Dark Reading is part of the Informa Tech Division of Informa PLC

2/17/2006
01:48 PM
The Argument To End All Security Arguments, Or Is It?

By now you've read much of the excellent coverage we've provided of the ideas, products, and personalities present at this week's RSA Conference in San Jose. But I've saved the best for last. The notion floated at the show by heavyweights such as Gates, Chambers, and McNealy that security requires a collaborative effort among technology providers is empty without a true roadmap for how this will happen. In fact, it's not as popular a notion as you might think. I spoke with some of the smartest people I could find at the show to get their perspective on the future of security. Here's what they had to say.

Some experts see a collaborative approach, where Microsoft directories, databases, and protocols communicate seamlessly and securely with Cisco networking gear and management systems as well as Sun servers and storage devices, as, at best, a nice start, and, at worst, an unrealistic piece of marketing propaganda.

Who exactly will take the lead in this? Who will ultimately take responsibility for the security of the customer's IT systems and data? If you thought the finger-pointing was bad today, some say, just wait until you try to get answers from the IT vendor community when the latest spyware, virus, or worm has ground your users' PCs to a halt.

One of the greatest impediments to providing comprehensive IT security to businesses today is that there is no single forum in place to get technology providers to collaborate. "Security has been patchwork to this point," Richard DeMillo, dean of Georgia Tech's College of Computing and a former Hewlett-Packard chief technology officer, told me this week.

There are a few ways for this to change. One would resemble the way the semiconductor market gained steam two decades ago thanks to shared research, interoperability standards, and government funding, all of which culminated in the International Technology Roadmap for Semiconductors, which Intel, Texas Instruments, and other leading providers adhere to. Companies now design to standards and balance the need to bolster their bottom lines with the overall health of the industry.

Another is through efforts such as the Trusted Computing Group, which at the RSA Conference unveiled a draft specification that will add a simplified version of its security chip to storage devices, too. Intended mainly for hard disks and USB flash drives, it can be used for both portable and networked storage.

Beyond the establishment of consortiums such as the Trusted Computing Group, there are other ways to drive a more collaborative, all-encompassing approach to security. Think of what Sprint did in the 1980s when it offered voice-quality services for additional fees. The "pin drop" campaign was a hit. Pretty soon, all telcos were making voice-quality guarantees to their customers, and poor voice quality virtually disappeared as a problem, DeMillo says. At least until the spread of cell phones, anyway. Incidentally, my first-grade teacher tried the pin drop technique, saying that she wanted the classroom to be so quiet she could hear a pin drop. It doesn't work as well when applied to two dozen five-year-olds.

DeMillo's not so sure best-of-breed is going to be a long-term solution for security. "Security has to be dead-on easy" in order to be successful, he told me. "You can't have 5 million devices patched together with different software and operating systems."

Others say best-of-breed would work if the technology was better designed with security in mind. It's been said by more than one IT vendor that technology isn't the problem with creating more secure computing environments, that it's more an issue of collaboration and standards. But when you look at how much effort these IT vendors have to put into patching their systems, you start to wonder where they're coming from. As Paul Kocher, president and chief scientist of Cryptography Research Inc., told me at RSA, "Bugs in Windows are a security problem."

Kocher and others think a move toward collaboration is premature, particularly when security-specific bugs are still such a big problem. "It would be nice to get to ubiquitous security, but right now there are greater security concerns, such as the assurance of individual technologies," he says. For now, technology companies should focus more on the quality of their software and other technologies than on simplicity and administration. Kocher adds, "If the technology systems aren't built properly, it doesn't matter what type of security you have at the user and administrator levels."

Bob Blakley, IBM Tivoli chief scientist for security and privacy, told me, "We've been working on end-to-end security for as long as I've been doing this," which is roughly 27 years. It's a monumental challenge when you consider all of the system components that a piece of data touches on its journey between the user and the database. The Web has only added to the complexity and created more places for something to go wrong.

Better to focus on securing individual system components, Blakley told me. Another thought, and one mentioned by RSA Security CEO Art Coviello and others this week, is to segregate security for different transactions, depending upon the sensitivity of each transaction. Such prioritization would help IT departments better manage risk and prioritize their security efforts. "The idea that we'll design a worldwide, publicly accessible packet-switched network of general-purpose computers that will have end-to-end security for significant transactions is pretty implausible," Blakley told me. "We don't have a systematic way of getting our hands around that level of complexity." Security, he added, is like water tightness: a leak anywhere in the system lets in water.

Others reject both the best-of-breed and the collaborative security product suite approaches. During his keynote, Internet Security Systems president and CEO Tom Noonan envisioned the future of security as an on-demand service that draws upon the "information, assets and unique functions of any network-connected device to create automated and intelligent security."

Noonan is pushing for "security platforms," which are "an enterprise system blueprint, architected from the ground up, to operate as a unified system, ensuring that all threats and vulnerabilities are preemptively addressed, and leveraging best-of-breed components that today exist only as islands of automation and that are left to be integrated and optimized by our customers." A more organic example would be the human immune system, Noonan said during his RSA keynote. As such, security platforms aren't dependent upon which infrastructure, or which applications, are used in a given company, but rather are designed to protect uniformly across a heterogeneous infrastructure.

DeMillo likes the ideas that Noonan floated during his keynote. The on-demand model for security may not be fully developed or feasible at this time, but in theory it gives the security provider an incentive for success or threatens with a penalty for failure. "It's a good model, but the technology isn't there yet," DeMillo added.

On-demand, of course, isn't a new idea. In fact, it's not even a new idea for security. DeMillo told me that while he was CTO at HP, between 2001 and 2003, then-CEO Carly Fiorina was working with then-Intel chief Craig Barrett and Vint Cerf, who at the time was senior VP of technology strategy for MCI, to develop a quality-of-service model for ensuring the integrity of systems that run the country's critical infrastructure. In the wake of 9-11, "government and industry started to see security as a quality-of-service issue, but they didn't have the infrastructure to deliver it at that time," he said. Time took its toll on these efforts, as Fiorina left HP, Barrett stepped down at Intel, and Cerf moved on to Google.

So, who's in the best position to move the on-demand security model forward? Microsoft, through its MSN network, certainly has the infrastructure to deliver and back such a security service if it wants to. DeMillo also singled out Sun as a company that could, through a partnership with a company like Google, deliver on-demand security. Sun has certainly bought into the notion that the network should handle most of the security responsibilities and this week added encryption technology to the mix. The company has been pushing its smart-card-enabled Sun Ray thin clients for years. Sun Rays operate on the premise that the user keeps their valuable security data on a smart card, making the desktops irrelevant as a target for attackers. Hey, isn't Vint Cerf at Google now? Hmm ...
