http://australianit.news.com.au/articles/0,7204,21277579%5E15302%5E%5Enbv%5E,00.html

Karen Dearne, The Australian, February 27, 2007

If you think you've finally secured your enterprise environment, sorry, the game just changed. The internet and anywhere access has turned information technology security on its head, industry heavyweights told this year's RSA Conference in San Francisco.

The idea that you can defend your network perimeter and keep your data in grand isolation, like a king in his castle, is dead. Like a king, data needs to move around and has to be protected wherever it happens to be. The new focus is on managing separate bits of information so each piece is secure and available when needed.

"Let's be honest, the industry has been too self-righteous and smug, intent on chasing the perfect technical solution, instead of trying to address real business needs," RSA Security president Art Coviello says. RSA Security is the recently acquired security division of EMC.

"We've focused on keeping people out, rather than giving them access to expand their supply chains, sales channels and markets," Coviello says. "We've built stronger and higher walls around data, but in a dynamic world information is never static. It won't stay behind those walls."

Security has become more a matter of imposing limits, rather than removing them "and it's time for that to stop", he says.

"We should not be motivated by the threats, but by the opportunities information can bring," he says. "We need to step out of our comfort zones and accelerate new ways of doing business."

In short, the information security industry is ripe for transformation, and Coviello foresees the end of the industry as we know it.

"IDC reports that in 2006 alone, we spent $US38 billion ($48 billion) on IT security, yet only one in five companies actually believes their data is safe," he says. "Clearly our approach is not working.
A change is under way that will bring the standalone products industry to an end in two to three years."

Big technology vendors such as Microsoft, IBM, Oracle, Cisco and EMC are integrating security into their software from the outset. Windows Vista is Microsoft's first release of a product based on its secure design lifecycle. IBM is integrating the Internet Security Systems "pre-emptive" security and real-time intelligence into its enterprise platforms, and Symantec is working with companies such as VeriSign, Accenture, Google, Juniper Networks and Intel.

Microsoft chief Bill Gates says the initial reaction to the internet's anything-can-talk-to-anything capability was to look back.

"The data centre, the glasshouse, was very isolated," Gates says. "So the first idea was to create a boundary, and a perimeter was a reasonable concept."

These days, though, business partners, employees and customers all need access to enterprise systems and data.

"There's no doubt that people want more flexibility," he says. "You have consultants coming into your company, staff who need offsite access. We can't think of the glasshouse, that kind of network topology, any more."

Symantec chairman John Thompson goes a step further, saying people are the new perimeter.

"They are connecting to networks through a variety of devices - laptops, desktops and mobiles - all of which need to be managed and protected," Thompson says. "Today, the battleground for security isn't just the device. It's also about protecting the information that is being shared, and the interactions that are happening online."

And still the torrent of data grows. More information has been created in the first six years of the 21st century than was created since human history began, Coviello says.

"Today, 96 per cent of the world's data is being created digitally and about three-quarters of the rest is generally converted to digital within three months," he says.
IBM Internet Security Systems president and chief executive Thomas Noonan points to the nightmare facing systems administrators.

"Our studies show that the average enterprise deals with more than 32 security vendors," he says. "Security requires a continuous, integrated source of intelligence that can never be realised if we're waiting on vendors to ship patches when our network is under siege every day."

Thompson says there's no going back to a bricks-and-mortar business.

"Think of the cost," he says. "Sending a bill by snail mail costs double what it costs to send electronically. Think about how you shop. Until recently we went to the local market. Today, we buy essentials online. Transactions once done by your employees, from money transfers to subscription renewals, are now done directly by customers connecting to the corporate network."

The lines separating enterprises and consumers have become blurred.

"Confidence is critical to making all of this work," Thompson says. "Decades ago you trusted quality because you could see or test products before paying for them. You had confidence in your bank because odds were the manager sat beside you in church. Now that the whole world is connected, it's much harder to have that degree of confidence."

What is the cost of a lack of trust? Although US consumers spent almost $US22 billion in online shops at Christmas, 26 per cent more than in 2005, another $US2 billion didn't get spent online because people curtailed their shopping as a result of security concerns, according to technology researcher Gartner.

Consumers must be given ways to protect their identity and to gauge the reputation of the sites they visit, Thompson says.

"Enterprises have the responsibility to secure anyone who connects to their networks, especially their customers," he says.
Symantec has unveiled a prototype of its Norton Identity Client that is intended to provide users with one-time-use credit card numbers and other means of interacting with sites without disclosing too much personal information, and consumers will soon be demanding a certain level of security before they're willing to connect, Thompson says.

For many, this won't come soon enough. In 2006, the US Federal Trade Commission received more than 670,000 complaints about consumer fraud and identity theft involving losses of more than $US1.1 billion, according to a report released at the conference.

