[ISN] Security walls crumble

From: InfoSec News (alerts@private)
Date: Tue Feb 27 2007 - 00:22:05 PST


Karen Dearne
The Australian
FEBRUARY 27, 2007

IF you think you've finally secured your enterprise environment, sorry, 
the game just changed. The internet and anywhere access has turned 
information technology security on its head, industry heavyweights told 
this year's RSA Conference in San Francisco.

The idea that you can defend your network perimeter and keep your data 
in grand isolation, like a king in his castle, is dead. Like a king, 
data needs to move around and has to be protected wherever it happens to 

The new focus is on managing separate bits of information so each piece 
is secure and available when needed.

"Let's be honest, the industry has been too self-righteous and smug, 
intent on chasing the perfect technical solution, instead of trying to 
address real business needs," RSA Security president Art Coviello says.

RSA Security is the recently acquired security division of EMC.

"We've focused on keeping people out, rather than giving them access to 
expand their supply chains, sales channels and markets," Coviello says.

"We've built stronger and higher walls around data, but in a dynamic 
world information is never static. It won't stay behind those walls."

Security has become more a matter of imposing limits, rather than 
removing them "and it's time for that to stop", he says. "We should not 
be motivated by the threats, but by the opportunities information can 
bring," he says. "We need to step out of our comfort zones and 
accelerate new ways of doing business."

In short, the information security industry is ripe for transformation, 
and Coviello foresees the end of the industry as we know it.

"IDC reports that in 2006 alone, we spent $US38 billion ($48 billion) on 
IT security, yet only one in five companies actually believes their data 
is safe," he says.

"Clearly our approach is not working. A change is under way that will 
bring the standalone products industry to an end in two to three years."

Big technology vendors such as Microsoft, IBM, Oracle, Cisco and EMC are 
integrating security into their software from the outset.

Windows Vista is the first Windows release developed from the outset under 
Microsoft's Security Development Lifecycle (SDL).

IBM is integrating the Internet Security Systems "pre-emptive" security 
and real-time intelligence into its enterprise platforms, and Symantec 
is working with companies such as VeriSign, Accenture, Google, Juniper 
Networks and Intel.

Microsoft chief Bill Gates says the initial reaction to the internet's 
anything-can-talk-to-anything capability was to look back.

"The data centre, the glasshouse, was very isolated," Gates says.

"So the first idea was to create a boundary, and a perimeter was a 
reasonable concept." These days, though, business partners, employees 
and customers all need access to enterprise systems and data.

"There's no doubt that people want more flexibility," he says.

"You have consultants coming into your company, staff who need offsite 
access. We can't think of the glasshouse, that kind of network topology, 
any more."

Symantec chairman John Thompson goes a step further, saying people are 
the new perimeter.

"They are connecting to networks through a variety of devices - laptops, 
desktops and mobiles - all of which need to be managed and protected," 
Thompson says. "Today, the battleground for security isn't just the 
device. It's also about protecting the information that is being shared, 
and the interactions that are happening online."

And still the torrent of data grows.

More information has been created in the first six years of the 21st 
century than was created since human history began, Coviello says.

"Today, 96 per cent of the world's data is being created digitally and 
about three-quarters of the rest is generally converted to digital 
within three months," he says.

IBM Internet Security Systems president and chief executive Thomas 
Noonan points to the nightmare facing systems administrators. "Our 
studies show that the average enterprise deals with more than 32 
security vendors," he says.

"Security requires a continuous, integrated source of intelligence that 
can never be realised if we're waiting on vendors to ship patches when 
our network is under siege every day."

Thompson says there's no going back to a bricks-and-mortar business.

"Think of the cost," he says. "Sending a bill by snail mail costs double 
what it costs to send electronically. Think about how you shop. Until 
recently we went to the local market. Today, we buy essentials online. 
Transactions once done by your employees, from money transfers to 
subscription renewals, are now done directly by customers connecting to 
the corporate network."

The lines separating enterprises and consumers have become blurred.

"Confidence is critical to making all of this work," Thompson says.

"Decades ago you trusted quality because you could see or test products 
before paying for them. You had confidence in your bank because odds 
were the manager sat beside you in church. Now that the whole world is 
connected, it's much harder to have that degree of confidence."

What is the cost of a lack of trust?

Although US consumers spent almost $US22 billion in online shops at 
Christmas, 26 per cent more than in 2005, another $US2 billion didn't 
get spent online because people curtailed their shopping as a result of 
security concerns, according to technology researcher Gartner.

Consumers must be given ways to protect their identity and to gauge the 
reputation of the sites they visit, Thompson says.

"Enterprises have the responsibility to secure anyone who connects to 
their networks, especially their customers," he says.

Symantec has unveiled a prototype of its Norton Identity Client, intended 
to provide users with one-time-use credit card numbers and other means of 
interacting with sites without disclosing too much personal information. 
Consumers will soon be demanding a certain level of security before 
they're willing to connect, Thompson says.

For many, this won't come soon enough. In 2006, the US Federal Trade 
Commission received more than 670,000 complaints about consumer fraud 
and identity theft involving losses of more than $US1.1 billion, 
according to a report released at the conference.

The Business Software Alliance says losses are even higher. President 
Robert Holleyman cites a US survey showing an estimated 8.4 million 
Americans were victims of identity fraud during 2006, resulting in 
losses of almost $US50 billion.

Holleyman says the BSA is urging Congress to update the US criminal code 
to allow prosecutions over cyberthreats such as malicious code and 
zombie networks used to steal identities, spread spyware and attack 
critical systems.

Meanwhile, common internet nasties are not declining. According to 
VeriSign, more than 300 new worms and viruses are released every month.

Art Coviello says the trend towards "a security ecosystem" is a response 
to more serious threats. "Not long ago, our adversaries mostly wanted to 
show off," he says. "Today's attacks are completely motivated by profit, 
and that changes everything.

"Identity fraud, phishing and social engineering are now profitable 
activities for criminals, foreign spies and those involved in industrial 

Microsoft research chief Craig Mundie says part of the problem of 
building and administering secure systems is that "humans are human, and 
they make mistakes. We have to deal with the fact that errors do 

As well, the world "is a lot more connected than it ever was". People 
want constant access to their cellphones, televisions, car systems and 
all sorts of "smart widgets".

"But the mechanisms that we developed to create security really came 
from the enterprise environment, where there was formal administration 
of activities," Mundie says. "Even there we've struggled.

"Now there are not just hundreds of millions of PCs, but billions of 
phones and other devices. These clearly aren't in an administered world, 
yet people want to use them to access increasingly sensitive information 
such as health records.

"It's incumbent on the industry to come up with some strategy to deal 
with that."

For Microsoft, one starting point is the internet protocol, and the 
"fantastic capability" of IPsec, which is a mandatory component of IPv6 
and is also available for IPv4 networks.

Bill Gates recalls that "in the bad days of the Slammer virus", a 
customer wanted to isolate factory floor applications from those used by 
consultants and engineers. "There was no way for them to do that. They 
couldn't use the firewall because the factory floor was not a separate 
company," Gates says. "They needed an explicit set of access 
capabilities from the rest of the network into those systems.

"By providing tools that determine who can connect to this machine using 
this IPsec, we can have this kind of isolation, we can gain this level 
of access control."
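As an added illustration, not code from the article, Microsoft or any vendor quoted here, this is how the isolation Gates describes is configured on Vista and later Windows versions: a connection-security (IPsec) rule that requires peers to authenticate, plus a firewall rule that admits only machines in a named computer group. The subnets, port, group and security descriptor below are hypothetical placeholders, and all hosts are assumed to be domain-joined so Kerberos machine authentication works.

```powershell
# Added example, not from the article. Hypothetical values:
#   10.20.0.0/24        factory-floor hosts (apply on each host, or via Group Policy)
#   10.10.0.0/24        engineering and consultant workstations
#   TCP 4840            the factory control application's port (placeholder)
#   S-1-5-21-0-0-0-1001 placeholder SID of a domain group of permitted computers

# 1. Require authenticated IPsec (transport mode) between the two subnets.
#    Peers that cannot authenticate never complete a connection, and the
#    network topology itself is left unchanged: no separate firewall zone.
netsh advfirewall consec add rule name="Factory floor - require IPsec" `
    endpoint1=10.20.0.0/24 endpoint2=10.10.0.0/24 `
    action=requireinrequireout auth1=computerkerb mode=transport

# 2. On the factory host, allow the control application only from computers
#    in the permitted group. The IPsec identity established in step 1 is what
#    the firewall checks against the SDDL descriptor; authentication alone
#    would admit any domain machine, so this rule is what limits "who".
netsh advfirewall firewall add rule name="Factory app - authenticated peers" `
    dir=in action=allow protocol=TCP localport=4840 `
    security=authenticate rmtcomputergrp="O:LSD:(A;;CC;;;S-1-5-21-0-0-0-1001)"

# 3. Verify what is in force, and that peers really are authenticating.
netsh advfirewall consec show rule name="Factory floor - require IPsec"
netsh advfirewall firewall show rule name="Factory app - authenticated peers" verbose
netsh advfirewall monitor show mmsa
```

The check in step 3 matters: a connection-security rule with no matching firewall rule only proves that the peer holds a domain machine account, so the main-mode SA listing should be read alongside the group-restricted rule, not instead of it.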

Gates also points to digital rights management tools for flagging 
sensitive documents or emails and restricting access to authorised 
personnel. He has embraced encryption: BitLocker, the full-volume 
encryption introduced in Vista, locks down information on a laptop so 
files cannot be read offline if the laptop is lost or stolen. It protects 
data at rest only; a machine that is powered on and unlocked gains 
nothing from it.

Passwords are still the weakest link, and the problem becomes hugely 
complex when you're trying to provide access for business partners, 
suppliers and customers.

"We see digital certificates as the way to go for authentication," Gates 
says. "We're putting out products that will allow enterprises to start 
the migration from passwords to credentials on smartcards."

Mundie says the CardSpace capability in Vista gives people the 
opportunity to create their own credentials. "It should be no more 
difficult for someone to identify themselves online than it is to 
produce a credit card or a driver's licence in the real world," he says.

"Each credential conveys a certain amount of information, and you can 
make a rational choice to disclose enough to suit the situation."

Mundie says the connected world will demand more co-operation. "The new 
enterprise network has a seamless boundary out to the internet", he 
says. "Data protection and identity mechanisms obviously require 
contributions from many in the industry."

Karen Dearne attended RSA Conference 2007 in San Francisco as a guest of 
RSA Australia.

Home-grown tools for the world

THE Brisbane lab of security company RSA is selling products to 
blue-chip IT companies in the US and Japan for use in mass-market games 
consoles, cameras and other digital devices.

"If you turn over the Nintendo Wii, you'll find an RSA brand on the 
back. The security was done by us in Brisbane," says Glenn Dickman, the 
lab's engineering director. "It's the same with Sony's PlayStation.

"Most of the big companies, such as Hewlett-Packard, Sanyo, Panasonic, 
Oracle, Cisco and Konica Minolta, buy our BSafe security toolkits rather 
than using OpenSSL, because we can guarantee the quality."

RSA doesn't mind people using the open source encryption software tool 
because it's based on work done by two of their own.

"RSA labs started up in 1999 when Eric Young and Tim Hudson developed 
the SSLeay cryptography library, which has become SSLC, BSafe and 
OpenSSL," Dickman says. "We have some talent in Australia, and a lot of 
us have moved to Brisbane. We've probably picked up the cream of local 
Java programmers as well."

Dickman says the team focuses on "using agile methods" to improve 
software engineering.

The lab has produced RSA's Key Manager, which centralises provision and 
management of the encryption keys used to secure data across 

This tool is hot, particularly in the US, where the payment card 
industry's PCI DSS requires merchants to protect stored cardholder data 
and to manage the encryption keys that protect it. RSA, now the 
security division of EMC, is working to integrate its encryption and key 
management technology into EMC's storage range. EMC has also acquired 
Valyd Software, based in Hyderabad, India, for its innovative database 
encryption product.

Dickman hopes Australian banks will start taking some interest in the 
new security tools.

"To date, they've tended to focus on authentication. Security doesn't 
drive as well here as it does in the US," he says.

"Some of our products will become more interesting to local banks. I'd 
like people to come up to Brisbane to see what we're doing."


This archive was generated by hypermail 2.1.3 : Tue Feb 27 2007 - 00:30:44 PST