Systems Security Industry Confronts Corporate Demands, Government Policies
By John Makulowich
From wide area networks to the World Wide Web, from the committees of Congress to the cubicles of corporate America, systems security is all the rage.
Witness the plethora of products goaded by the promise of digitized dollars, corporate concern over information assets easily shared over local area networks, intranets and extranets, and the federal government's ongoing struggle to come to grips with issues like encryption.
Then there are the workshops, seminars and conferences. One recent announcement bellowed its come-on in bold type, "Cybercrime." Leaving no breach undetected, the two-day International Cybercrime, Electronic Commerce and Information Warfare Conference sponsored by Oceana Publications Inc. in Washington Oct. 30-31 promised speakers who would cover the gamut: electronic commerce and banking, corporate, bank and computer security, financial crimes and information warfare.
Taking the topic to the other extreme by proclaiming the coming "death of the intranet" as a stand-alone network and the advent of a "universal infraware," Sun Microsystems Inc. of Palo Alto, Calif., is pushing its own network security solution, which includes its SunScreen products line. This will serve as the means for corporations to use the Internet with full assurance of safety, "making the Internet secure enough to be the backbone of business communications," according to its corporate materials.
Overall, the critical importance of security technology was reinforced last month with the announcement of a new partnership by the National Security Agency and the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. Seeking to assist U.S. information security technology producers in achieving international competitiveness, the agencies plan to set up the so-called National Information Assurance Partnership. Ultimately, NIAP should provide "independent evaluators and product producers with objective measures for evaluating the quality and security of these products," according to the agencies' news release.
The partnership will provide evaluators and product producers with "a common language to define the security features and assurance of products as well as a defined common test methodology to evaluate products," says James P. Cavanaugh, NSA deputy director of policy. The common language as well as the test methodology "will be based upon the International Common Criteria for Information Technology Security Evaluation," he adds.
A major factor in setting up the partnership at this time, he says, was the recent adoption of the Common Criteria by governments of six of the major world producers of information security equipment - the United States, Canada, United Kingdom, Germany, France and the Netherlands.
With security stretching its tentacles to the other end of the geopolitical spectrum, the Maryland State Department of Transportation is in the process of implementing an online vehicle registration system. This will allow all Maryland residents to register their vehicles from their homes, work or interactive kiosks that the state will set up in malls. The Maryland DOT will protect the mainframe database with a Gauntlet firewall produced by Trusted Information Systems Inc. of Glenwood, Md.
Despite all the attention focused on computer and network security issues in congressional wrangling, media coverage and professional society and trade association gatherings, there is a large gap between words and action when the conversation turns to preparing policy statements and pursuing implementation projects.
Just ask Charles Cresson Wood, president of Baseline Software Inc. of Sausalito, Calif., and author of "Information Security Policies Made Easy." Wood, whose consulting work includes risk assessments, network security architecture design, custom secure application specification and security policies and standards writing, says a large part of the problem in today's computer security revolves around what he calls the "curse of complexity and large volume."
Examples abound, including the much maligned Internal Revenue Service and its efforts at revamping its systems and the Social Security Administration and its misguided attempt to post retirement benefits on its World Wide Web site.
"The underlying issue in the information security field is complexity management," says Wood. "It's been accentuated with the advent of all the new technologies as well as the different versions of hardware and software available at the same time. What's needed now are complexity management tools and network management systems."
According to Wood, the complexity management issue is made much more difficult for government workers because of the so-called Mosaic theory, which originally applied specifically to defense. Simply stated, the theory holds that several unrelated pieces of information from separate sources, each of which is not sensitive, can be combined to create new information that is sensitive.
This became apparent with the benefits information available on the Social Security Web site. Bits of information about an individual when combined could allow an unauthorized person to access benefits data. The Internet highlights the problem in bold strokes since it not only brings together such a diverse array of disparate information, but also allows any given individual to quickly gather a broad range of personal data.
"Agency staff now have to ask themselves, 'Could this information be the one piece that will make a difference?'" notes Wood, profiling the Mosaic theory during a recent phone interview.
Yet, right alongside the issue of complexity management is the irony of inadequately trained staff and poorly designed and implemented policy, according to Wood and other experts. The critical question of staff surfaced earlier this year in another context when a key phase of the Electronic Freedom of Information Amendments of 1996 kicked in. At that point, many agencies realized they did not have individuals qualified to meet the demands within the mandated time frames of those from the public requesting information from the government.
"The information security field is suffering a profound dearth of talent. Staff are getting assigned duties without adequate background. Clearly, there is significant need for good people in the field of information security," admits Wood.
Indeed, most surveys about information security done with Fortune 1000 companies find that little more than half have written policies in place and many of those are out of date, he says. Further, the lack of information security policies that are current is juxtaposed with the fact that top management wants such policies. Thus, it appears that the information systems departments are either unable to implement such policies or lack the interest to do so.
Wood sees security implementation as a three-stage process: clarifying the business objective or mission; defining what information is needed; and deciding what information security measures are needed to support the information systems architecture.
For those seeking to create an operational framework for systems security, Wood profiles what he considers the five essential policy positions. The first is risk assessment, in which the organization looks at its own unique circumstances and the value, criticality and sensitivity of its information. Next is contingency planning, where you have an ongoing effort to look at how you will, for example, back up and restore your system, recognizing you need to be able to roll back to a prior version and abandon unlivable circumstances.
The third essential policy is documenting applications developed in-house as well as testing them. Wood admits he is often amazed at the state of an organization's documentation; in many cases there is none. Fourth is change control, that is, a formal proposal for initiating change. For instance, an organization can't reconfigure its system in the middle of the day. The final step is establishing a level of need and defining access to the systems based on this need to know.
"I'm currently investigating an espionage case for a large firm," says Wood. "We know it is somebody inside, but anyone in the firm can go in and access logs. Thus, anyone could retrieve information and erase the records of their visit. It's a clear case where levels of need-to-know should have been set up initially."
Among the different systems security approaches, including Internet-based, developed by a number of competing firms are the use of so-called firewall appliances, tokens, biometrics and PC-based software like Information Security Corp.'s SecretAgent.
WatchGuard Technologies Inc., Seattle, formerly known as Seattle Software Labs, produces the Firebox, a dedicated network security "appliance" that replaces the conventional embedded firewall. (A firewall is a combination of hardware and software that prevents unauthorized users from accessing an intranet or local area network.) Containing a real-time firewall operating system, it allows users to be up-and-running out of the box by simply plugging in. The appliance resides between the router and trusted network.
According to a recent report from the Stamford, Conn.-based market research firm Gartner Group, by 2002, at least 40 percent of firewalls shipped will be low-cost, minimal-configuration firewall appliances.
Michael Martucci, WatchGuard's vice president of marketing, sees the company's product appealing to government agencies and businesses that have invested increasing resources in networking field workers, known as remote users, field force computing or telecommuters. Other potential clients include those involved in publishing information and increasing staff access through the World Wide Web.
"Now we see the use of the Internet to link agencies or to conduct commerce. The federal government has taken the lead on this. What has occurred is the realization of a potential security threat with so many people on the Internet, which is essentially a two-way street. Our system offers a simple and inexpensive solution that extends protection beyond the main office," explains Martucci.
He agrees with Wood's assessment of the need for qualified personnel, but feels Firebox is not only simple to manage, but easy to deploy.
"The stance we take is really along these lines. When you plug in the Firebox, the software guides you through by using the popular Windows wizards. The first time you boot up the software, everything is denied unless you specifically allow it. You must turn services on," says Martucci.
Basically, the product is built on the belief that unless a user is authorized to perform a particular activity, that user is denied connectivity.
Another approach to systems and information security is the use of tokens, such as those produced by Cryptocard of Toronto, Ontario, whose authentication server technology is in security products worldwide and is used for network access and Internet connectivity.
Tokens - credit card-size, self-powered, portable one-time password generators - rely on a challenge-response approach in which the user carries the token and knows a personal identification number or PIN. Such tokens are considered more secure than the conventional user name/password approach. Used with firewalls, virus checking software, encryption technology and other security measures, tokens increase system security.
When the user enters his or her PIN, the token generates and displays a random number, which the user types into the computer. At the same time, a correlating server generates the same random number. If the two numbers match, the identity of the token owner is verified and he or she is permitted to connect to the network.
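The challenge-response flow just described, simulated end to end as an added example (this is not Cryptocard's or any vendor's code). It assumes a shared per-token secret, an HMAC-SHA256 derivation of the one-time response, a hypothetical eight-digit token display, and constructed secrets and PINs; the server consumes each challenge once so a captured response cannot be replayed.

```python
"""Simulated token/server challenge-response login (constructed example)."""
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 8  # hypothetical width of the number shown on the token's display


def _response(secret: bytes, challenge: str) -> str:
    """Derive the one-time number that both the token and the server can compute."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    # Truncate the MAC to a number the user can read off the token and type in.
    return str(int.from_bytes(mac[:4], "big") % 10**RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class Token:
    """Hand-held token: holds the shared secret and is unlocked by the owner's PIN."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: str):
        """Return the displayed number, or None if the PIN is wrong (token stays locked)."""
        entered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(entered, self._pin_hash):
            return None
        return _response(self._secret, challenge)


class AuthServer:
    """Authentication server holding a copy of every enrolled token's secret."""

    def __init__(self):
        self._secrets = {}   # user -> token secret
        self._pending = {}   # user -> outstanding challenge, valid for one attempt

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def challenge(self, user: str) -> str:
        chal = str(secrets.randbelow(10**8)).zfill(8)
        self._pending[user] = chal
        return chal

    def verify(self, user: str, response) -> bool:
        chal = self._pending.pop(user, None)  # consumed: a replayed response cannot match
        if chal is None or response is None or user not in self._secrets:
            return False
        return hmac.compare_digest(_response(self._secrets[user], chal), response)


def login(server: AuthServer, token: Token, user: str, pin: str) -> bool:
    """One full exchange: server challenges, user unlocks token, server checks the reply."""
    return server.verify(user, token.respond(pin, server.challenge(user)))
```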
Recently, the company signed an agreement with Raptor Systems Inc. of Waltham, Mass., a firm involved in open-platform, integrated network security software and services. Cryptocard will embed its authentication server into the Eagle Firewall for NT and Unix. This allows Cryptocard's RB-1 Authentication Token to work directly with the firewall rather than with a separate authentication or access server. This in turn saves server software costs and streamlines the authentication process. In sync with the token-ready firewall, the RB-1 uses the challenge-response authentication to generate and display a one-time password each time a user attempts to enter the network. The company signed a similar agreement with Trusted Information Systems Inc. to provide and support a Cryptocard authentication server for the TIS Gauntlet firewall.
Stephen D. Seal, Cryptocard's vice president for technology and development, says the company takes an embedded technology focus, building security processes into existing products, because it is easier for organizations to make the leap into more advanced security technology from the server side.
"From the perspective of internal networks, we try to stay as close to the Internet cloud as possible," says Seal. "We authenticate at the firewall. Security is one of those activities that most people don't want to think about. But people are quickly starting to realize that networks are strategically important and so is information."
Another notch up the security ladder is the use of biometrics to control access to networked systems, for example, by Keyware Technologies, a Brussels, Belgium, company with offices in Woburn, Mass. Its integrated security system combines voice and facial verification for use over the Internet, intranets, LANs or even for physical access.
Biometrics is defined as the automated measuring of one or more physical attributes or features to identify one person from all others. The measurements include fingerprints, retinal patterns, facial appearance, signatures, hand geometry or voice prints.
Founded in July 1996, Keyware offers what it calls layered biometric authentication technologies for such applications as Internet commerce, financial transactions and the protection of sensitive data during exchanges such as e-mail.
Keyware partners with Excalibur Technologies Corp., Vienna, Va., for its Adaptive Pattern Recognition Processing (APRP) technology, which is integrated into its facial verification product. Keyware also partners with Lernout & Hauspie Speech Products of Burlington, Mass., which granted the company exclusive rights to its speech-verification technology.
For Francis Declercq, founder, president and CEO of Keyware USA, biometric authentication covers individuals who want to know through networking or access control that they are talking to the right person.
"The more society becomes increasingly impersonal, the more we need to confirm the identity of the people we deal with," says Declercq. "The identifying information that is gathered for an individual can be stored on a central computer."
Declercq is taking the technology a step further by working on a deal with a smartcard manufacturing company in Europe, whose identity he would not reveal. Basically, it involves placing a person's digitized vocal pattern and facial pattern on a smartcard.
While critical of token technology because of potential problems with stolen tokens, he also admits the need for threshold technology combining the different IDs in the case of biometrics. The reason is that any given pattern can be affected: for example, a vocal pattern could be modified by a cold, or a fingerprint by burned fingertips. He also sees retinal scans in the future as an addition to the collection of threshold data.
With the shift to client/server processing and the increasing importance of intranets, the desktop takes on added significance as a potential security hole. It's a market targeted by the likes of Deerfield, Ill.-based Information Security Corp.'s SecretAgent, a cross-platform file encryption and digital signature software utility that operates across DOS, Windows, Macintosh and a number of Unix operating systems and is marketed worldwide by AT&T.
A sign of the emerging interest, if not need, is that the product works with any application or e-mail program and ships with direct tie-ins for MS-Mail, MS-Exchange, Novell Groupwise and macros for MS Word and WordPerfect. It also offers the user a choice of the multiple standards, including DES (Data Encryption Standard), triple DES, a proprietary 56-bit exportable algorithm for bulk encryption and the ability to generate either RSA or DSA (Digital Signature Algorithm) keys for digital signatures.
Founded just this year, Entrust Technologies of Richardson, Texas, provides certification authority and public-key management products. Entrust's PKI (public-key infrastructures) technology combines encryption and digital signature capabilities with fully automated key management. The software offers a security solution across multiple platforms for desktops, corporate networks, intranets and the Internet.
Another offering comes from the Global Technologies Group Inc. of Arlington, Va. The company introduced a line of system security products that include CryptCard, a PCMCIA card for portable computers with boot protection and data encryption on all drives, and Elkey Security System, a smart card security system for desktop computers allowing boot protection, drive encryption and audit trails. The company also is marketing FastCrypt Card, a high-speed encryption card that can be used with the CryptCard and the Elkey Card to create a virtual private network.
In the midst of all this and serving as a drag on the market, however, is the continuing controversy over the constitutionality of the federal government's regulation of the export of encryption software.
Earlier this month, the Department of Justice announced it is considering further legal measures after the ruling by the U.S. District Court in San Francisco. The District Court judged that certain aspects of the government's regulations on the export of encryption software are unconstitutional. Another federal court previously upheld in August the export controls on encryption software.
President Clinton is on record through an executive order on Nov. 15, 1996, that the use of encryption products by parties outside the United States can endanger the foreign policy and national security interests of the United States as well as the public safety of American citizens.
Until the issue is resolved, export controls on encryption software remain in effect. Thus, individuals or companies that want to export encryption software must satisfy licensing controls before shipping it beyond the U.S. borders. Under current policy, U.S. manufacturers can export encryption products up to 56 bits only if they agree to develop so-called key recovery products, which allow the government to eavesdrop.