for authentication solutions, whether based on PKI or not. [See "PKI Promises Security and Solid Identification," December 2001, p. 30.] Jothy Rosenberg, CTO of GeoTrust, an Internet security and identity company, says people can get sound authentication without big PKI infrastructure investments. His company offers an outsourced solution that includes interfacing between GeoTrust and a security administrator inside the customer, to ensure secure issuance of digital certificates.
"The goal is to get back to the identity of the person," Rosenberg says. "You'd love to get to biometrics eventually. It's something that you know, a shared secret, and something that you have, a smart card. The ultimate is something that you are, an iris scan or thumb print. We're trying to move people from something that you know to something that you have. Someday, laptops will have built-in thumb scanners or iris readers."
If Rosenberg is right, that would be a significant increase in the ability to trust the identity of the user. But there are other worries for enterprise security officers. So many of the expensive virus and worm problems companies experienced last year would have been avoided if they had installed the patches for their software.
"The pinnacle of protection would be to do a vulnerability scan that will tell you every patch you are missing on servers, hubs, routers, switches, on everything you have," says Charlie Young, director of security management at Unisys. "Then you have this shopping list of every patch you need to get. The reason Nimda and Code Red and all the others were so successful is because they were exploiting problems that have been known for years." Companies can have thousands of servers, "and if Microsoft comes out with one patch a week, and it takes half an hour to install the patch, you have 60 people applying patches all the time in a place the size of Unisys."
The future may include some sort of automatic patching served up directly from the anti-virus vendor. Dan Nadir, director of protection solutions at ISS, says it could work with individuals and small companies but not large ones, which have many more servers and applications that may conflict with the patch. Another solution is to outsource the patching, letting someone else keep everything updated and in compliance with the applications.
That is the challenge Young faces at Unisys. Unisys works jointly on some partnerships, sharing information back and forth through extranets and other means. Young gives those outsiders only very specific access rights.
"Let me paint a worst-case example," Young says. "Someone comes in, and there's something piggybacking on their workstation; they've been infected, say, with the next Nimda worm. By virtue of them coming inside, just like if an employee came in, that worm can then affect Unisys. What we can do is have firewalls, have anti-virus established for all the e-mail and all the servers, and have intrusion-detection applications on all the servers." Step it up another level to host-based intrusion detection, which looks for hacking attempts in process. Just having network-based intrusion detection might not suffice if the worm or hacking attempt comes through a VPN connection that is encrypted and therefore can't be read by the detection software.
So we're back to putting security on every point of the network. "There's no way around it," Summers says. "Good security is layered security." That means security on all devices and servers and appropriate applications but controlled centrally.
Al Potter, network security lab manager at TruSecure Corp.'s ICSA Labs division, which does security product certification, describes in-depth defense. "For anti-virus, you block .exe attachments at the gateway. That's one layer. Second, you might have an anti-virus scanning layer at the gateway, so any threat that gets through still gets scanned. The third layer is anti-virus software on the desktop," he says. "Consider a typical company that has formal office workers and a small development operation, a large population of mainstream computer users and a few off the deep end using special stuff like development software. In an environment like that, it's often difficult to get anti-virus software on every desktop. It may conflict, legitimately. And it's challenging to keep every version of anti-virus software current. Suppose I have 1,000 desktops, and a virus gets loose on one of them; it's a situation. It's harder for me to keep all 1,000 of them working correctly and current than it is for me to keep one or two gateways current and running."
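Potter's first two layers both live at the mail gateway, and the added example below shows how they fit together in code. It is not from the article, TruSecure or ICSA Labs: layer 1 refuses executables by extension and, because a renamed file keeps its content, by the PE header, looking inside zip archives as well; layer 2 scans whatever survives against a signature list. The blocked-suffix list beyond .exe, the size cap, the signature list (which uses the standard EICAR test pattern) and the sample messages are all constructed assumptions.

```python
"""Two gateway layers: block executables (by name, by content, inside zips),
then signature-scan what remains. Constructed example."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy

# Layer 1 configuration. The passage names .exe; the other suffixes are an
# assumption covering further Windows executable types.
BLOCKED_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
PE_MAGIC = b"MZ"                 # first two bytes of every Windows PE executable
MAX_ARCHIVE_DEPTH = 2            # how deep to look inside nested zip archives
MAX_MEMBER_BYTES = 20_000_000    # constructed cap so a zip bomb cannot exhaust the gateway

# Layer 2 configuration: a constructed signature list. The EICAR string is the
# harmless test pattern that production scanners are expected to detect.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}


def normalized_name(filename):
    """Lower-case and strip trailing dots/spaces, which Windows ignores when opening a file."""
    return (filename or "").rstrip(" .").lower()


def blocked_by_name(filename):
    return normalized_name(filename).endswith(BLOCKED_SUFFIXES)


def blocked_by_content(data):
    return data[:2] == PE_MAGIC


def signature_hits(data):
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def inspect_attachment(filename, data, depth=0):
    """Return ("block", reason) or ("allow", reason); layer 1 runs before layer 2."""
    name = filename or "<unnamed>"
    if blocked_by_name(name):
        return "block", f"{name}: executable extension"
    if blocked_by_content(data):
        return "block", f"{name}: PE header despite a benign name"
    if depth < MAX_ARCHIVE_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                if member.file_size > MAX_MEMBER_BYTES:
                    return "block", f"{name}: member {member.filename} too large to inspect"
                verdict, reason = inspect_attachment(member.filename, archive.read(member), depth + 1)
                if verdict == "block":
                    return "block", f"{name} contains {reason}"
    hits = signature_hits(data)
    if hits:
        return "block", f"{name}: signature match {', '.join(hits)}"
    return "allow", f"{name}: clean"


def gateway_verdict(raw_message):
    """Inspect every attachment of a raw message; a single block blocks the whole message."""
    message = message_from_bytes(raw_message, policy=default_policy)
    findings = [inspect_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
                for part in message.iter_attachments()]
    overall = "block" if any(v == "block" for v, _ in findings) else "allow"
    return overall, findings


def build_sample_message(attachments):
    """Constructed test message carrying the given (filename, bytes) attachments."""
    message = EmailMessage()
    message["From"] = "partner@example.com"
    message["To"] = "staff@example.com"
    message["Subject"] = "constructed sample"
    message.set_content("See attached.")
    for filename, data in attachments:
        message.add_attachment(data, maintype="application", subtype="octet-stream",
                               filename=filename)
    return message.as_bytes()


def make_zip(entries):
    """Constructed in-memory zip archive from (name, bytes) pairs."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, data in entries:
            archive.writestr(name, data)
    return buffer.getvalue()


if __name__ == "__main__":
    sample = build_sample_message([
        ("quarterly.pdf", b"%PDF-1.4 constructed"),
        ("invoice.txt.exe", b"MZ\x90\x00 constructed stub"),
        ("tools.zip", make_zip([("setup.exe", b"MZ constructed")])),
        ("eicar.txt", EICAR),
    ])
    print(gateway_verdict(sample))
```

The extension check deliberately runs on the normalized name, so `invoice.exe.` and `INVOICE.EXE` are caught, and the content check catches an executable that was renamed to `.txt`. The gateway returns one verdict per attachment as well as the overall decision, which is what you want to log for the desktop layer to cross-check later.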
There is an oft-noted tradeoff between individual control and central control. The Burlington Northern Santa Fe Railway centralizes the access for its e-commerce application. It created an application to handle the security of its Web applications, "but that doesn't give us the ability for delegated administration," says Sherry Haniman, Burlington's manager of enterprise security. So the company uses technology from Waveset Technologies to define roles. It shifts responsibility to the customers and lets them manage access into the systems by their employees. "They're going to be the ones in the best position to know who should have access," adds Rick Perry, Burlington's director of enterprise operations and security.
But the overall administration is still in the hands of Burlington, and the customers have enough power to affect only the things the railroad wants them to affect. "We'd be able to say the contact we have at a customer would have the ability to create accounts on our system that would have access to specific parts of our system," Haniman says.
"Look at a bank; these guys have got crypto all over the place: databases, the Web servers, the network," he says, pointing to the many people employed just to keep the systems running. "Do you really want to entrust those guys with the encryption keys? Folks who are managing the boxes need to focus on keeping the boxes running; they don't need to know the magic in the boxes. The person who needs to know the secrets is really the risk manager or the head of security. You don't want that widely managed across the company. Restrict the number of people in the company who know how that works."
And the Problems Multiply
Verity is a company that focuses on information searches, offering real-time checking of authorization each time a user does a search. But with data being connected and made widely available in ways not intended when it was created, a potential problem is people coming across information they aren't supposed to have. Prabhakar Raghavan, Verity's chief technology officer, says the information security is pretty good, but there is a problem whose mathematics haven't been worked out: How do you control what people are able to infer from the information they can't access? From what they aren't able to find, or what is blocked from them? That line of thought brings you up against the realization that there is always another challenge.
"There's no single technology or service that will solve all of your problems. Eternal vigilance is the mantra," Young says. "It's defense-in-depth."
Talking to enterprise-security and IT folks about the technological challenges that result from connected companies brings forth comments such as "that scares me" and "we've been struggling with that." But ensuring data security in the world of connected business is going to require a lot more than just technical knowledge. It will take some old-fashioned negotiating abilities, too. That is because liability is lying around like an old cat just waiting for someone to step on its tail.
With the legal groundwork evolving for electronic business liability, you may find yourself in trouble if you haven't deployed available security technology that could have prevented someone from subsequently using your system to launch attacks against others. "Once the technology makes itself available, that's when all the legal implications start coming in and the insurance companies become involved," says Keith Waldorf, CTO of network security company Captus Networks.
One of the first places to head off problems is before you even hire an employee or contractor. Eric Boden, president and CEO of pre-employment screening company HireRight, says many more of his high-tech clients now use his company to perform background checks for potential employees. The reason is obvious: He says the companies can be held accountable if they don't do appropriate due diligence when hiring someone who, say, goes on to commit an act of violence, with average awards of more than $1 million. What if the crime they commit is an electronic one against one of your partners or suppliers?
Another thing companies can do is go over their data-security policies with fine-toothed combs. And then, make sure that everyone who connects into their systems has a security policy that is at least as tough.
Consider Equinix. The large players the company works with in its IBX centers already have security policies; they need to ensure that Equinix won't present a weak spot in their networks. Therefore, the company had to build its centers' security systems to the highest common denominator to meet the specifications for all its carriers, Internet service providers, and other customers.
Charles Schwab gave Equinix CTO Jay Adelson a thick packet of security specifications it needed to meet. Although Equinix isn't a managed service provider, it plays a similar role in ensuring a high standard for its customers.
John Summers, product strategy director at Genuity, suggests that MSPs can step in when, for example, a tire manufacturer needs to have a presence on the extranets of the auto makers. "Ford has its security policy, and GM has its, and Chrysler has its, and I have mine. How do we agree on a security policy?" he says. "When the end point of a VPN breaks, who fixes it? And my inbound/outbound rules have to match theirs. Do they trust me to keep mine right? Do I trust them?"
You need to be firm with connected customers, partners, and suppliers. Your security is their security. Smaller companies may not have security policies, but you still need to connect to them. So you, the Big Company, need to have a security policy that includes an audit of the Little Company's policy to make sure it does everything correctly.
(03/28/02) There are two major ways to launch a product. The first, with which we're all well aware after the late 1990s, is to discover a new market (or redefine an existing market and pretend you've discovered it). The second is to go after an existing market with a product that is somehow superior to the products already being offered. This latter idea is a popular choice in the security realm, as it's difficult to discover a new market or redefine this established, high-profile area, but innovators can seek to improve on products that, if you listen to some industry participants, have left users feeling disappointed and frustrated.
Rebecca Bace, president and CEO of network security consultancy Infidel, Inc., is a veteran of intrusion detection systems, having worked at the National Security Agency (where she led the Computer Misuse and Anomaly Detection Research program in the early 1990s). She says businesses are frustrated with the quality of intrusion-detection systems. "They're really fed up with what they consider immature engineering processes," she tells Security Matters. Their problems lie in two general areas: manageability and reliability. "People are really tired of, in order to deal with a class of threat, having to go out and buy a different product line and management engine."
False positives are such a big problem that "they believe that that represents a noise floor and things that they really want to get detected are being buried,"
His company released version 2.1 of its Peakflow DoS product this month, which looks for network intrusion not through signatures but by anomaly tracking: it flags traffic that deviates from the norm. For her part, Bace also serves as a technical advisor to IntruVert Networks, which is releasing its own products to market that the company's leaders say will bring signature detection, anomaly detection, and intrusion detection to a whole new level.
The idea of IntruVert gained traction after the highly publicized DoS attacks on CNN, Yahoo, and other major sites a while ago. "It became more urgent at that time from a commercial point of view," says Parveen Jain, IntruVert's president and CEO. He says those first-generation IDS products did their job in at least laying a foundation for the industry and making businesses aware of the need for a solution. But he says he is now offering a "disruptive technology" that will change that marketplace, changing the way people do their security. "We looked at the products at that stage, and they were all old-style products. When we talked to the customers, their major pain points were flexibility, scalability, and manageability. But the biggest thing was the ability to monitor it all." Jain's company's approach therefore is to focus on such issues as accuracy (to deal with the false-positives problem), flexibility of deployment, and manageability.
Bace says that past security product failures have been because the technical talent has not been brought together with the business sense. Because of so much attention directed at and so many dollars flowing to the security market, "what's happened is that you have a lot of people who have marched into the intrusion-detection market, coming from very different perspectives," she says. "Precious few have come from an academic, rigorous background, like the IntruVert team."
That might be overselling it a bit. IntruVert's leaders do have an impressive background: Jain holds a Ph.D. as well as a history of executive positions in industries ranging from fiber optics networking to data mining to ASPs. Other senior staffers and board members litter their biographies with degrees from Dartmouth, the London School of Economics, Stanford, and more. But if you look at the bios of leaders from most high-tech companies, you'll find much the same. (A quick peek at Arbor Networks' executive biographies uncovers Ph.D.'s aplenty, for example, as well as real-world business experience.)
One of the best reasons to keep your eyes on IntruVert is because its leadership has taken the time to familiarize itself with these unsatisfied customers out there, as well as to draw on the expertise of intrusion-detection industry experts such as Rebecca Bace. It's taking its cues from what those customers want, and is getting valuable advice that the experts might only otherwise share in private side-room discussions at tech conferences.
(03/14/02) Unless you've developed a novel way to staff your company with robots, you can't set up comprehensive information security without addressing the human element. And knowing who you have inside the walls of the corporation, whether those walls are actual or virtual, is only going to get more important, because of the technological move to spread information access and manipulation throughout the enterprise instead of keeping it tightly controlled by departmental or IT gatekeepers.
The best place to make sure you've got honest folks in your seats is when they first try to enter: at the hiring phase. "Over 30 percent of resumes contain serious misrepresentations if not outright fraud," says Eric Boden, president and CEO of HireRight Inc., a background-check firm. He says typical lies concern falsifying degrees received or exaggerating education levels achieved. More serious falsehoods could concern concealment of criminal backgrounds or representation on a list banning doing business with the federal government.
Boden recommends that companies develop a nondiscriminatory policy for background screening. "You can't say 'I'm just going to background screen a person of a certain ethnicity,' for example," he says. "You want to develop a policy around a type of position. It doesn't make sense to do a credit check on someone who doesn't have access to any financial type of systems. You wouldn't do a credit check for a dishwasher, but it would be very appropriate for an accounting employee."
Legal liability is one area that's fueling a need for vetting applicants. Boden says companies could be held negligent if they do not do appropriate due diligence when hiring someone who goes on to commit an act of violence, with average awards of more than $1 million. But it may not be too late to correct past lapses; he says companies can do retroactive background checks, if they comply with Fair Credit Reporting Act rules by getting permission of the employees.
Screening temporary and permanent employees would be a start, but companies concerned about letting in someone who could compromise their corporate information security may also want to require their contractors and consultants to undergo background screening before being given physical or digital access to their company. (See the April issue of Internet World magazine for a cover story on security concerns companies face as they interconnect.) It may sound like an extra hoop to jump through for the company that is doing the hiring, but they have to worry about the employees working for their connected partners and suppliers, and they also have to worry about their own employees possibly doing damage to one of those partners or suppliers. So it's not surprising that one of Boden's customers did 25,000 background checks in the year 2000, and he says a number of his customers do 10,000 a year.
HireRight uses traditional methods such as checking local, state, and federal databases for information, as well as sending "court runners" to check public courthouse records. But these court runners no longer need to take three days to return information; now they can use HireRight's Palm wireless application to punch in their information while they're at the courthouse.
(03/13/02) Looking to make storage outsourcing and access over IP quicker and cheaper, Genuity recently announced its Black Rocket Storage suite of solutions. The suite's components include Remote Data Replication, On-Demand Capacity, Remote Site Failover, and Hosted Storage. But it's the replication of remote data that is the offering's biggest feature, in the eyes of Genuity.
That is not surprising, considering the prominence of business-continuity these days, and that is exactly the problem that customers were raising in discussions with Genuity. Paul Keresey, Genuity's director of product management for storage and edge services, tells Storage Matters that IT managers who were trying to build data-protection plans for disasters wanted data protection and a level of recovery that would keep them in business. "When you get into the territory of a terabyte of data, tape technology just isn't fast enough," he says. "One of the key features of Black Rocket Storage is a set of products for remote data replication."
The remote replication feature uses standard IP (Internet protocol) and standard pre-built storage technology from EMC. Keresey says that makes it possible to offer the solution cheaply and in a rapid-deployment mode. "The only incremental work is setting up the customer's side and getting them hooked into our backbone," he says. "A customer can basically buy a service that's about 75 percent up and running."
The information storage and mirroring features for the Remote Data Replication Service are based on EMC's Symmetrix Enterprise Storage Systems and SRDF business-continuity software. Symmetrix is EMC's flagship product line, and it does all of the SRDF mirroring on a sub-system level. "What we're hearing from customers is that business continuance and securing their information is one of their biggest priorities," says Rick Lacroix, a spokesperson for EMC. "Depending on the type of information that you're looking to protect, there are certain levels of protection you can offer. This one mirroring over IP is one that makes sure your information is always there instantly."
Other features include on-demand capacity for rapid scale-up for event-driven traffic increases, remote-site failover to handle planned or unplanned downtimes, and hosted storage. It can be run over a VPN for security, or can use encryption technology. "We can make this to whatever level of security matches their expectations," says Keresey.
Where is Genuity headed with all of this? "The end vision is to become a storage-transport company," says Keresey. "We believe every company has a business-continuity issue. They have to protect their data; they have to move their data," and they have to have a way to get it back with a reasonable ROI. The traditional approach for them may have been to use a service provider that takes over the entire project for you. Genuity is targeting the IT manager who wants to do it one step at a time and retain more control over the process. That will mean positioning Genuity's backbone for storage provision, and building "the data-center services that are ancillary to that hosted storage, Symmetrix units, or site-failover products, content-distribution-type products that all can be mixed and matched together, so the IT manager can come up with the right solution," says Keresey.