In Depth

The World Is Your Perimeter

The castle-and-moat era of information security is over: Now it's described as woven cloth, submarines, onions and Snickers bars. How will CISOs translate nutty metaphors into secure worldwide systems?

By Christopher Lindquist


Charles Palmer, head of security research at IBM, agrees that tipping today's model on its head makes sense. "Try to write down how many people have access to your house. You can do it because there are a limited number of people to whom you have given access rights," Palmer says. "If you walk into my house and you don't punch in the magic code [on my alarm system], you obviously shouldn't be there."

Today, however, many security systems attempt to keep a list of everybody who shouldn't be inside corporate walls—and that will never work, says Palmer. With new people being born every day and yesterday's good people sometimes going bad, "you are never going to have a complete list," he says.

Such a shift in approach will require some technological changes, of course. Whale Communications promotes Secure Sockets Layer (SSL) virtual private networks and related tools as steps along the path to universal secure remote access. Today's identity management systems can certainly solve part of the problem, but ultimately, security needs to be intrinsic to every system and every user in order to maintain control and keep the bad guys at bay. If everyone carried their security with them, any connection they made would automatically be more secure. And new technologies on the horizon could make that model a practical reality in just a few years.

"I think the model that you need to go to is security technology that's identity-enabled," says Bernie Cowens, vice president of security services for Rainbow eSecurity. "You may have something like a key that fits on a key ring; we're all used to that paradigm. We have this key; we can plug it into this PC or my PDA or my workstation at home," says Cowens. "When you're using hardware or a smart-card-based technology, we have a higher assurance already because we're not relying on a password." Better yet, Cowens adds, people have plenty of experience protecting physical keys. "That's the beauty and value of hardware—you know when it's gone," he says. "And people are used to protecting their car keys or their house keys." And while many people routinely tape their passwords to their monitors, very few would consider taping their house keys to the front door.

IBM's Palmer touts an even more encompassing approach proposed by Trusted Computing Group (TCG), an industry organization consisting of IBM, Microsoft, Intel, Sun and many others. Under TCG's plan, most computing hardware would contain a chip that would allow for simple, secure authentication. "The idea is to come up with this chip, this little island of trust that will make you feel better," says Palmer. "It's not just a place to store your passwords; it can use cryptography to do mathematical proofs about who you are. So you put some secrets in this little chip and do the mathematics to say, 'This is Charles's laptop.'" The chip could also perform even more functions, such as securely identifying what machine produced a given word-processing document or e-mail message. (These same features, of course, have caused some observers to decry TCG's potential to limit privacy and free-speech rights.)
