In recent years, enterprise security spending has focused primarily on firewalls, intrusion prevention, spam filtering and antivirus products, all designed to protect organizations’ IT boundaries.
Security priorities are now evolving from creating fortified stand-alone islands, to enabling heterogeneous networks to store and securely exchange data with internal and external parties across distributed computing platforms. This shift in emphasis from solely perimeter-based security has been noted by industry analysts. Gartner predicts that, "By 2006, 40 percent of enterprise security spending will be directed toward content security issues, not perimeter security."
Aside from the need to protect proprietary information, organizations must also contend with a growing list of regulations that have far-reaching implications. Regulations such as Basel 2 and Sarbanes Oxley drive a need for ensuring the integrity of financial data. Other regulations, such as the Data Protection Act, require certain information to be kept confidential.
These regulatory drivers, combined with the continuing exponential growth of online B2B transactions, have resulted in renewed interest by IT Security directors in data protection solutions. According to another Gartner report on the cost of compliance with regulations governing corporations, "By 2005, enterprises that don't encrypt stored sensitive data will spend 50 percent more than enterprises that do, because of a failure to comply with regulatory or contractual data protection requirements."
A useful metaphor for considering your data security needs is to consider equivalent information security requirements for physical-world transactions. In the physical-world, trust is built through the personal interactions and confidence gained through "real world" infrastructure and processes including lock-boxes, identification cards, signatures, and physical storefronts.
The digital world requires the same levels of trust as the physical world, but it is accomplished through different means. Approaches for enabling online identification, integrity and confidentiality range from simple passwords to pin numbers to public key cryptography, each of which has its own merits and issues.
Usernames and passwords are widely used for online identification and securing sensitive information. However passwords, particularly if left to the devices of the user to determine and manage, can be susceptible to dictionary or brute force attack.
It is human nature to minimize complexity, and many people will use the same easily-remembered password for multiple business and personal accounts. A recent survey indicated that up to a third of all passwords being used today are simply the word "password". To counter this, many organizations have developed password enforcement policies governing minimum lengths and character combinations.
Unfortunately, many users who are forced to use a password that is not easily remembered will simply write it down and keep it close to their PC. Other issues include secure distribution of passwords for encrypted transactions as well as support for users that forget them.
The other end of the data security spectrum employs the use of public key cryptography to enable key distribution, encryption and online authentication. Public key cryptography involves two distinct "private" and "public" keys that are mathematically related to each other. The private key is held only by the owner of the key-pair, while the public key is made freely available to anyone. Each key-half can perform a cryptographic operation that can be decrypted by the other half.
Authentication of the relying parties to a transaction is accomplished through digital certificates, the electronic equivalent to a passport, which a Certificate Authority issues to bind a person's or organization's identity to a public key. The certificate authority could be an internal entity utilising software from vendors such as RSA or Entrust, or utilising a service provided by an external "trusted third party" such as BT Trustwise or VeriSign. Public Key Infrastructure (PKI) is the embodiment of public key cryptography and Certificate Authorities.
Digital signatures, enabling transaction non-repudiation and data integrity, are created by "encrypting" data with a private key. Because only one individual has access to the private key, anyone who has the sender's certificate (containing their public key) can be assured of the sender's identity and that the data has not been altered during transit.
Whether using digital certificates or passwords, confidentiality can be accomplished by encrypting files, typically using symmetric key algorithms such as 3DES or AES. The recipient of the encrypted "blob" would then use his private key or password (delivered by the sender out of band) to "unlock" the symmetric session key, which is in turn used to decrypt the file itself.
Putting Theory into Practice
There is no perfect solution for key distribution and management. Passwords have their issues, and PKI has gained a bad reputation with certain industry observers because of difficulties experienced by some early adopter organizations. Issues include interoperability between different applications and between PKI and non-PKI enabled parties, as well as usability and supportability issues. These complexities have even caused some industry pundits to proclaim that PKI is dead.
In reality, digital certificates are in wide use today with certain types of applications. Any website selling goods online has a SSL (secure sockets layer) organizational certificate that authenticates its identity to the visitor and enables encrypted credit card transactions. And software patches downloaded from Microsoft and other major vendors are typically signed and authenticated using a digital certificate that identifies the developer. But certificates have not gained wide-spread adoption for desktop usage as once hoped.
To further complicate matters, organizational data is stored and transferred across a wide variety of users, computing platforms, and typically exchanged with external partners and customers. Doing this securely requires a solution that can protect information both in storage and in transfer, can be implemented across different computing environments, is easily supportable across different classes of users, and is able to transcend different IT security infrastructures that may encompass both PKI and non-PKI support.
It's important to keep in mind that security is simply an infrastructure that supports policies, users, business processes and applications. As with any effective infrastructure, data security solutions are at their best when they blend into the background of the application being used or business process taking place.
Ensuring a successful deployment requires that you first answer some key questions to determine your data protection requirements, before investing in a solution.
Once the top-level requirements have been established, the next step is to define a set of realistic and achievable goals. The project's schedule should be designed to enable the achievement of early successes and experiences. All too often security initiatives try to take on too much at once, and as milestones slip and little is shown for the investment, support and funding begin to dry up.
Finally, it's important to remember that a good security solution is like a three legged stool. These three legs are security technology, security policy, and end-users. If any of these become out of proportion or neglected, then the overall security implementation will be out of balance. This means that an organization cannot focus solely on the technical aspects. Instead, organizations must ensure that they have in place a sound and realistic security policy. Finally, this policy needs to be accompanied by the proper training and awareness programmes – in addition to addressing usability and support considerations – to ensure adoption by internal and external users.
The author is chief marketing officer of PKWARE