Information Week: The New Security Solutions
Emerging security technology has several admirable goals: proactive, integrated, inferential
By Larry Greenemeier
These are some of tomorrow's security measures: Systems that integrate door locks and surveillance cameras with the logic and analytics of IT systems. Biometric devices that go beyond skin deep to verify identities. Network systems that infer the significance of pilfered data before the criminals do.
Fortunately, a lot of this work is going on today.
The trend that ties together these emerging technologies--the ones that will succeed, anyway--is their proactivity. As security threats evolve, systems and applications will have to know when they're under attack and be trusted to respond automatically, while at the same time keeping key IT and security personnel apprised.
Perhaps the greatest advance in security since the Sept. 11, 2001, terrorist attacks is linking physical and IT security technologies. One area where that trend is prominent is video surveillance.
Early next year, IBM will include its Smart Surveillance middleware as part of its Digital Video Surveillance services. Smart Surveillance, straight out of IBM's T.J. Watson Research Center, integrates analytical capabilities into camera, radar, chemical-sensor, and audio surveillance systems so that they can detect suspicious activity and send up red flags when necessary. With Smart Surveillance, a truck parked in the wrong area of an airport, an airline passenger attempting to enter through an exit corridor, or a customer removing an item from a shelf and walking past the cashier line would all initiate pages, text messages, and other security alerts. IBM's middleware also has a searchable index that will be able to link related items such as license plates, car color, and the driver's facial image.
The ability to store digital video on a hard drive, rather than analog footage on tape, completely changed the market for recording and managing video surveillance, says Stephen Russell, CEO of 3VR Security, a maker of video management systems, which pegged the global market for those systems at $3.8 billion in 2005. For one, digital video includes a time stamp that makes it searchable in ways that analog video isn't. 3VR takes that idea further by making digital video searchable by information that can be analyzed, such as biometric data or images. This is done by tagging video images much as Google tags Web pages.
The most recent version of 3VR's Intelligent Video Management System includes a software developers' kit that lets companies integrate the searchable surveillance system with other systems, including those that control access to facilities and networks through, for example, fingerprint scanners or facial-recognition systems. The 3VR technology has been integrated with transaction systems used in banking environments, access control systems commonly used in buildings, and sources of data such as federal law enforcement watch lists, Russell says.
Within three years, technology will be available to load the digital images of employees and expected visitors and then match those images with surveillance video of people walking through a company's front door. But first, facial-recognition software must get a lot better than its less than 30% accuracy rate, says Jeff Platon, VP of Cisco Security Solutions marketing.
This integration of surveillance systems with IT networks is significant. Historically, security has fallen into two camps: information security on one side and the physical walls, locks, and the guys with guns on the other. Their convergence has been hampered by the inability to connect the physical and logical worlds--that is, until networked digital video allowed the two to come together.
Cisco is working to bring together network and physical security, having launched its Intelligent Converged Environment unit in April after acquiring SyPixx Networks, a maker of video surveillance software and hardware. In September, Cisco said it was working with lock vendor Assa Abloy to integrate Cisco's IP-based access control and identity management capabilities with Assa Abloy's "intelligent" badge readers and door-lock components. That integration would prevent someone who doesn't use an access badge at the front door, for example, from logging on to the company's local network.
Access management vendor Imprivata also is developing integrated physical and network security technology. Its OneSign Physical/Logical appliance works with security badge systems and considers a user's location before deciding whether to grant remote or local network access.
Because of this convergence, in a lot of companies physical and IT security leaders are starting to report to a chief security officer, says Bill Stuntz, CEO of BroadWare Technologies, a vendor of IP-based digital video surveillance systems and services. "The big move from analog to digital video means physical security is becoming the IT manager's domain, and [he or she] will ultimately be in control of the budget for this," Stuntz says.
MORE THAN A FINGERPRINT
Imagine a biometric finger scanner that checks your identity using not only your fingerprint but the tissue structure and hemoglobin levels in your finger as well. That's the vision of Nanoident Technologies, an Austrian company that specializes in semiconductors printed onto glass, plastic foil, or paper rather than written onto a silicon chip. Nanoident builds security features such as photonic and microfluidic sensors into its system-on-a-chip semiconductors, which means they could be embedded in cell phones or devices the size of a credit card without taking up much space or using much power.
