This story was printed from ZDNet Australia.
Security innovation: Building a better louse trap
By David Braue, September 09, 2002
URL: http://www.zdnet.com.au/news/security/soa/Security-innovation-Building-a-better-louse-trap/0,130061744,120268032,00.htm
In the last few years, most of the innovation in security has involved finding clever new ways to do things with existing technologies. Are there revolutionary changes in the wings?

Everyone knows seatbelts are a good idea, but when it comes down to it many of us just forget to put them on. The inevitable result, should we be caught in a prang, goes without saying. Data security, amazingly enough, isn't much different. Although malicious hackers have been perpetrating their nasty deeds for decades, it's only recently that companies have quietly begun to take real ownership of the issue. Much of their action has been driven by September 11, which has focused the global spotlight on the issue of data security. Government officials continue to warn of global cyber-terrorists targeting key corporations and government systems with debilitating cyber attacks. Thankfully, such threats for the most part remain unfulfilled. But enough businesses have been stung by security breaches, whether internal or external, that early perceptions of "it will never happen to me" have been replaced by more realistic and proactive approaches to security.

And as chief executives collectively realise they've forgotten to fasten their seatbelts, they're pulling out the chequebooks to buy better data security. Gartner Dataquest, for one, has predicted that spending on security software will grow by 18 percent this year to reach US$4.3 billion. That's a significant increase, particularly considering that most other areas of IT spending have been hammered by economic malaise.

Surveys confirm growing interest in security technologies. In a March survey of 225 Australian end users, research firm IDC Australia found interest in new security technologies: firewall appliances, for example, were installed in over 45 percent of sites and planned for installation in another 25 percent of respondents' sites.
Data encryption and intrusion detection, by contrast, were each running in just over one-third of respondents' sites, but only a few percent of those surveyed were planning to install those technologies. Smart cards, biometric security, and hardware authentication tokens were by far the most promising sector of the market, with fewer than 20 percent of respondents currently using them but over a quarter of those surveyed planning to implement them.

Plugging the gaps

Just because companies are finally willing to spend on security, however, doesn't mean they're getting revolutionary solutions. There have been few major advances in security since intrusion detection systems (IDSes), which monitor networks for signs of suspicious behaviour, appeared on the market en masse several years ago. When planning security, customers typically choose from integrators' menus of security products that begin with firewalls as the entrée, IDSes and encrypted virtual private networks (VPNs) as the mains, and extras like public key infrastructure (PKI), smartcards, and directory services-based authentication offering additional spice as side dishes. They then work to patch those elements together, Frankenstein style, into a coherent whole.

Integrating those systems, however, is no easy task. Methods of protection vary from product to product; log files and reporting methods are inconsistent, with each product using its own timestamp format, field names and notion of what counts as an event; and many products require constant attention and management effort. That has translated into additional heartache for systems administrators, for whom security often becomes an afterthought as they struggle to manage dozens of servers and hundreds of desktops. The need for constant vigilance has been heightened, in today's security systems, by the need to continually patch enterprise operating systems. All are vulnerable, as demonstrated by the recent high-profile spat over hackers that published an exploit for a hole in HP's Tru64 Unix. So adequate security remains a moving target that few can hit.
Antivirus efforts are a good illustration of the futility of many security efforts. Once little more than a nuisance, viruses have become a major productivity issue as ever smarter payloads find new ways of propagating themselves via the world's e-mail systems. In March, TruSecure subsidiary ICSA Labs released the results of a survey of 200 US organisations and found they had experienced 113 virus encounters per 1000 machines per month during a 20-month sample period in 2000 and 2001; in 1996, the first such survey turned up just 20 encounters per 1000 machines per month. And that increase comes despite strong awareness of antivirus and e-mail scanning solutions, which have become common across businesses of every size but must be regularly updated. Virus hunting remains a challenging sport, with vendors and hackers exchanging volleys over the heads, and at the expense, of innocent corporate bystanders.

"One of the problems with predicting the future of viruses is that if you predict x is going to happen, invariably some of the virus-writing sleazebags will go make it happen," says Paul Ducklin, head of global support with Sophos Antivirus. "Many customers feel they need to do something completely new because the problem has gotten out of control."

Light reading

Just what that something is, however, is far from clear. Security experts, integrators, and vendors continue to think of enterprise security in terms of existing technology, and most new products are small enhancements to existing offerings. For example, Dutch company NAH6 last month launched a completely encrypted notebook PC that runs Windows on top of an encrypted Linux kernel. Japanese startup Scarabs, for its part, has produced a hard drive with both read-only and read-write heads; this means Web servers (and the hackers that might abuse them) can only read, not write to, the disks.
Such changes are window dressing, however, that do little to change the fact that today's data security systems rest on computational assumptions rather than on proof. The algorithms themselves are public; what is secret is the key, and the security of the system is the assumption that recovering the key from what an attacker can observe is computationally infeasible. For the public-key systems in common use, that assumption is typically the difficulty of factoring a very large number that is the product of two large primes, a task that is hard given current technology but becomes easier as computers grow more powerful and factoring methods improve. That means a key of any fixed length loses a little of its safety margin with every year that passes. Even worse, the security of today's public-key methods could become entirely irrelevant with the eventual creation of quantum computers: Shor's algorithm, already known on paper, would let such a machine factor large numbers efficiently.

Researchers have long been looking for a method of key exchange whose security does not depend on such assumptions, and it's only this year that it has become a commercial reality. Steeped in quantum physics, the esoteric realm of science that deals with the often surprising behaviour of light particles, quantum cryptography relies on the innate characteristics of quantum particles to resolve a nagging problem with conventional cryptography. Namely, no matter how secure an encryption algorithm is, its keys still have to be distributed, and it's still theoretically possible for snoopers to intercept encryption keys in transit and use them to decrypt or spoof data transmissions without either party noticing. This has particular implications for the security of the public key infrastructure (PKI) systems critical to online encryption, since PKI is all about trust. And if the security of the keys can't be trusted, the whole system loses its value.

The best solution appears to lie with quantum cryptography, a technique that has its roots not in the limits of computing power but in the laws of physics. In quantum theory, the behaviour of photons, the constituents of light, is described in part by their alignment, or polarisation. Polarisation can be measured in any of three mutually incompatible ways, or bases: rectilinear (horizontal or vertical), diagonal, and circular (left or right).
The three are inextricably linked: a photon prepared with a definite polarisation in one basis has no definite value in the other two, so measuring it in a different basis gives a random answer and destroys the original polarisation. Unlike a classical signal such as a voltage on a copper wire, which can be copied and re-sent without anyone noticing, a single photon cannot be read without disturbing it, and it cannot be cloned. Any change to a photon, which includes simply observing it in the wrong basis, changes the alignment of that photon. Therein lies the basis of quantum cryptography.

Such systems use polarisation to encode the zeros and ones of a random key in the photons. Those photons are transmitted over fibre-optic cable and measured by the receiver, and a sample of the results is compared with what was sent to check for tampering. If the results don't match and error rates are too high to be accounted for by random noise in the fibre and detectors, it's clear that the photons have been intercepted in transit, and the key is discarded. Note that what is distributed this way is a key; the data itself is still encrypted conventionally with that key, and the comparison of bases and samples happens over an ordinary channel that must be authenticated, or an attacker could simply impersonate each end to the other.

Quantum cryptographic ideas emerged in the early 1970s and were codified in 1984 when Bennett and Brassard developed BB84, a formal protocol for exchanging a key through such a system and verifying that it has not been observed. However, the technology was not actually demonstrated until 1991, when a lab system succeeded in making BB84 work over a path of just 32cm. The distance over which the method works has gradually increased in the intervening decade. Several months ago, University of Geneva spinoff id Quantique (www.idquantique.com) released the first commercially available quantum key distribution system. Able to distribute keys over distances of up to 60km, the system is an important step forward in the decades-long quest to turn quantum encryption into a practical reality. Sixty kilometres is enough to potentially link a corporate customer with a secure PKI provider, offering key exchange in which any interception is detectable.
But the system currently delivers just 1000 bits (125 bytes) of key per second. That is enough to rekey a conventional cipher frequently, but nowhere near enough to use the quantum key as a one-time pad for bulk traffic, which is the only mode in which the encryption itself, and not just the key exchange, is unconditionally secure. For now, businesses will need to live with the current security methods taken by more conventional PKI providers.

Computer, heal thyself

While quantum physicists work through the practical challenges necessary to make quantum encryption more than a research novelty, other researchers are focusing their efforts on improving the intelligence of security systems. In particular, there is considerable movement towards helping customers build intelligent, self-monitoring, and self-managing IT systems. Researchers have expended considerable effort devising ways to model the human immune system in the design of tomorrow's computers. Just as a body's immune response depends on its ability to quickly recognise and defeat intruding pathogens, computers need to be able to recognise changes in a system's behaviour and proactively move to remedy the situation. Methods for doing this, however, are not intuitive: computers lack the inherent self-awareness necessary to continually monitor themselves and perform their normal tasks at the same time.

Work in artificial immunology, however, promises to change this, particularly with respect to intrusion detection systems. Such systems have typically relied on matching observed behaviour with well-understood patterns (signatures) that indicate malicious activity. But hackers who are familiar with IDS techniques have proven extremely persistent at working around the systems, for instance by encoding or fragmenting an attack so that it no longer matches the signature; to foil them, developers want to give the systems the ability to identify potentially dangerous network activities by observing them and judging their nature rather than by recognising a known pattern. IBM offered a glimpse of this technique with the recent release of the latest version of its DB2 database. DB2, which once sat passively by waiting for applications to request that it store or retrieve information, has now been designed to continually monitor, and optimise, its own performance.
If DB2 detects that a configuration error is slowing down performance, it can automatically tweak the setting or notify its human administrators of the problem. If it senses that a different data structure could improve its ability to return meaningful results, it can restructure the data on the fly. Extrapolating this approach to the security field requires a similar sense of self-awareness on the part of the application, although in this paradigm that self-awareness must stretch far across the enterprise to meaningfully integrate all manner of point security products. Just how to make that happen has been a point of much deliberation on the part of security vendors keen to turn the digital immune system into reality.

Making sense of it all

In the shorter term, technologists are facing the far more pressing challenge of managing the data already being produced by the various components of the security system. Dr Tim Cranny, senior consulting engineer with managed security provider 90East, believes implementation of such monitoring systems will be the next major step in the consolidation of enterprise IT security systems. "We don't need more data," he says. "We just need the intelligence to analyse it better. At the end of the day, it often comes down to having a human being in the loop. But that's expensive and imperfect, and responds at a human time scale. That's the problem everyone is facing: we need expert systems, neural networks, and genetic algorithm type systems that can fill the same role as a medium-level trained human being."

One early entrant into this race is Sydney startup Tier-3, whose flagship Huntsman product is built around an artificial intelligence engine for picking out correlations between data streams emanating from all manner of security products. By cross-tabulating log entries showing suspicious events (an IDS alert against a host, say, alongside what the firewall recorded about the same connection), Huntsman is proving remarkably adept at weeding out the flood of false positives that often obscure visibility of real attacks against a company.
"We see companies with access to technology, and expertise to use it, get hacked every day of the week even though they have all this technology and have the right people to do it," says Tier-3 products director Mike Collins, one of a small group of security consultants who founded Tier-3 several years ago in an effort to facilitate more proactive security. "Any hacker that's any good has probably covered his tracks, so 95 percent of the time all we could do was recommend things our clients could do to prevent it happening again in the future. We see the problem as an issue of managing the infrastructure and putting context around the security information you collect. We've seen hundreds of thousands of alerts per day, and [Huntsman] has tuned that down to hundreds per day. That's far more manageable for security staff to sift through."

And just as a security guard must watch monitors covering all different areas of a building, so too must those charged with information security find a way to observe goings-on across the entire infrastructure. Given that solutions like Huntsman support a broad range of third-party logging formats from various security platforms, applying artificial intelligence and pattern recognition technology to their output could finally consolidate the security mechanisms companies have installed.

Community interest

The need to add expert analysis and self-healing capabilities may ultimately drive many companies to involve external firms offering managed security services. Customer timidity has so far limited these companies to relatively small roles such as responding to firewall and intrusion detection system alerts. However, growing recognition of the need for companies to up their security game should drive increasing reliance on outside parties. IDC, for one, has projected the market for managed security services will grow from US$720 million in 2000 to US$2.2 billion by 2005, a healthy 25 percent compound annual growth rate.
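The two problems described above, inconsistent log formats from different products and the need to put context around each alert, can be illustrated together. The following is an added example written for this article, not Huntsman's code or any vendor's: it normalises two differently laid-out logs (a key=value firewall log and Snort-style IDS alerts, both constructed here, with the field names, the year and the 30-second correlation window being assumptions of the example) into one event shape, then uses the firewall's view of each connection to decide whether an IDS alert was blocked before it reached the target, merely needs review, or should be escalated because the target then connected back to the attacker.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (not real product output) in two different layouts,
# the kind of inconsistency the article complains about.  Firewall lines are
# key=value; IDS lines follow a Snort-style "fast" alert layout, with signature
# IDs in the local (user-defined) range.
FIREWALL_LOG = """\
2002-09-09 10:00:01 fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2002-09-09 10:00:02 fw1 action=deny src=203.0.113.7 dst=192.0.2.11 dport=80 proto=tcp
2002-09-09 10:00:03 fw1 action=accept src=203.0.113.7 dst=192.0.2.12 dport=80 proto=tcp
2002-09-09 10:00:09 fw1 action=accept src=192.0.2.12 dst=203.0.113.7 dport=4444 proto=tcp
2002-09-09 10:01:00 fw1 action=accept src=198.51.100.5 dst=192.0.2.12 dport=80 proto=tcp
"""
IDS_LOG = """\
09/09-10:00:01.120 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] {TCP} 203.0.113.7:40001 -> 192.0.2.10:80
09/09-10:00:02.220 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] {TCP} 203.0.113.7:40002 -> 192.0.2.11:80
09/09-10:00:03.310 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] {TCP} 203.0.113.7:40003 -> 192.0.2.12:80
09/09-10:01:00.050 [**] [1:1000002:1] WEB-MISC robots.txt access [**] {TCP} 198.51.100.5:5000 -> 192.0.2.12:80
"""
LOG_YEAR = 2002  # assumption: the IDS layout omits the year

FW_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ action=(?P<action>\w+) "
                   r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
IDS_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[[^\]]+\] (?P<sig>.+?) \[\*\*\] "
                    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_firewall(text):
    """Normalise firewall lines into events: {ts, src, dst, dport, action}."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than silently mangled
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                       "action": m["action"]})
    return events


def parse_ids(text, year=LOG_YEAR):
    """Normalise IDS alerts into the same field names as the firewall events."""
    alerts = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        alerts.append({"ts": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                       "sig": m["sig"]})
    return alerts


def _within(t1, t2, seconds):
    return abs((t1 - t2).total_seconds()) <= seconds


def triage(fw_events, ids_alerts, window_s=30):
    """Put firewall context around each IDS alert.

    blocked  : the firewall denied the matching connection, so the attack never reached the target
    escalate : the firewall accepted it and the target then opened a connection back to the attacker
    review   : accepted, but nothing in the firewall log corroborates a compromise
    """
    verdicts = []
    for a in ids_alerts:
        same_flow = [e for e in fw_events
                     if (e["src"], e["dst"], e["dport"]) == (a["src"], a["dst"], a["dport"])
                     and _within(e["ts"], a["ts"], window_s)]
        reverse = [e for e in fw_events
                   if e["action"] == "accept" and e["src"] == a["dst"] and e["dst"] == a["src"]
                   and 0 <= (e["ts"] - a["ts"]).total_seconds() <= window_s]
        if same_flow and all(e["action"] == "deny" for e in same_flow):
            verdict = "blocked"
        elif reverse:
            verdict = "escalate"
        else:
            verdict = "review"
        verdicts.append({**a, "verdict": verdict})
    return verdicts


def summarise(verdicts):
    """Count alerts per verdict: the figure an analyst actually has to read."""
    return Counter(v["verdict"] for v in verdicts)


if __name__ == "__main__":
    v = triage(parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG))
    for item in v:
        print(f"{item['verdict']:9} {item['sig']:28} {item['src']} -> {item['dst']}:{item['dport']}")
    print(dict(summarise(v)))
```

Of the four constructed alerts, two are discarded as blocked, one is left for routine review, and one is escalated because the firewall shows the attacked web server opening an outbound connection to the attacker seconds later. The reduction is modest on four lines, but the same rules applied to a day's worth of scanner noise are what turns hundreds of thousands of alerts into hundreds.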
In the future, security will clearly be a group effort, particularly amongst smaller companies that don't have the resources to hire and keep security-savvy employees.

Hardware providers will also play a more active role in enterprise security. By building firewall capabilities into high-capacity network switches, infrastructure equipment vendors will allow telecommunications companies to make security services an integral part of their service offerings. Nortel Networks, for one, recently launched a firewall-based, VPN-capable appliance capable of managing 3.2Gbps of aggregate throughput and 500,000 concurrent connections per second. "We're looking to make sure security does not mean a huge performance trade-off," says Atul Bhatnagar, Intelligent Edge vice president and general manager with Nortel Networks. "In the next two to three years, these appliances will come back into the switching fabric in a more meaningful manner."

Hardware will also play a critical part in Microsoft's Palladium initiative, the company's much-discussed but so far little-detailed strategy for building a network of trusted systems online. Palladium is clearly designed to facilitate Microsoft's push towards Web services, since ensuring the identity of online systems is key to building a trusted Web services infrastructure. But Palladium could well end up dead in the water: it depends on PC users to turn on a system that currently offers them no real benefit, but would force a major re-engineering of application infrastructures and security methods. Given the almost universal uproar that came when Intel dared to put just a serial number in its processors, there is likely to be even stronger opposition to Palladium. And without a compelling business case, it's likely that the corporate community may be equally sceptical.

Short-term solutions

Practical or not, even Microsoft concedes that initiatives like Palladium are years away.
Completely new methods such as quantum cryptography will take equally long to become practical. For now, companies will continue to couch their security initiatives in terms of existing technology. But is that enough? As malicious hackers have demonstrated time and again, the patience of an attacker cannot be underestimated. The steady stream of Web site exploits, server vulnerabilities, and buffer overflow problems has failed to slow despite widespread awareness of security problems and a culture that's become far more accepting of hackers sharing their findings with the general public. Meanwhile, most companies are still struggling to make effective use of the security technologies they've already bought.

True security requires continual revisiting, both of technological protections and of the corporate policies that must be created to match. It also, like it or not, will require continual funding and a commitment to the firefighting that has become a way of life for anyone involved in security. This will be the primary way of minimising the threat from software vulnerabilities until radical change can be effected. And that change doesn't come easily.

"It's become clear in the past year that what we need isn't going to be built out of the things we've had," says Calum Russell, solutions marketing manager for IT infrastructure with Microsoft Australia. "You cannot say that security is just about patching software, and making passwords ever more complex is not the quantum leap that we need. But we're not going to see it out for a while. It's an evolution, and it's going to take some time."

Security: plan for the here and now

Talking about the future of security is one thing, but it doesn't help businesses planning security initiatives now. When thinking about future security, many tried and true words of advice still ring true:

1. Obscurity is not a defence. The "it can't happen to me" syndrome means many businesses have seen data security as someone else's problem.
But on the Internet, everybody is an equal target: automated scanning does not care who you are. Small businesses need to think about these issues as much as anybody else.

2. Diversity is a necessary evil. Security research has been widely distributed around the world, meaning that individual tools typically do just one thing. That means a complete security defence requires multiple products, and that raises the spectre of integration. Find out how well your security products work together, and consider a higher-level solution that can analyse output from many subordinate products.

3. Use the Net when you can. Encrypted Virtual Private Networks (VPNs) are being successfully used for all manner of secure communications across the Net. One US nuclear power station recently began using VPNs to transmit secure status information to a central monitoring point. If it's good enough for them, it's good enough for you: VPNs are the most cost-effective security technology for the near future.

4. Good authentication is crucial. Security systems handling user access are a common weak point for many companies; passwords alone just don't hack it. Consider biometrics, smartcards or other hardware tokens that add an extra factor to user authentication. Also consider backing these with an enterprise-wide directory service that allows for enforcement of consistent security policies.

5. Policies are everything. Security technology without policies is like a sailboat without a sail. To make sure you don't get sunk, work with business leaders to identify and formalise necessary policies for data security. These include people, technology, and business policies.

6. The biggest threat lies within. Stories about malicious hackers peering through your windows and pushing through your gates may make great press, but surveys consistently show that internal employees, who often abuse legitimate access to cause extensive data damage, are the biggest threat.
Management, not technology, is the solution here: know your people well, and know what they're doing even better.

7. Speed counts. Good security is mathematically intensive, particularly at high volumes. While users won't mind waiting a little for a secure network connection, undue delays can hinder productivity. Make sure your security products have room to move; security appliances are good for this reason, because they don't have to share processor cycles with other applications.

8. Seatbelts can hurt you if you don't wear them right. Simply installing security products isn't going to do much for your overall security if they're not configured correctly. Many security products ship with intentionally permissive default settings that can leave your network open to attack. Make sure every door they provide into your network has been closed, and monitor every pathway you retain.

9. Don't skimp on people. You pay security guards handsomely to make sure nobody breaks into your offices; why do anything different for your data? Technicians with proven skills in building and enforcing security policies are few and far between, but can mean the difference between good security and none at all. Don't be afraid to pay well to lure the best security talent.

10. A security panacea is a long way off. The need to prove new security technologies work means a long lag time between when they're invented and when they actually matter to your company. Keep one eye on future security trends, but don't lose focus on the here and now; future security won't help you if data loss makes your business go bust in the meantime.

BB84's new approach to encryption

Quantum encryption emerged as a concept in the 1970s, but it wasn't until 1984 that a workable protocol describing its operation emerged.
That protocol, called BB84 and developed by Charles Bennett and Gilles Brassard, provided a framework for quantum key distribution that lets the sender and recipient check whether the key bits had been observed in transit. Distance has always been a factor in the efficacy of light-based transmission, and BB84 was no exception. When it was first demonstrated in 1991, BB84 ran over just 32cm, far too little to be of real commercial value. Improvements over the years, however, have gradually extended this to the point that today's equipment can work over fibre-optic cable runs of up to 60km.

In a BB84 implementation, a sender and receiver, usually called Alice and Bob for simplicity's sake, want to securely agree on an encryption key. Alice uses a laser or LED to produce short bursts of low-intensity light, ideally a single photon at a time. For each pulse she picks a random bit and a random basis, rectilinear (horizontal or vertical) or circular (left-circular or right-circular), polarises the pulse accordingly, and transmits it along the fibre. Bob measures each pulse in a basis of his own random choosing; his reading is reliable only when his basis matches the one Alice used, and is random otherwise. Bob then tells Alice, over an ordinary channel, which basis he used for each pulse (but not what he measured). Alice compares this sequence with the bases she actually used and tells Bob which positions agree. Alice and Bob then discard every position where the bases did not match (and therefore did not produce a reliable result). What remains, the sifted key, is translated back into bits: left-circular or horizontally polarised light equals a 0 bit, while right-circular or vertically polarised light corresponds to a 1 bit. By adding some additional steps, Alice and Bob can check whether their transmission has been affected by noise or eavesdropping.
This is done by splitting the sifted key into blocks small enough that each block would not normally contain more than one error. A parity bit is calculated for each block and compared over the public channel; because each comparison reveals one bit of information about the key, the last bit of each block is then discarded. For every block whose parities differ, the two sides narrow down the position of the error by comparing parities of successively smaller sub-blocks, and Bob corrects it. Only parities are ever made public, never the key bits themselves, and the key bits are random, so an eavesdropper learns little from the exchange; an error rate above what line noise can account for tells Alice and Bob that someone has been measuring the photons, and they throw the key away. BB84's high level of communication between nodes limits its speed significantly, however: contemporary systems only offer around 1000 bits per second of key. That's enough to support extremely low-volume research work but is far too slow for commercial-grade applications.

The concept becomes clearer when illustrated graphically. This explanation was adapted from a helpful tutorial by Dartmouth College PhD student Jamie Ford, located at www.cs.dartmouth.edu/~jford/crypto.html. Frederick Henle, a peer of Ford's, offers an interactive demonstration of the BB84 protocol at www.cs.dartmouth.edu/~henle/Quantum. Both are worth a look to better understand the concept.
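The exchange described in the main article and in the sidebar above, as an added example that is not part of the original article and is not id Quantique's code or the Dartmouth demonstrations: a classical simulation of BB84 in which photons are modelled as (bit, basis) pairs and a measurement in the wrong basis returns a random bit and loses the original polarisation. It runs the sift, estimates the error rate with and without an intercept-and-resend eavesdropper, and performs one pass of the block-parity reconciliation the sidebar outlines. The basis labels, block size of 8 and the function names are assumptions of the example; the measurement rule is the one property of single photons the protocol depends on.

```python
import random

# Two conjugate bases, as in the original BB84 paper: rectilinear (+) and
# circular (O).  Bit encoding follows the sidebar: 0 = horizontal or
# left-circular, 1 = vertical or right-circular.
RECTILINEAR, CIRCULAR = "+", "O"
BASES = (RECTILINEAR, CIRCULAR)


def measure(photon, basis, rng):
    """Measure a simulated photon (bit, preparation basis) in `basis`.

    A photon measured in the basis it was prepared in yields the encoded bit.
    Measured in the conjugate basis it yields a uniformly random bit, and the
    original polarisation is gone: this is the disturbance BB84 relies on.
    """
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randrange(2)


def alice_prepare(n, rng):
    """Alice picks a random bit and a random basis for each of n pulses."""
    bits = [rng.randrange(2) for _ in range(n)]
    bases = [rng.choice(BASES) for _ in range(n)]
    return bits, bases, list(zip(bits, bases))


def eve_intercept_resend(photons, rng):
    """Eve measures every photon in a guessed basis and re-sends what she saw."""
    out = []
    for photon in photons:
        basis = rng.choice(BASES)
        out.append((measure(photon, basis, rng), basis))
    return out


def bob_measure(photons, rng):
    bases = [rng.choice(BASES) for _ in photons]
    return bases, [measure(p, b, rng) for p, b in zip(photons, bases)]


def sift(alice_bits, alice_bases, bob_bases, bob_results):
    """Keep positions where the bases matched.  Only the bases are exchanged
    over the (authenticated) public channel; the bit values never are."""
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return [alice_bits[i] for i in keep], [bob_results[i] for i in keep]


def parity(bits):
    return sum(bits) % 2


def reconcile(alice_key, bob_key, block_size=8):
    """One pass of the block-parity reconciliation the sidebar outlines.

    Alice and Bob compare the parity of each block in public.  A block whose
    parities differ is binary-searched with further parity comparisons until
    the single differing bit is found, and Bob flips it.  Every disclosed
    parity leaks one bit about the key, so the last bit of each range whose
    parity was disclosed is dropped by both sides.  A block with an even
    number of errors passes undetected in one pass; real systems run several
    passes over shuffled block boundaries.
    """
    a, b = list(alice_key), list(bob_key)
    drop = set()

    def parities_differ(lo, hi):
        drop.add(hi - 1)              # the parity of a[lo:hi] is now public
        return parity(a[lo:hi]) != parity(b[lo:hi])

    for start in range(0, len(a), block_size):
        lo, hi = start, min(start + block_size, len(a))
        if not parities_differ(lo, hi):
            continue
        while hi - lo > 1:            # binary search for the odd error
            mid = (lo + hi) // 2
            if parities_differ(lo, mid):
                hi = mid
            else:
                lo = mid
        b[lo] ^= 1                    # Bob corrects the located bit
    return ([x for i, x in enumerate(a) if i not in drop],
            [x for i, x in enumerate(b) if i not in drop])


def run_bb84(n_photons, eavesdropper=False, seed=0):
    """Run one exchange; return the sifted keys and the observed error rate."""
    rng = random.Random(seed)
    alice_bits, alice_bases, photons = alice_prepare(n_photons, rng)
    if eavesdropper:
        photons = eve_intercept_resend(photons, rng)
    bob_bases, bob_results = bob_measure(photons, rng)
    a_key, b_key = sift(alice_bits, alice_bases, bob_bases, bob_results)
    errors = sum(x != y for x, y in zip(a_key, b_key))
    return {"sifted_bits": len(a_key),
            "error_rate": errors / len(a_key) if a_key else 0.0,
            "alice_key": a_key, "bob_key": b_key}


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eavesdropper=eve)
        print(f"eavesdropper={eve}: sifted {r['sifted_bits']} bits, "
              f"error rate {r['error_rate']:.3f}")
```

With no eavesdropper and no noise the sifted keys agree exactly; an intercept-and-resend attacker guesses the wrong basis half the time and corrupts half of those bits, so the error rate jumps to roughly 25 percent, far above anything fibre noise could explain. Real systems also sacrifice a random sample of sifted bits to estimate that rate directly, and then apply privacy amplification to squeeze out whatever an eavesdropper might have learned from the public parities.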
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.