FEBRUARY 27, 2007
If you think you've finally secured your enterprise environment, sorry,
the game just changed. The internet and anywhere access has turned
information technology security on its head, industry heavyweights told
this year's RSA Conference in San Francisco.
The idea that you can defend your network perimeter and keep your data
in grand isolation, like a king in his castle, is dead. Like a king,
data needs to move around and has to be protected wherever it happens to
The new focus is on managing separate bits of information so each piece
is secure and available when needed.
"Let's be honest, the industry has been too self-righteous and smug,
intent on chasing the perfect technical solution, instead of trying to
address real business needs," RSA Security president Art Coviello says.
RSA Security is the recently acquired security division of EMC.
"We've focused on keeping people out, rather than giving them access to
expand their supply chains, sales channels and markets," Coviello says.
"We've built stronger and higher walls around data, but in a dynamic
world information is never static. It won't stay behind those walls."
Security has become more a matter of imposing limits, rather than
removing them "and it's time for that to stop", he says. "We should not
be motivated by the threats, but by the opportunities information can
bring," he says. "We need to step out of our comfort zones and
accelerate new ways of doing business."
In short, the information security industry is ripe for transformation,
and Coviello foresees the end of the industry as we know it.
"IDC reports that in 2006 alone, we spent $US38 billion ($48 billion) on
IT security, yet only one in five companies actually believes their data
is safe," he says.
"Clearly our approach is not working. A change is under way that will
bring the standalone products industry to an end in two to three years."
Big technology vendors such as Microsoft, IBM, Oracle, Cisco and EMC are
integrating security into their software from the outset.
Windows Vista is Microsoft's first release of a product based on its
secure design lifecycle.
IBM is integrating the Internet Security Systems "pre-emptive" security
and real-time intelligence into its enterprise platforms, and Symantec
is working with companies such as VeriSign, Accenture, Google, Juniper
Networks and Intel.
Microsoft chief Bill Gates says the initial reaction to the internet's
anything-can-talk-to-anything capability was to look back.
"The data centre, the glasshouse, was very isolated," Gates says.
"So the first idea was to create a boundary, and a perimeter was a
reasonable concept." These days, though, business partners, employees
and customers all need access to enterprise systems and data.
"There's no doubt that people want more flexibility," he says.
"You have consultants coming into your company, staff who need offsite
access. We can't think of the glasshouse, that kind of network topology,
Symantec chairman John Thompson goes a step further, saying people are
the new perimeter.
"They are connecting to networks through a variety of devices - laptops,
desktops and mobiles - all of which need to be managed and protected,"
Thompson says. "Today, the battleground for security isn't just the
device. It's also about protecting the information that is being shared,
and the interactions that are happening online."
And still the torrent of data grows.
More information has been created in the first six years of the 21st
century than was created since human history began, Coviello says.
"Today, 96 per cent of the world's data is being created digitally and
about three-quarters of the rest is generally converted to digital
within three months," he says.
IBM Internet Security Systems president and chief executive Thomas
Noonan points to the nightmare facing systems administrators. "Our
studies show that the average enterprise deals with more than 32
security vendors," he says.
"Security requires a continuous, integrated source of intelligence that
can never be realised if we're waiting on vendors to ship patches when
our network is under siege every day."
Thompson says there's no going back to a bricks-and-mortar business.
"Think of the cost," he says. "Sending a bill by snail mail costs double
what it costs to send electronically. Think about how you shop. Until
recently we went to the local market. Today, we buy essentials online.
Transactions once done by your employees, from money transfers to
subscription renewals, are now done directly by customers connecting to
the corporate network."
The lines separating enterprises and consumers have become blurred.
"Confidence is critical to making all of this work," Thompson says.
"Decades ago you trusted quality because you could see or test products
before paying for them. You had confidence in your bank because odds
were the manager sat beside you in church. Now that the whole world is
connected, it's much harder to have that degree of confidence."
What is the cost of a lack of trust?
Although US consumers spent almost $US22 billion in online shops at
Christmas, 26 per cent more than in 2005, another $US2 billion didn't
get spent online because people curtailed their shopping as a result of
security concerns, according to technology researcher Gartner.
Consumers must be given ways to protect their identity and to gauge the
reputation of the sites they visit, Thompson says.
"Enterprises have the responsibility to secure anyone who connects to
their networks, especially their customers," he says.
Symantec has unveiled a prototype of its Norton Identity Client that is
intended to provide users with one-time-use credit card numbers and
other means of interacting with sites without disclosing too much
personal information, and consumers will soon be demanding a certain
level of security before they're willing to connect, Thompson says.
For many, this won't come soon enough. In 2006, the US Federal Trade
Commission received more than 670,000 complaints about consumer fraud
and identity theft involving losses of more than $US1.1 billion,
according to a report released at the conference.
