by Brian Fonseca

Security’s next steps

feature
Jan 10, 2003

Next-generation security technologies push the envelope to address evolving threats

See correction below

If the multifaceted computer attack threats and surprises of the past year are any indication, 2003 could shake out to be as tumultuous and unpredictable as its predecessor.

Luckily, a host of next-generation security technology advancements, ranging from encryption and physical biometric identification to revamped perimeter protection, may arm end-users with a new arsenal of security tools to defend against the unknown.

“[Software providers] still don’t get it. We still see a lot of solutions proposed to us that don’t have security controls put in. It’s still a problem,” says Carrie Jensen-Badaa, global information security manager at San Francisco-based Barclays Global Investors (BGI).

Making current security options even less palatable, according to Jensen-Badaa, is that security-embedded solutions often arrive disabled, impeding performance. “I think most buyers today would prefer to have to turn security off rather than turn it on.”

Jensen-Badaa would like to see next-generation security integration with enterprise monitoring tools, such as Hewlett-Packard OpenView and Computer Associates’ Unicenter, as well as those from IBM/Tivoli and BMC Software. This would create a centralized alerting and monitoring platform, thereby eliminating redundancy (see “Managing it all”).

“Things that are out there now are so complicated and complex they’re really not feasible. And I see more of those products falling back and taking a simplistic approach and fine-tuning their feature sets to be more simplistic,” says Raleigh Burns, a security administrator at St. Elizabeth Medical Center for Northern Kentucky. “I’d like to see more things integrate. That’s where [security] is heading.”

Firewalls heat up

Firewall vendors have closely followed computer attackers, who have shifted tactics away from the network and are instead targeting Web server applications through Port 80 or Port 443, as well as mail server applications through Port 25.

Nir Zuk, CTO of Sunnyvale, Calif.-based NetScreen Technologies, says his company is merging ID (intrusion detection) protection technology it absorbed from its 2002 OneSecure acquisition with its firewall platform. The security appliance maker expects to have full application layer security in a stand-alone product by mid-2003.

Microsoft is also poised to push the security integration envelope with last week’s release of Feature Pack 1 for ISA server. Downloadable from the Web and installed on top of Microsoft IIS (Internet Information Server), Feature Pack 1 heavily favors Microsoft’s desire to incorporate application-layer security into its firewall to create intuitive security management, says Lucian Lui, ISA product manager at Redmond, Wash.-based Microsoft.

“Customers are telling us, ‘We don’t understand what’s going on in the firewall; what the rules are doing. It’s a black box,’ ” Lui says. “There are some clever things we can build into firewalls to get smarter about logs and filtering, … thinking about how online services and Web services interact in this space.”

Microsoft will build future versions of ISA server to manage threats beyond the network edge, enabling SOAP and XML filtering as well as .Net Framework integration. The goal is to address the next stage of application security, such as Web services, and existing customer pains — such as directory traversal over the firewall and DMZ, IM issues, and SQL server attacks.

Encryption’s quantum leap

While firewalls beef up, cryptography will get a quick lesson in physics. Quantum cryptography, which uses principles of quantum physics to encrypt data and track attempts to steal it, is one next-generation security technology attracting more attention.

MagiQ Technologies’ quantum-key distribution hardware box, Navajo, pushes this technology toward business use. Designed to flip randomly generated digital keys once a second to keep prying eyes away from data traveling over fiber-optic lines, Navajo allows users to implement any encryption method to guarantee a message has been securely delivered between two parties — and that no copy exists.

Based on the laws of quantum mechanics, the technology works on a series of triggers: Once someone reads quantum-encrypted information, the data is altered on a molecular level. After a correction procedure is conducted by the sender and receiver, the high error rate found in comparing the original and received messages will produce eavesdropper evidence and outline the form of attack used to steal the information, explains Bob Gelfond, CEO and founder of New York-based MagiQ.

“Quantum cryptography does not use mathematical complexity; it relies on laws of physics to guarantee its success,” Gelfond says. “You can’t clone or copy a photon in any way and don’t have to worry about a message being compromised.”
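The error-rate check described above can be seen in a small simulation. This is an added example, not code from the article or from MagiQ; it assumes a BB84-style exchange with an intercept-and-resend eavesdropper, a protocol the article does not name, and the function names and the 10 percent alarm threshold are illustrative.

```python
import random

def run_key_exchange(n_photons, eavesdrop, seed=0):
    """Simulate a BB84-style exchange (assumed protocol, not named in the article).

    Returns (sifted_key_length, error_rate) for the positions where the
    sender and receiver happened to use the same basis.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    sifted = errors = 0
    for _ in range(n_photons):
        bit = rng.randint(0, 1)          # sender's secret bit
        send_basis = rng.randint(0, 1)   # 0 = rectilinear, 1 = diagonal
        photon_bit, photon_basis = bit, send_basis

        if eavesdrop:
            # The eavesdropper must guess a basis. A wrong guess yields a
            # random result, and the photon she resends carries her basis.
            tap_basis = rng.randint(0, 1)
            if tap_basis != photon_basis:
                photon_bit = rng.randint(0, 1)
            photon_basis = tap_basis

        recv_basis = rng.randint(0, 1)
        # Measuring in the wrong basis gives a coin flip.
        recv_bit = photon_bit if recv_basis == photon_basis else rng.randint(0, 1)

        # Sifting: both sides publicly compare bases and keep only matches.
        if recv_basis == send_basis:
            sifted += 1
            errors += (recv_bit != bit)
    return sifted, (errors / sifted if sifted else 0.0)

def eavesdropper_suspected(error_rate, threshold=0.10):
    """Flag the exchange when the compared bits disagree too often.

    The threshold is an illustrative value chosen for this example.
    """
    return error_rate > threshold

if __name__ == "__main__":
    for tapped in (False, True):
        length, qber = run_key_exchange(4000, eavesdrop=tapped)
        print(f"tapped={tapped} sifted={length} error_rate={qber:.3f} "
              f"alarm={eavesdropper_suspected(qber)}")
```

On an untapped line the sifted bits agree exactly; with the tap in place roughly a quarter of them disagree, which is the "high error rate" the sender and receiver look for.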

Despite its benefits, quantum coding faces obstacles. In the case of Navajo, which will be available later this year, the box can only extend its coverage over a 30-kilometer radius between two specific devices. Gelfond expects a range of 100 kilometers to be reachable in over a year’s time.

Further impeding its progress, the strong encryption technology’s elegance may not be applicable to most enterprises outside the U.S. government, says Ray Wagner, research director of information security strategies at Stamford, Conn.-based Gartner.

“The main problem with quantum-key distribution is the current method for key distribution is good enough for most enterprises,” Wagner says. “There’s not a lot of organizations that can afford to put in private fiber optic, then protect that private optic.”

MagiQ’s Gelfond disagrees, countering that the existing glut of laid fiber allows Navajo to become even easier and less costly to use. The proliferation of quantum repeater devices is expected to boost quantum signals much the same way optical boosters are needed for long-haul networks.

Sonar at your fingertips

Boosting the abilities of biometrics to attract enterprise interest is also in the works. To improve conditions and accuracy for biometric fingerprint scanning, the use of high-frequency sound waves is surfacing as one option to eliminate surface-contamination variables, which could impair scanned-image processing.

Ultra-Scan is proffering one solution, a biometrics input device insensitive to challenges posed by dirt, grime, skin pigmentation, and oil on a finger, as well as a dirty scanning lens and platform after multiple uses. Ultra-Scan bounces sound waves off a finger and its ridges to record its “echo.” To secure identification, that mapped reading is then authenticated against a profile.

“Unlike most scanning devices, [which read] a few times, we take that first image,” says Dr. John Schneider, CTO and president of Amherst, N.Y.-based Ultra-Scan. Schneider foresees sonar biometric technology playing a definitive role in mission-critical, performance-verifiable applications for painless and immediate access control, such as health care or retail uses.

Existing biometric readers predominantly use three types of imaging technologies: optical, thermal, and capacitance, which measures the electrical charge of a finger. Vendors such as Identix, Visionics, and Digital Persona are all vying to push biometric acceptance to a skeptical marketplace.

Concerns about accuracy hinder the technology’s acceptance but could be the key to its future, says Susan Scamurra, an administrator at the Buffalo Technology Transfer Center in Buffalo, N.Y. Scamurra’s organization is researching the uses of biometrics in a patient-oriented fashion for hospital settings. It will soon begin testing them to make biometric recommendations for nearby health care facilities.

Scamurra deems Ultra-Scan’s accuracy “quite good” and notes that it may circumvent acceptance issues largely unexplored by many biometrics applications and products.

“If you understand what some of the major human factors are and work toward making something very usable and user-friendly and have it be accurate very quickly, you can get by a lot of the concerns people have of using these products,” Scamurra says.

One challenge that continues to drive the security industry is how to combine human factors with new technology to plug the gaps that might leave information and systems vulnerable. As threats grow and change, pushing the envelope on security technology is also critical; users must keep on their toes to shore up defenses. The search continues for technology that will be more than just an evolution of what’s already available — a complete leap toward a new security approach.

“Real revolution is a very rare event. Development of PKI might be one. I don’t think we’re seeing — or, really, seeing the need for — any revolutions on the near horizon at this point,” Gartner’s Wagner says. “Our needs are relatively simple. Architecting solutions for them is where the difficulty is introduced.”

Correction

In this article, Bob Gelfond’s name was originally misspelled.