http://www.amcity.com/twincities/stories/1999/02/08/focus1.html
Minneapolis/St. Paul CityBusiness
February 8, 1999
Security just got tighter
Henry Breimhurst Staff Reporter
Computer security used to focus on the network; today it gets down to the
desktop and disk
While in a waiting area in the Los Angeles airport, a local executive felt
the need to powder his nose. So he got up and headed off for the restroom
-- leaving his laptop computer open and running on the waiting-area seat.
When he returned, the laptop -- and all of its confidential, unprotected
files -- was gone.
Such incidents are the stuff of nightmares for Darlene Tester, manager of
the security-risk management group at Minneapolis-based Net Access. Tester
was working at the time for the executive's company, and feared that a
major security breach had just occurred.
Fortunately, Tester said, the story ended as happily as it could have when
pieces of the dismantled laptop began turning up in the marketplace. The
thief had been more interested in the value of the hardware than the
documents stored in the computer's memory.
But issues like this underscore an often-underappreciated segment of
network security: the individual machines, disks and even files that are
the smallest parts of the network. As a result, consultants and
manufacturers are coming up with new, more deeply layered security
measures than ever before. Net Access, which does network integration
consulting for clients with an eye always towards security, has grown as
interest in security has grown.
The situation is analogous to a bank: Even though the front door to the
bank is locked, the money is still kept in a vault within the building.
With computer networks, the emphasis in the past few years has been on
firewalls and security against intruders via the Internet -- locking the
front door. But with major security problems possible at the smallest
level of the network, there is a resurgent interest in deep security
layers.
"I've been in security for 20 years, and it has ebbed and flowed," said
Tester. "Fifteen years ago they were more concerned about workstation
security, because often they were stand-alone machines. As it developed
into LANs, WANs and the Internet, there was more interest in firewalls,
but now it's starting to move back to more granularized security."
When consulting with a client on security, Tester said, Net Access often
discovers that the largest openings in the network are at the smallest
level. Many companies, if not most, do not employ simple security measures
such as requiring employees to have their workstations protected by a
power-on password (a password needed to turn the machine on); encrypting
files and e-mails on the hard drive; or setting up a regular schedule for
changing passwords. "These are forms of security that are pretty cheap,"
said Tester. Net Access works with its clients to develop and draft such
policies, establishing security from the ground up.
(Sometimes the cheapest security is laughably ineffective, however. Tester
mentioned the password feature on Windows 95, where a user is asked for a
password. But if the user hits "cancel," the password challenge goes away
and the user is in free and clear.)
Tester also noted that the need for individualized security is on the rise
now because of the increasing mobility of the workforce. An employee might
take data that is under the tightest security at work and bring it home on
a laptop or disk. Anyone who gets that piece of equipment then gets the
data with a minimum of effort. The answer Net Access recommends here is
encrypted files, which require passwords and other encryption keys.
Imation Corp. of Oakdale has a solution of its own, the recently released
encrypted Superdisk. This is a variant of the high-capacity Superdisk,
which is the same size as a normal floppy but holds 120 megabytes of data,
compared with 1.44 megabytes on a standard disk. Superdisk competes with
Iomega's Zip and Jaz products for high-capacity storage.
With the new encryption feature, files saved on a Superdisk cannot be
accessed without the proper password. The encryption is hardwired into the
disk, and will be recognized by any Superdisk drive, eliminating the
concern of having compatible encryption on multiple machines. Such
encryption can be used in different ways; in addition to protecting files
that are on the move, for example, Imation told of one case in which a
personnel director has taken to saving all review files onto an encrypted
Superdisk instead of keeping any on the hard drive or the network, where
they might be more accessible. The downside is that if the password is
lost or forgotten, there isn't a back door into the data.
"Its most obvious use is in areas where there is a high security concern,"
said Jim Judge, Imation's marketing manager for the Superdisk media.
Government, law and financial services have been among the first to make
use of the technology, he said.
The mobility issue also played a role in the development of the encrypted
Superdisk. One of the areas where Superdisk has had successful penetration
is in the laptop market, so coming out with a product that added to the
peace of mind of all those laptop users seemed a natural next step, said
Judge.
Imation is using 64-bit encryption on its Superdisks, which it claims
would take 585,000 years of brute force to crack. While no one has
actually confirmed this number empirically as yet, it is notable that the
federal government won't allow 64-bit encryption to be shipped out of
North America, as it could provide a security advantage to outside
interests.
"We pitch the Superdisk first, and then this feature becomes the frosting
on the cake," said Judge. "The encoded disks cost more, a premium of $3
per disk more. That's small change compared to the security you get."
Superdisks cost between $10 and $15. Imation is throwing a free encrypted
disk in with its multipacks to get people using it.
Superdisk is likely only the beginning for Imation's encryption business.
Judge said that there are efforts underway to introduce encryption
features into other Imation desktop-storage products.
When it comes to securing files, another Twin Cities company has spent
years developing ever-more-foolproof ways to make sure only the right
people have access to certain things. Datakey Inc. of Burnsville offers a
security system built around actual physical keys or other so-called "hard
tokens" which have the holder's electronic signature on them. This
electronic signature, coupled with passwords and other security devices,
helps to eliminate any doubt about who is getting access.
"We say that software [security] in most cases is not good enough," said
Alan Shuler, vice president and chief financial officer of Datakey. A
password does not encrypt, for one thing. Once an intruder gets past it,
all the data is free and clear. For another, the physical key makes
security breaches easier to detect. "If someone learns my password, I
don't know it. The physical possession of the card can tip the holder of
security problems." The card or key can also be programmed to shut down
after a set number of failed attempts to guess its password.
Shuler said that the same groups identified by Imation have been the early
adopters. In fact, passkey encryption was developed by the military to
secure the transmission of data.
Datakey's system involves the key or card (the key is only superficial;
the actual unlocking system is based on reading a code, not a mechanical
unlocking) and a device that plugs into the computer; the key or card is
then inserted into that device. The key has the user's electronic
signature, which can be purchased from a number of signature certificate
vendors, and that is where some difficulty creeps in.
Datakey and other encryption systems use what is called a "public key"
system. When sending an encrypted e-mail, for example, the public key or
code will be sent in the clear. The receiver will have a private key that
interacts with the public key to decode the message, but only if using the
same verification system as the sender. This incompatibility between the
different security vendors has slowed the acceptance of the public key
system. Until more people and companies buy electronic signatures, they
won't have a need for hard-token systems like Datakey's.
Net Access' Tester said that the different certificate vendors are
starting to set some standards for interoperability, which may help
encryption become more popular. As it is, different vendors have different
standards for selling their certificates. Those used by banks often
require a person to physically come in and confirm who they are before
being assigned a certificate, while others take orders over the Internet
and don't confirm them.
There likely will be some resolution of the certificate issue as companies
get more interested in deeper security, always egged on to a certain
degree by none other than the security experts themselves. "We're Chicken
Littles with attitudes," said Tester. "The sky is always falling, and
that's what makes us money."
-o-
Received on Thu Mar 11 17:21:15 1999