The Business Software Alliance says losses are even higher. President Robert Holleyman cites a US survey showing an estimated 8.4 million Americans were victims of identity fraud during 2006, resulting in losses of almost $US50 billion.

Holleyman says the BSA is urging Congress to update the US criminal code to allow prosecutions over cyberthreats such as malicious code and zombie networks used to steal identities, spread spyware and attack critical systems.

Meanwhile, common internet nasties are not declining. According to VeriSign, more than 300 new worms and viruses are released every month.

Art Coviello says the trend towards "a security ecosystem" is a response to more serious threats.

"Not long ago, our adversaries mostly wanted to show off," he says. "Today's attacks are completely motivated by profit, and that changes everything.

"Identity fraud, phishing and social engineering are now profitable activities for criminals, foreign spies and those involved in industrial espionage."

Microsoft research chief Craig Mundie says part of the problem of building and administering secure systems is that "humans are human, and they make mistakes. We have to deal with the fact that errors do happen."

As well, the world "is a lot more connected than it ever was". People want constant access to their cellphones, televisions, car systems and all sorts of "smart widgets".
"But the mechanisms that we developed to create security really came from the enterprise environment, where there was formal administration of activities," Mundie says. "Even there we've struggled.

"Now there are not just hundreds of millions of PCs, but billions of phones and other devices. These clearly aren't in an administered world, yet people want to use them to access increasingly sensitive information such as health records.

"It's incumbent on the industry to come up with some strategy to deal with that."

For Microsoft, one starting point is the internet protocol, and the "fantastic capability" of IPsec that is part of the forthcoming IP 6.0.

Bill Gates recalls that "in the bad days of the Slammer virus", a customer wanted to isolate factory floor applications from those used by consultants and engineers.

"There was no way for them to do that. They couldn't use the firewall because the factory floor was not a separate company," Gates says. "They needed an explicit set of access capabilities from the rest of the network into those systems.

"By providing tools that determine who can connect to this machine using this IPsec, we can have this kind of isolation, we can gain this level of access control."

Gates also points to digital rights management tools for flagging sensitive documents or emails and restricting access to authorised personnel. He has embraced encryption: BitLocker locks down information on a laptop so files cannot be read if the laptop is lost or stolen.

Passwords are still the weakest link, and the problem becomes hugely complex when you're trying to provide access for business partners, suppliers and customers.

"We see digital certificates as the way to go for authentication," Gates says. "We're putting out products that will allow enterprises to start the migration from passwords to credentials on smartcards."

Mundie says the CardSpace capability in Vista gives people the opportunity to create their own credentials.
"It should be no more difficult for someone to identify themselves online than it is to produce a credit card or a driver's licence in the real world," he says. "Each credential conveys a certain amount of information, and you can make a rational choice to disclose enough to suit the situation."

Mundie says the connected world will demand more co-operation.

"The new enterprise network has a seamless boundary out to the internet", he says. "Data protection and identity mechanisms obviously require contributions from many in the industry."

Karen Dearne attended RSA Conference 2007 in San Francisco as a guest of RSA Australia.

Home-grown tools for the world

The Brisbane lab of security company RSA is selling products to blue-chip IT companies in the US and Japan for use in mass-market games consoles, cameras and other digital devices.

"If you turn over the Nintendo Wii, you'll find an RSA brand on the back. The security was done by us in Brisbane," says Glenn Dickman, the lab's engineering director. "It's the same with Sony's PlayStation.

"Most of the big companies, such as Hewlett-Packard, Sanyo, Panasonic, Oracle, Cisco and Konica Minolta, buy our BSafe security toolkits rather than using OpenSSL, because we can guarantee the quality."

RSA doesn't mind people using the open source encryption software tool because it's based on work done by two of their own.

"RSA labs started up in 1999 when Eric Young and Tim Hudson developed the SSLeay cryptography library, which has become SSLC, BSafe and OpenSSL," Dickman says. "We have some talent in Australia, and a lot of us have moved to Brisbane. We've probably picked up the cream of local Java programmers as well."

Dickman says the team focuses on "using agile methods" to improve software engineering.

The lab has produced RSA's Key Manager, which centralises provision and management of the encryption keys used to secure data across enterprises.
This tool is hot, particularly in the US, where the payment card industry is required to protect consumer information.

RSA, now the security division of EMC, is working to integrate its encryption and key management technology into EMC's storage range. EMC has also acquired Valyd Software, based in Hyderabad, India, for its innovative database encryption product.

Dickman hopes Australian banks will start taking some interest in the new security tools.

"To date, they've tended to focus on authentication. Security doesn't drive as well here as it does in the US," he says. "Some of our products will become more interesting to local banks. I'd like people to come up to Brisbane to see what we're doing."

______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Tue Feb 27 2007 - 00:30:44 PST