One startup, Datasynapse, says built-in encryption, firewall via its WebProc offering is the answer
Peer-to-peer computing may be finding a home in the enterprise, but the rush to apply the Napster model to things like anti-virus networks, online collaboration, file sharing and, now, processor- power sharing has some fearing that security is being left behindâ€"again.
As myCIO.com rolled out its peer-to-peer anti-virus updating software, called Rumor, its sibling company, McAfee, sent out an anti-virus update file that crashed Windows PCs. Had that corrupted anti-virus file been sent to a Rumor network, the file could have proliferated exponentially faster. The lesson: Architects mapping out a peer-to-peer platform must make sure the security is rock solid. Otherwise, mistakes or hacks will spread faster and with more damage.
As it currently exists, peer-to-peer technology of any sort is "a big ... hole in your network," said Mike Prest, security administrator at Allstate Insurance. "The more peer-to-peer you see, the more you're inviting hackers to attack this whole new area. It will take a lot to secure it. Any time you turn a client into a server, you're creating a potentially big problem."
To help address those concerns, a peer-to-peer upstart, Datasynapse, will launch its distributed computing software this week that has the kind of security enterprises will demand built-in.
Datasynapse's take on peer-to-peer isn't application or file sharing. Rather, its WebProc product shares processing power. The company's software taps idle clients' CPUs for complex computations, cutting down exponentially the time it takes to do complex tasks. WebProc clients locate idle peers and instruct them to do some calculations. As soon as a user activates his or her computer, WebProc takes the work that computer was doing and moves to another idle client.
Datasynapse is initially targeting financial services, which have large accounting and analysis transactionsâ€"and a high demand for security. Company CEO Peter Lee says the com pany will meet that demand through built-in encryption and authentication in WebProc. Datasynapse is also partnering with Zone Labs Inc., maker of the ZoneAlarm firewall, offering every WebProc client a personal firewall as well.
But it's easier said than done. And observers point out that the addition of encryption will slow the normally quick pace of nonsecure peer-to-peer technologies.
"You have to limit the scope of what an application can do; that takes engineering," said Zone Labs Vice President Fred Felman, in San Francisco. "You have to make sure the PCs are used appropriately; that takes policy. And you have to create a system where all the peers are who you trust them to be and doing only what you want them to. That takes both engineering and policy. This will take work at every level of security to get it right."
Another peer-to-peer venture that is struggling early with security is Groove Networks. Developers are learning how to control access and document versioning without a central repository for managing keys and documents. Groove ran into a particularly thorny version of this problem during the development of its new platform, which lets users share documents and other data.
To address security, Groove plans to roll out a "managed client" early next year that will enable some central administrative functions and the ability to set user policies from a central console.
That, however, seems to chip away at the decentralized architecture that makes peer-to-peer appealing in the first place. And it calls into question whether this first generation of peer-to-peer enterprise applications is secure enough.
Nimisha Asthagiri, principal engineer at Groove, talks as if peer-to-peer, in its current state, is not ready. Groove's managed client "[is] what IT managers really need to make a platform like this work," Asthagiri said.
"[Security] is a big oversight in this first generation of peer-to-peer," said Frank Bernhard, an analyst at Omni Consulting Group.
"If you're really going to share files across a peer-to-peer network, you need more than password authentication first. And then, how does encryption fit in? It's a lot of overhead, but isn't it necessary? I don't think we've answered these questions yet."
