In the last few years, most of the innovation in security has involved finding clever new ways to do things with existing technologies. Are there revolutionary changes in the wings?
Everyone knows seatbelts are a good idea, but when it comes down to it many of us just forget to put them on. The inevitable result, should we be caught in a prang, goes without saying.
Data security, amazingly enough, isn’t much different. Although malicious hackers have been perpetrating their nasty deeds for decades, it’s only recently that companies have quietly begun to take real ownership of the issue. Much of their action has been driven by September 11, which has focused the global spotlight on the issue of data security. Government officials continue to warn of global cyber-terrorists targeting key corporations and government systems with debilitating cyber attacks.
Thankfully, such threats for the most part remain unfulfilled. But enough businesses have been stung by security breaches—whether internal or external—that early perceptions of “it will never happen to me” have been replaced by more realistic and proactive approaches to security. And as chief executives collectively realise they’ve forgotten to fasten their seatbelts, they’re pulling out the chequebooks to buy better data security.
Gartner Dataquest, for one, has predicted spending on security software will grow by 18 percent this year to reach US$4.3 billion for the year. That’s a significant increase, particularly considering that most other areas of IT spending have been hammered by economic malaise.
Surveys confirm growing interest in security technologies. In a March survey of 225 Australian end users, research firm IDC Australia found interest in new security technologies: firewall appliances, for example, were installed in over 45 percent of sites and planned for installation in another 25 percent of respondents’ sites.
Data encryption and intrusion detection, by contrast, were each running in just over one-third of respondents’ sites, but only a few percent of those surveyed were planning to install those technologies. Smart cards, biometric security, and hardware authentication tokens were by far the most promising sector of the market, with fewer than 20 percent of respondents currently using them but over a quarter of those surveyed planning to implement them.
Plugging the gaps
Just because companies are finally willing to spend on security, however, doesn’t mean they’re getting revolutionary solutions. There have been few major advances in security since intrusion detection systems (IDSes), which monitor networks for signs of suspicious behaviour, appeared on the market en masse several years ago. When planning security, customers typically choose from integrators’ menus of security products that begin with firewalls as the entrée, IDSes and encrypted virtual private networks (VPNs) as the mains, and extras like public key infrastructure (PKI), smartcards, and directory services-based authentication offering additional spice as side dishes. They then work to patch those elements together, Frankenstein style, into a coherent whole.
Integrating those systems, however, is no easy task. Methods of protection vary from product to product, log files and reporting methods are inconsistent, and many products require constant attention and management effort. That has translated into additional heartache for systems administrators, for whom security often becomes an afterthought as they struggle to manage dozens of servers and hundreds of desktops.
The need for constant vigilance has been heightened, in today’s security systems, by the need to continually patch enterprise operating systems. All are vulnerable, as demonstrated by the recent high-profile spat over hackers that published an exploit for a hole in HP’s Tru64 Unix. So adequate security remains a moving target that few can hit.
Antivirus efforts are a great illustration of the futility of many security efforts. Once little more than a nuisance, viruses have become a major productivity issue as ever smarter payloads find new ways of propagating themselves via the world’s e-mail systems.
In March, TruSecure subsidiary ICSA Labs released the results of a survey of 200 US organisations and found they had experienced 113 virus encounters per 1000 machines per month during a 20-month sample period in 2000 and 2001; in 1996, the first such survey turned up just 20 encounters per 1000 machines per month. And that increase comes despite a strong awareness of antivirus and e-mail scanning solutions, which have become common across businesses of every size, but must be regularly updated.
Virus hunting remains a challenging sport, with vendors and hackers exchanging volleys over the heads—and at the expense—of innocent corporate bystanders. “One of the problems with predicting the future of viruses is that if you predict x is going to happen, invariably some of the virus-writing sleazebags will go make it happen,” says Paul Ducklin, head of global support with Sophos Antivirus. “Many customers feel they need to do something completely new because the problem has gotten out of control.”
Light reading
Just what that “something” is, however, is far from clear. Security experts, integrators, and vendors continue to think of enterprise security in terms of existing technology, and most new products are small enhancements to existing offerings. For example, Dutch company NAH6 last month launched a completely encrypted notebook PC that runs Windows on top of an encrypted Linux kernel. Japanese startup Scarabs, for its part, has produced a hard drive with both read-only and read-write heads; this means Web servers (and the hackers that might abuse them) can only read, not write to, the disks.
Such changes are window dressing, however, that do little to change the fact that today’s data security systems are generally based on encryption by obscurity. Their method of hiding data using keys and algorithms is often related to the very difficult mathematical problem of factoring extremely large prime numbers—a task that’s difficult given current technology, but becomes easier every day as computers grow increasingly powerful.
That means any encryption algorithm becomes slightly less secure with every day that passes. Even worse, the security of today’s methods could become entirely irrelevant with the eventual creation of quantum computing systems capable of churning through decryption methods far faster than current systems.
Researchers have long been looking for an absolutely unbreakable method of encryption, and it’s only this year that it has become a reality. Steeped in quantum physics—the esoteric realm of science that deals with the often surprising behaviour of light particles—quantum cryptography relies on the innate characteristics of quantum particles to resolve a nagging problem with conventional cryptography.
Namely, no matter how secure an encryption algorithm is, it’s still theoretically possible for snoopers to intercept encryption keys and use them to decrypt or spoof data transmissions. This has particular implications for the security of the public key infrastructure (PKI) authorisation systems critical to all online encryption, since PKI is all about trust. And if the security of the data can’t be trusted, the whole system loses its value.
The best solution appears to lie with quantum cryptography, a technique that has its roots not in the limits of computing power, but in the immutable laws of nature. In quantum theory, the behaviour of photons—the constituents of light—is described based on their alignment, or polarisation. That polarisation is measured in terms of three aspects: rectilinear, circular, and diagonal measurements. All three are inextricably linked, so if one element is changed, the other two will also change.
Unlike in conventional physics, quantum theory suggests the characteristics and behaviour of any quantum particle actually change when that particle is interacted with. That’s different from electrons, which work the same no matter how they’re shuttled around. And it means that any change to a photon—which includes simply observing it—will change the alignment of that photon. Therein lies the basis of quantum cryptography. Such systems use polarisation to align the photons in correlation with the zeros and ones of the computer data. Those photons are transmitted over fibre-optic cable and received by the observer, and the results are compared with the sent data to ascertain data integrity. If the results don’t match and error rates are too high to be accounted for by random noise, it’s clear that the data has been intercepted in transit.
Quantum cryptographic systems emerged in the early 1970s and were codified when Bennett and Brassard developed BB84, a formal protocol for the exchange and verification of secure data through such a system. However, the technology was not actually demonstrated until 1991, when a lab system succeeded in making BB84 work over just 32cm of fibre-optic cabling.
The distance over which the method works has gradually increased in the intervening decade. Several months ago, University of Geneva spinoff id Quantique (www.idquantique.com) released the first commercially available quantum key distribution system. Able to transmit data over distances of up to 60km, the system is an important step forward in the decades-long quest to turn quantum encryption into a practical reality.
Sixty kilometres is enough to potentially link a corporate customer with a secure PKI provider, offering the potential for completely secure encryption with no chance of interception. But the system currently delivers just 1000 bits—just over 100 bytes—per second, hardly enough to suit large-scale security applications. For now, businesses will need to live with the current security methods taken by more conventional PKI providers.
