By William Van Winkle
 
 

Rather than grapple with the magnitude of today's security problem, a lot of people would rather pay the topic lip service, stay content, and hope that disaster strikes "somebody else." But for an increasing number of folks, sticking one's head in the sand is no longer an option. Spyware and spam are too pervasive, hackers too sophisticated and automated, and, for businesses, it's becoming increasingly difficult to win contracts and avoid penalties unless you can demonstrate having exercised due security diligence.

 
 
Take the case of Insurance Technologies, a home-based effort started a decade ago that today boasts 140 employees. Insurance Technologies designs software tools for agents to help guide prospective clients into the right policy choices. Over time, Insurance Technologies' wares and records have become increasingly dependent on the Internet. In order for the company to grow beyond its start-up phase, it had to take a massive leap in how it safeguarded data.

After poor results with one solution provider, the company went to Advanced Internet Securities (AIS), a Symantec Platinum Partner, and ultimately deployed a multi-tiered defense system founded on Symantec Gateway Security appliances able to tackle antivirus, intrusion prevention/protection, anti-spam, content filtering, VPN communication, and much more. With its firewalls properly configured, Insurance Technologies sailed through the SQL Slammer crisis and, since deployment, hasn't had a single network security incident. The company has found that the VPN functionality alone can reduce operational costs with remote offices by up to 45% since there's no longer a need for a dedicated line.

Thinking Beyond the Box
Symantec not only offers an end-to-end selection of security solutions, including rackable appliances, but also the reseller training on how to implement them for maximum customer benefit.

Having been trained on security through Symantec's channel education programs and other sources, AIS took measures to guard Insurance Technologies against internal threats, such as closing off POP3 accesses (which employees used to check Web mail) and shutting down some unnecessary system services that posed a potential perimeter risk. Insurance Technologies remains compliant with HIPAA, Sarbanes-Oxley, and other mandated requirements, and all told the company estimates that it saves roughly $100,000 each year in hard costs because of its security deployment.

Lest you think Insurance Technologies is a rare opportunity that's already been snatched up, consider the broad market. Despite roughly two decades of the industry harping on the need for computer security (one could argue that consumer awareness didn't even start until 1983's popular movie WarGames), the scope of today's opportunity is vast. Last July, research firm Gartner estimated that in 2005 only 5% of organizations could be classified as having a high degree of security. Gartner defines a "mature information security management system" as having four components: vulnerability management, intrusion protection, network access control, and identity and access management. Gartner estimates that for 2006, the number of highly secure organizations will rise to 10% but will only sit at 20% by 2008. Clearly, this signals two things: There's a lot of security investing afoot today, and this market will do nothing but grow by leaps and bounds for the foreseeable future if only out of necessity.

"By mapping architecture and security controls against four key processes," says Gartner research vice president Ant Allen, "organizations can ensure compliance with regulations and increase security effectiveness and efficiency. Organizations must also improve how they work with vendors to select and implement those technologies that will give them most security benefit for the least cost. It's a matter of implementing the technology efficiently and effectively so resources can be focused on new threats. Organizations that are still impacted by everyday routine threats must ramp up to become more mature in their approach."

To an outsider, the security market is a sprawling, disorganized, impenetrable mess. Where does one start and finish? How much security is enough? There are no clear answers. However, there are some strategic ways to tackle the field, certain points at which resellers can enjoy special success with higher market need and lower learning curves. Given our observations and many discussions with industry insiders, it seems the two hottest activity areas in computer security right now are at the client foundation—the motherboard and its essential surrounding components—and the network edge/gateway.


At the Foundation

Consider diseases and imagine that in order to prevent yourself from getting sick, you have taken every vitamin and antibiotic and yoga class under the sun. Without question, you're much better protected than you would be normally...and yet one day you still fall ill. Why? Because you've only addressed the high-level weaknesses in your health's security. The basic mechanisms of how your cells bond with outside agents and the ability of threats to morph into forms not addressed by your present protection regimen still leave you vulnerable. In essence, if your body can't distinguish friend from pathogen, your physiological security has a gaping hole.

A Board You Can Trust

The DQ965GF is a leading member of Intel's Executive Series motherboards, which are distinguished by their Trusted Platform Modules and similar features skewed toward security in the digital office.

For many years, leading PC manufacturers have realized this flaw in the computing space. You can minimize threats from the OS level out to the network edge, but without some sort of protection from the moment power hits the system, risks remain considerable. This is in part why you see growth in the number of threats slowing over the last several years but not declining.

Trusted Platform Modules (TPMs)

The Trusted Computing Platform Alliance came together in 1999, comprising 200 major industry companies, in an effort to devise a foundation-level remedy. This proved to be a much more complex and controversial task than anyone had anticipated. The TCPA devised plans for the Trusted Platform Module (TPM), sometimes known as the "Fritz Chip." The name refers to former U.S. Senator Ernest "Fritz" Hollings, chief promoter of the failed Consumer Broadband and Digital Television Promotion Act (CBDTPA), which would have required DRM functionality in all "digital media" devices and services and essentially killed the few remaining vestiges we have of fair use. It's worth noting that Intel was one of the key voices opposing this bill.

With debate raging over the CBDTPA in 2002, it was no surprise that the TCPA, which gave all 200 of its members veto power, was paralyzed by political discord. Finally, in 2003, the best elements of the TCPA migrated to a new entity called the Trusted Computing Group (TCG), which only gave veto power to a handful of "promoters": AMD, HP, IBM, Intel, Microsoft, Seagate, Sony, Sun, and VeriSign. Trusted Platform Module in fact refers to a published specification, but in use it generally means a discrete microcontroller built onto a motherboard that gets integrated into the boot routine. The TPM generates cryptographic keys and securely stores these along with passwords and digital certificates. The silicon also includes a Random Number Generator. The TPM serves as an integral part of critical security processes, such as digital signature and key exchange. Because data access may be restricted if the boot sequence doesn't follow the prescribed order, email, Web access, and local encryption can be made more secure. VPNs, 802.1x wireless authentication, password management, and many other operations can also benefit from TPM-enabled security. These chips serve to improve the functionality of other security devices and services, not replace them.

So far so good. But like any major new technology, TPMs have their potential pitfalls. Trusted Platform Modules can become an integral part of DRM technology. With a TPM feature called remote attestation, a unique and impossible-to-replicate snapshot of a system's software set is captured. Music services, for example, might link this snapshot to purchased downloads in order to verify that the DRM has remained intact. Some consumer advocates mount the same argument against this that they did with Windows activation, alleging that it sacrifices user privacy. In the same vein, other TPM facets can be used to require that encrypted files only be decrypted under very specific conditions, something that has DRM foes up in arms. The TPM spec allows for loopholes, such as anonymous signatures, but these only work if the outside applications accept anonymity.
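As an added illustration (not from the article or from any TPM vendor), the following Python simulates the two mechanisms the preceding paragraphs describe: PCR extension during boot, so that data sealed to a known-good boot chain cannot be unsealed after a tampered or reordered boot, and a nonce-bound attestation quote that a remote verifier can check. The hash-based sealing and HMAC "quote" are constructed stand-ins for the TPM's key-based operations, and the boot components, keys and nonces are made-up sample values.

```python
import hashlib
import hmac

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). One-way and order-sensitive,
    so the final value encodes which components ran and in what sequence."""
    return sha256(pcr + sha256(component))

def measure_boot(components) -> bytes:
    pcr = bytes(32)  # PCRs are reset to zero at power-on
    for comp in components:
        pcr = extend_pcr(pcr, comp)
    return pcr

def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += sha256(key + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Constructed stand-in for TPM sealing: key derived from the expected PCR."""
    key = sha256(b"constructed-seal-kdf" + expected_pcr)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    return {"ct": ct, "tag": hmac.new(key, ct, "sha256").digest()}

def unseal(blob: dict, current_pcr: bytes):
    """Returns the secret only if the current PCR equals the one sealed against."""
    key = sha256(b"constructed-seal-kdf" + current_pcr)
    if not hmac.compare_digest(hmac.new(key, blob["ct"], "sha256").digest(), blob["tag"]):
        return None  # boot chain differs: access to the data is refused
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))

def quote(pcr: bytes, nonce: bytes, attest_key: bytes) -> bytes:
    """Stand-in for a remote-attestation quote: binds the PCR snapshot to a verifier nonce."""
    return hmac.new(attest_key, nonce + pcr, "sha256").digest()

def verify_quote(q: bytes, expected_pcr: bytes, nonce: bytes, attest_key: bytes) -> bool:
    return hmac.compare_digest(q, quote(expected_pcr, nonce, attest_key))

# Constructed sample boot chains (not real firmware measurements)
GOOD_BOOT = [b"BIOS v1.0", b"bootloader", b"kernel"]
TAMPERED_BOOT = [b"BIOS v1.0", b"modified-bootloader", b"kernel"]
REORDERED_BOOT = [b"bootloader", b"BIOS v1.0", b"kernel"]
```

Sealing to `measure_boot(GOOD_BOOT)` and then unsealing after `TAMPERED_BOOT` or `REORDERED_BOOT` returns `None`, which is the boot-order restriction the text describes; the same PCR value, quoted against a fresh nonce, is what a verifier compares to its expected snapshot.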

You get the idea. TPMs can help protect data; the unresolved question that will keep recurring is who exactly is being helped. Either way, the Trusted Computing Group has done its job properly this time around. By the end of 2003, over one million OEM desktop and mobile systems had shipped with TPM 1.1 components. The channel has been able to offer TPM-enabled solutions since Intel's release of the D865GRH motherboard, which is now obviously long in the tooth. Expect to see TPMs become far more common with the release of boards based on Intel's Q965 chipset, which should hopefully be shipping about the time you read this. These will be common in Intel's Executive Series motherboard line, which also included TPM 1.2 chips in the D945 generation.

Of course, TPMs are only effective if you have software taking advantage of them. Predictably, TPM-friendly applications are still scarce, but the industry is starting to pay attention. Adobe, for example, introduced TPM support for safeguarding PDF files in Acrobat version 6. Utimaco (www.ultimaco.com) has its SafeGuard Easy title for TPM-backed full disk encryption. Intel ships all of its TPM-enabled motherboards with Wave Systems' EMBASSY Trust Suite (www.wavesys.com). Wave makes several TPM-based applications, but the EMBASSY Trust Suite offers a tantalizing sampler of functions, including password and key management, secure Windows logon, securing email, document protection, digital signatures, TPM management, and hardening of smart card and biometric device deployment. The suite also enables tools for remote management by a central administrator.

Also note that TPM-enabled whitebooks are starting to appear in the channel. The first of these was ASUS' Z62F Centrino Duo barebones. A great selling point for companies equipping their mobile employees is that TPM-enabled notebooks stand to benefit more from coming security products and services. If they want their data to be safe, why not be really safe—at no extra cost? Yes, there are several tier-one notebooks outfitted with TPMs, but call their 800 numbers and see how many reps are pitching TPM security. You now have another differentiator. Obviously, the same holds true for desktop systems and should be one of the key elements in your approach to corporate accounts needing to adhere to security regulations.


Copyright © 2007 RAM Magazine. All rights reserved.
Do not duplicate or redistribute in any form.