Villains in the Vault

By David Willis

Firewalls. Encryption. Digital signatures. Public keys. Security tokens. With products like these, your network should be about as secure as the crown jewels of England, right? Don't bet the business on it.

There are thousands of tools that focus on some aspect of security; they may check for operating system configuration errors, reveal easily guessed passwords, detect intrusion, scan for viruses, authenticate users, examine system logs or block access to Internet sites. Encryption products work at any level you want--driver-level products can scramble an entire desktop or server, end-user applications can safeguard individual application files or e-mail messages and link encryptors protect the physical or virtual channels between sites. A few devices even encrypt at the ATM cell level.

But even with this arsenal of security products, it's often impossible to answer the simplest questions: Who has access to this piece of information, and from where? Who accessed this data, and what did they do with it? What are people doing right now?

The proliferation of tools highlights the fact that there are basic flaws in the systems we install, and the way we deploy them. Security can't be tacked on after the fact; it has to be built-in--from common security subsystems in the OS to intelligent applications using those systems to procedural and policy decisions made during the planning stages.

We're still exploring ways to ensure security in a distributed environment. Applications must handle integrity, confidentiality and authentication with progressively finer granularity, operating systems must enable secure applications through standard subsystems and application programming interfaces (APIs) and disparate security subsystems need to blend into a consistent, manageable entity based on the enterprise directory--but this fundamental infrastructure has yet to fall into place.

The operating system, long the core for user account databases and file systems, no longer serves as the basis for information sharing; the e-mail system, relational database management system and Web server have taken over that position. These often have their own security mechanisms and may be at least partially managed by users themselves.

The incredible communications flexibility of today's software makes it nearly impossible to track people, especially if they deliberately avoid leaving a trail. Even in legitimate uses, sophisticated users learn to jump among hosts with a combination of telnet sessions, FTP and LAN-based remote-control packages.

In our assessment of the state of security, we found most implementations lacking. Fortunately, new solutions are always on the horizon. We'll direct you to the most essential standards and highlight several products that are on the right track, such as Funk Software's Steel-Belted Radius, Internet Security Systems' Real Secure and Technologic Software Concepts' RAS Enterprise.

A common goal in any installation is enforcing accountability for individual actions. To accomplish this, you'll need to identify users clearly, through the most appropriate authentication technique. We'll outline the most important of these, and examine the protocols, products and strategies that provide manageable encryption and authentication services.

Monitoring the Vital Signs of Your Network
by Bruce Boardman with David Willis

Updated January 10, 1997
