Systems Security Industry Confronts Corporate Demands, Government Policies
By John Makulowich
From wide area networks to the World Wide Web, from the committees of Congress to the cubicles of corporate America, systems security is all the rage.
Witness the plethora of products goaded by the promise of digitized dollars, corporate concern over information assets easily shared over local area networks, intranets and extranets, and the federal government's ongoing struggle to come to grips with issues like encryption.
Photo (WatchGuard): Michael Martucci, WatchGuard's vice president of marketing
"Now we see the use of the Internet to link agencies or to conduct commerce. The federal government has taken the lead on this. What has occurred is the realization of a potential security threat with so many people on the Internet, which is essentially a two-way street. Our system offers a simple and inexpensive solution that extends protection beyond the main office," explains Martucci.
He agrees with Wood's assessment of the need for qualified personnel, but feels Firebox is not only simple to manage, but easy to deploy.
"The stance we take is really along these lines. When you plug in the Firebox, the software guides you through by using the popular Windows wizards. The first time you boot up the software, everything is denied unless you specifically allow it. You must turn services on," says Martucci.
Basically, the product is built on the belief that unless a user is authorized to perform a particular activity, that user is denied connectivity.
Another approach to systems and information security is the use of tokens, such as those produced by Cryptocard of Toronto, Ontario, whose authentication server technology is in security products worldwide and is used for network access and Internet connectivity.
Tokens - credit card-size, self-powered, portable one-time password generators - rely on a challenge-response approach in which the user carries the token and knows a personal identification number or PIN. Such tokens are considered more secure than the conventional user name/password approach. Used with firewalls, virus checking software, encryption technology and other security measures, tokens increase system security.
When the user enters his or her PIN, the token generates and displays a random number, which the user types into the computer. At the same time, a correlating server generates the same random number. If the two numbers match, the identity of the token owner is verified and he or she is permitted to connect to the network.
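The challenge-response exchange described above, shown as an added Python example that is not Cryptocard's code or algorithm. HMAC-SHA256 stands in for the token's keyed function, and the class names, 8-digit response length and three-try PIN lockout are assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # length of the displayed one-time password (assumed)


def response_for(key: bytes, challenge: str) -> str:
    """Derive the one-time password for a challenge from the shared key."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class Token:
    """Hand-held token (hypothetical model): shared key unlocked by a PIN."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin, self._tries_left = key, pin, max_tries

    def respond(self, pin: str, challenge: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("token locked")  # limits use of a stolen token
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        return response_for(self._key, challenge)


class AuthServer:
    """Server side: issues a fresh challenge and checks the response once."""

    def __init__(self, keys: dict[str, bytes]):
        self._keys = keys
        self._pending: dict[str, str] = {}

    def challenge(self, user: str) -> str:
        self._pending[user] = secrets.token_hex(4)  # unpredictable per login
        return self._pending[user]

    def verify(self, user: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed on a later login attempt.
        challenge = self._pending.pop(user, None)
        key = self._keys.get(user)
        if challenge is None or key is None:
            return False
        expected = response_for(key, challenge)
        return hmac.compare_digest(response.encode(), expected.encode())
```
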
Recently, the company signed an agreement with Raptor Systems Inc. of Waltham, Mass., a firm involved in open-platform, integrated network security software and services. Cryptocard will embed its authentication server into the Eagle Firewall for NT and Unix. This allows Cryptocard's RB-1 Authentication Token to work directly with the firewall rather than with a separate authentication or access server. This in turn saves server software costs and streamlines the authentication process. In sync with the token-ready firewall, the RB-1 uses the challenge-response authentication to generate and display a one-time password each time a user attempts to enter the network. The company signed a similar agreement with Trusted Information Systems Inc. to provide and support a Cryptocard authentication server for the TIS Gauntlet firewall.
Stephen D. Seal, Cryptocard's vice president for technology and development, says the company takes an embedded technology focus, building security processes into existing products, because it is easier for organizations to make the leap into more advanced security technology from the server side.
"From the perspective of internal networks, we try to stay as close to the Internet cloud as possible," says Seal. "We authenticate at the firewall. Security is one of those activities that most people don't want to think about. But people are quickly starting to realize that networks are strategically important and so is information."
Another notch up the security ladder is the use of biometrics to control access to networked systems, for example, by Keyware Technologies, a Brussels, Belgium, company with offices in Woburn, Mass. Its integrated security system combines voice and facial verification for use over the Internet, intranets, LANs or even for physical access.
Biometrics is defined as the automated measuring of one or more physical attributes or features to identify one person from all others. The measurements include fingerprints, retinal patterns, facial appearance, signatures, hand geometry or voice prints.
Founded in July 1996, Keyware offers what it calls layered biometric authentication technologies for such applications as Internet commerce, financial transactions and the protection of sensitive data during exchanges such as e-mail.
Keyware partners with Excalibur Technologies Corp., Vienna, Va., for its Adaptive Pattern Recognition Processing (APRP) technology, which is integrated into its facial verification product. Keyware also partners with Lernout & Hauspie Speech Products of Burlington, Mass., which granted the company exclusive rights to its speech-verification technology.
For Francis Declercq, founder, president and CEO of Keyware USA, biometric authentication covers individuals who want to know through networking or access control that they are talking to the right person.
"The more society becomes increasingly impersonal, the more we need to confirm the identity of the people we deal with," says Declercq. "The identifying information that is gathered for an individual can be stored on a central computer."
Declercq is taking the technology a step further by working on a deal with a smartcard manufacturing company in Europe, whose identity he would not reveal. Basically, it involves placing a person's digitized vocal pattern and facial pattern on a smartcard.
While critical of token technology because of potential problems with stolen tokens, he also admits the need for threshold technology combining the different IDs in the case of biometrics. The reason is that any given pattern can be affected: for example, the vocal pattern could be modified by a cold, or fingertips could be burned. He also sees retinal scans in the future as an addition to the collection of threshold data.
With the shift to client/server processing and the increasing importance of intranets, the desktop takes on added significance as a potential security hole. It's a market targeted by the likes of Deerfield, Ill.-based Information Security Corp.'s SecretAgent, a cross-platform file encryption and digital signature software utility that operates across DOS, Windows, Macintosh and a number of Unix operating systems and is marketed worldwide by AT&T.
A sign of the emerging interest, if not need, is that the product works with any application or e-mail program and ships with direct tie-ins for MS-Mail, MS-Exchange, Novell Groupwise and macros for MS Word and WordPerfect. It also offers the user a choice of multiple standards, including DES (Data Encryption Standard), triple DES, a proprietary 56-bit exportable algorithm for bulk encryption and the ability to generate either RSA or DSA (Digital Signature Algorithm) keys for digital signatures.
Founded just this year, Entrust Technologies of Richardson, Texas, provides certification authority and public-key management products. Entrust's PKI (public-key infrastructures) technology combines encryption and digital signature capabilities with fully automated key management. The software offers a security solution across multiple platforms for desktops, corporate networks, intranets and the Internet.
Another offering comes from the Global Technologies Group Inc. of Arlington, Va. The company introduced a line of system security products that include CryptCard, a PCMCIA card for portable computers with boot protection and data encryption on all drives, and Elkey Security System, a smart card security system for desktop computers allowing boot protection, drive encryption and audit trails. The company also is marketing FastCrypt Card, a high-speed encryption card that can be used with the CryptCard and the Elkey Card to create a virtual private network.
In the midst of all this and serving as a drag on the market, however, is the continuing controversy over the constitutionality of the federal government's regulation of the export of encryption software.
Earlier this month, the Department of Justice announced it is considering further legal measures after the ruling by the U.S. District Court in San Francisco. The District Court judged that certain aspects of the government's regulations on the export of encryption software are unconstitutional. Another federal court had previously, in August, upheld the export controls on encryption software.
President Clinton is on record through an executive order on Nov. 15, 1996, that the use of encryption products by parties outside the United States can endanger the foreign policy and national security interests of the United States as well as the public safety of American citizens.
Until the issue is resolved, export controls on encryption software remain in effect. Thus, individuals or companies that want to export encryption software must satisfy licensing controls before shipping it beyond the U.S. borders. Under current policy, U.S. manufacturers can export encryption products up to 56 bits only if they agree to develop so-called key recovery products, which allow the government to eavesdrop.