The Business Software Alliance says losses are even higher. President
Robert Holleyman cites a US survey showing an estimated 8.4 million
Americans were victims of identity fraud during 2006, resulting in
losses of almost $US50 billion.
Holleyman says the BSA is urging Congress to update the US criminal code
to allow prosecutions over cyberthreats such as malicious code and
zombie networks used to steal identities, spread spyware and attack
Meanwhile, common internet nasties are not declining. According to
VeriSign, more than 300 new worms and viruses are released every month.
Art Coviello says the trend towards "a security ecosystem" is a response
to more serious threats. "Not long ago, our adversaries mostly wanted to
show off," he says. "Today's attacks are completely motivated by profit,
and that changes everything.
"Identity fraud, phishing and social engineering are now profitable
activities for criminals, foreign spies and those involved in industrial
Microsoft research chief Craig Mundie says part of the problem of
building and administering secure systems is that "humans are human, and
they make mistakes. We have to deal with the fact that errors do
As well, the world "is a lot more connected than it ever was". People
want constant access to their cellphones, televisions, car systems and
all sorts of "smart widgets".
"But the mechanisms that we developed to create security really came
from the enterprise environment, where there was formal administration
of activities," Mundie says. "Even there we've struggled.
"Now there are not just hundreds of millions of PCs, but billions of
phones and other devices. These clearly aren't in an administered world,
yet people want to use them to access increasingly sensitive information
such as health records.
"It's incumbent on the industry to come up with some strategy to deal
For Microsoft, one starting point is the internet protocol, and the
"fantastic capability" of IPsec that is part of the forthcoming IP 6.0.
Bill Gates recalls that "in the bad days of the Slammer virus", a
customer wanted to isolate factory floor applications from those used by
consultants and engineers. "There was no way for them to do that. They
couldn't use the firewall because the factory floor was not a separate
company," Gates says. "They needed an explicit set of access
capabilities from the rest of the network into those systems.
"By providing tools that determine who can connect to this machine using
this IPsec, we can have this kind of isolation, we can gain this level
of access control."
Gates also points to digital rights management tools for flagging
sensitive documents or emails and restricting access to authorised
personnel. He has embraced encryption: BitLocker locks down information
on a laptop so files cannot be read if the laptop is lost or stolen.
Passwords are still the weakest link, and the problem becomes hugely
complex when you're trying to provide access for business partners,
suppliers and customers.
"We see digital certificates as the way to go for authentication," Gates
says. "We're putting out products that will allow enterprises to start
the migration from passwords to credentials on smartcards."
Mundie says the CardSpace capability in Vista gives people the
opportunity to create their own credentials. "It should be no more
difficult for someone to identify themselves online than it is to
produce a credit card or a driver's licence in the real world," he says.
"Each credential conveys a certain amount of information, and you can
make a rational choice to disclose enough to suit the situation."
Mundie says the connected world will demand more co-operation. "The new
enterprise network has a seamless boundary out to the internet," he
says. "Data protection and identity mechanisms obviously require
contributions from many in the industry."
Karen Dearne attended RSA Conference 2007 in San Francisco as a guest of
Home-grown tools for the world
The Brisbane lab of security company RSA is selling products to
blue-chip IT companies in the US and Japan for use in mass-market games
consoles, cameras and other digital devices.
"If you turn over the Nintendo Wii, you'll find an RSA brand on the
back. The security was done by us in Brisbane," says Glenn Dickman, the
lab's engineering director. "It's the same with Sony's PlayStation.
"Most of the big companies, such as Hewlett-Packard, Sanyo, Panasonic,
Oracle, Cisco and Konica Minolta, buy our BSafe security toolkits rather
than using OpenSSL, because we can guarantee the quality."
RSA doesn't mind people using the open source encryption software tool
because it's based on work done by two of their own.
"RSA labs started up in 1999 when Eric Young and Tim Hudson developed
the SSLeay cryptography library, which has become SSLC, BSafe and
OpenSSL," Dickman says. "We have some talent in Australia, and a lot of
us have moved to Brisbane. We've probably picked up the cream of local
Java programmers as well."
Dickman says the team focuses on "using agile methods" to improve
The lab has produced RSA's Key Manager, which centralises provision and
management of the encryption keys used to secure data across
This tool is hot, particularly in the US, where the payment card
industry is required to protect consumer information. RSA, now the
security division of EMC, is working to integrate its encryption and key
management technology into EMC's storage range. EMC has also acquired
Valyd Software, based in Hyderabad, India, for its innovative database
Dickman hopes Australian banks will start taking some interest in the
new security tools.
"To date, they've tended to focus on authentication. Security doesn't
drive as well here as it does in the US," he says.
"Some of our products will become more interesting to local banks. I'd
like people to come up to Brisbane to see what we're doing."