http://www.amcity.com/twincities/stories/1999/02/08/focus1.html

Minneapolis/St. Paul CityBusiness
February 8, 1999

Security just got tighter

Henry Breimhurst
Staff Reporter

Computer security used to focus on the network; today it gets down to the desktop and disk

While in a waiting area in the Los Angeles airport, a local executive felt the need to powder his nose. So he got up and headed off for the restroom -- leaving his laptop computer open and running on the waiting-area seat. When he returned, the laptop -- and all of its confidential, unprotected files -- were gone.

Such incidents are the stuff of nightmares for Darlene Tester, manager of the security-risk management group at Minneapolis-based Net Access. Tester was working at the time for the executive's company, and feared that a major security breach had just occurred.

Fortunately, Tester said, the story ended as happily as it could have when pieces of the dismantled laptop began turning up in the marketplace. The thief had been more interested in the value of the hardware than the documents stored in the computer's memory.

But issues like this underscore an often-underappreciated segment of network security: the individual machines, disks and even files that are the smallest parts of the network. As a result, consultants and manufacturers are coming up with new, more deeply layered security measures than ever before.

Net Access, which does network integration consulting for clients with an eye always towards security, has grown as interest in security has grown.

The situation is analogous to a bank: Even though the front door to the bank is locked, the money is still kept in a vault within the building. With computer networks, the emphasis in the past few years has been on firewalls and security against intruders via the Internet -- locking the front door. But with major security problems possible at the smallest level of the network, there is a resurgent interest in deep security layers.

"I've been in security for 20 years, and it has ebbed and flowed," said Tester. "Fifteen years ago they were more concerned about workstation security, because often they were stand-alone machines. As it developed into LANs, WANs and the Internet, there was more interest in firewalls, but now it's starting to move back to more granularized security."

When consulting with a client on security, Tester said, Net Access often discovers that the largest openings in the network are at the smallest level. Many companies, if not most, do not employ simple security measures such as requiring employees to have their workstations protected by a power-on password (a password needed to turn the machine on); encrypting files and e-mails on the hard drive; or setting up a regular schedule for changing passwords.

"These are forms of security that are pretty cheap," said Tester. Net Access works with its clients to develop and draft such policies, establishing security from the ground up.

(Sometimes the cheapest security is laughably ineffective, however. Tester mentioned the password feature on Windows 95, where a user is asked for a password. But if the user hits "cancel," the password challenge goes away and the user is in free and clear.)

Tester also noted that the need for individualized security is on the rise now because of the increasing mobility of the workforce. An employee might take data that is under the tightest security at work and bring it home on a laptop or disk. Anyone who gets that piece of equipment then gets the data with a minimum of effort. The answer Net Access recommends here is encrypted files, which require passwords and other encryption keys.

Imation Corp. of Oakdale has a solution of its own, the recently released encrypted Superdisk. This is a variant of the high-capacity Superdisk, which is the same size as a normal floppy but holds 120 megabytes of data, compared with 1.44 megabytes on a standard disk.
Superdisk competes with Iomega's Zip and Jaz products for high-capacity storage.

With the new encryption feature, files saved on a Superdisk cannot be accessed without the proper password. The encryption is hardwired into the disk, and will be recognized by any Superdisk drive, eliminating the concern of having compatible encryption on multiple machines.

Such encryption can be used in different ways; in addition to protecting files that are on the move, for example, Imation told of one case in which a personnel director has taken to saving all review files onto an encrypted Superdisk instead of keeping any on the hard drive or the network, where they might be more accessible. The downside is that if the password is lost or forgotten, there isn't a back door into the data.

"Its most obvious use is in areas where there is a high security concern," said Jim Judge, Imation's marketing manager for the Superdisk media. Government, law and financial services have been among the first to make use of the technology, he said.

The mobility issue also played a role in the development of the encrypted Superdisk. One of the areas where Superdisk has had successful penetration is in the laptop market, so coming out with a product that added to the peace of mind of all those laptop users seemed a natural next step, said Judge.

Imation is using 64-bit encryption on its Superdisks, which it claims would take 585,000 years of brute force to crack. While no one has actually confirmed this number empirically as yet, it is notable that the federal government won't allow 64-bit encryption to be shipped out of North America, as it could provide a security advantage to outside interests.

"We pitch the Superdisk first, and then this feature becomes the frosting on the cake," said Judge. "The encoded disks cost more, a premium of $3 per disk more. That's small change compared to the security you get." Superdisks cost between $10 and $15.
Imation is throwing a free encrypted disk in with its multipacks to get people using it.

Superdisk is likely only the beginning for Imation's encryption business. Judge said that there are efforts underway to introduce encryption features into other Imation desktop-storage products.

When it comes to securing files, another Twin Cities company has spent years developing ever-more-foolproof ways to make sure only the right people have access to certain things.

Datakey Inc. of Burnsville offers a security system built around actual physical keys or other so-called "hard tokens" which have the holder's electronic signature on them. This electronic signature, coupled with passwords and other security devices, helps to eliminate any doubt about who is getting access.

"We say that software [security] in most cases is not good enough," said Alan Shuler, vice president and chief financial officer of Datakey. A password does not encrypt, for one thing. Once an intruder gets past it, all the data is free and clear. For another, the physical key makes security breaches easier to detect. "If someone learns my password, I don't know it. The physical possession of the card can tip the holder of security problems."

The card or key can also be programmed to shut down after a set number of failed attempts to guess its password.

Shuler said that the same groups identified by Imation have been the early adopters. In fact, passkey encryption was developed by the military to secure the transmission of data.

Datakey's system involves the key or card (the key is only superficial; the actual unlocking system is based on reading a code, not a mechanical unlocking) and a device that plugs into the computer; the key or card is then inserted into that device. The key has the user's electronic signature, which can be purchased from a number of signature certificate vendors, and that is where some difficulty creeps in. Datakey and other encryption systems use what is called a "public key" system.
When sending an encrypted e-mail, for example, the public key or code will be sent in the clear. The receiver will have a private key that interacts with the public key to decode the message, but only if using the same verification system as the sender.

This incompatibility between the different security vendors has slowed the acceptance of the public key system. Until more people and companies buy electronic signatures, they won't have a need for hard-token systems like Datakey's.

Net Access' Tester said that the different certificate vendors are starting to set some standards for interoperability, which may help encryption become more popular. As it is, different vendors have different standards for selling their certificates. Those used by banks often require a person to physically come in and confirm who they are before being assigned a certificate, while others take orders over the Internet and don't confirm them.

There likely will be some resolution of the certificate issue as companies get more interested in deeper security, always egged on to a certain degree by none other than the security experts themselves.

"We're Chicken Littles with attitudes," said Tester. "The sky is always falling, and that's what makes us money."