The typical "swipe" fingerprint sensor, in which a finger is rubbed across a sensitive metal plate so that its image can be captured and compared against a fingerprint database for authentication, is 15 millimeters long by 2 millimeters wide. The size of such swipe sensors makes them popular with PC makers: Hewlett-Packard alone ships 250,000 PCs a month with embedded fingerprint readers.
Such sensors have potential in the mobile phone market, says Nanoident CEO Klaus Schroeter, where size, price, and cool features drive sales. Nanoident's finger scanners would be small enough for a cell phone but large enough to fit an entire fingerprint.
For fingerprint authentication technology to be widely deployed, it will have to get more accurate, says Schroeter. He puts fingerprint biometrics at 98% accurate but says that needs to be increased to 99.9% for businesses to feel comfortable deploying the technology. "It's easy to fake a fingerprint today," Schroeter says, explaining that when someone touches a piece of glass and leaves behind a fingerprint, it can be photographed and made into a stamp that's 95% accurate.
Nanoident's technology is more accurate, Schroeter says. "We capture the structure beneath the fingerprint using red and infrared light to penetrate the finger up to several millimeters," he says. "We measure the skin parameters and hemoglobin content of the blood so we can then say if this is a live finger, as opposed to a fake fingerprint."
Nanoident claims to include all of the technology for acquiring fingerprints, extracting data, matching against a database, and storing the information on the semiconductor itself. The complexity of manufacturing printed semiconductors with light-sensitive photonic sensors has kept the company from releasing its technology sooner, Schroeter says, but with advances in manufacturing processes, Nanoident plans to open a printing facility in Austria in January.
Nanoident subsidiary Bioident Technologies positions its technology as a disposable photonic lab-on-a-chip that can be used to detect and analyze chemical and biological agents in the air, food, or water supplies. Bioident's microprocessors will let scientists, researchers, and first responders carry devices that let them check for contamination out in the field. A sample of potentially contaminated water could be dropped on a chip containing a microfluidic sensor, which would create a chemical reaction that provides information about what's in the water. Since these printed microprocessors would be inexpensive, they could then be discarded and replaced with a new processor. "Imagine if I could just carry a chip that could do all of my diagnostics [work] rather than taking it back to a lab," says Bioident CEO Wasiq Bokhari.
Mistletoe Technologies sells a chip that includes an embedded VPN, a firewall, and denial-of-service prevention features. It already partners with network appliance makers such as BroadWeb and Viking Interworks to embed VPN and firewall chips into their devices.
ARE YOU TRUSTWORTHY?
The Trusted Computing Group, a not-for-profit organization formed in 2003 by HP, IBM, Intel, Microsoft, and other IT heavyweights, is developing standards for securing systems and data from external attacks and physical theft.
The fruits of the group's efforts are most visible in its Trusted Network Connect standards, the basis for network access control technology offered by almost every IT vendor except Cisco, which prefers to have networks operate primarily on Cisco technology. Another of the group's successes has been the Trusted Platform Module, a microcontroller affixed to a PC's motherboard that's used to store encryption keys, passwords, and digital certificates separate from the hard drive. TPMs have been embedded in more than 40 million PCs shipped since 2003.
Advocates say trusted computing is the future of security. "Ten years from now, you won't have a user name and password," says Steven Sprague, CEO of Wave Systems, which is on the Trusted Computing Group's board. "You will authenticate the human being to the machine, and the machine will authenticate you to the network."
Sprague and others predict the TPM's capabilities will be expanded so it becomes the first component in a "chain of trust" by storing logon and password information about a PC's authorized user, as well as by defining the types and versions of applications that should be running on the PC. Any inconsistencies between the TPM's directory and what's found on the PC would keep the PC from booting. Critical applications and capabilities such as e-mail, Web access, and local protection of data are thereby made much more secure, says Tony Redmond, VP of security and CTO of Hewlett-Packard Services.
Working groups within the Trusted Computing Group are looking for ways to create TPM chips that can be used on peripherals and storage devices. The goal is to give devices the ability to pass a user's credentials automatically so the user doesn't have to authenticate to every application, network, and Web site throughout a workday. Devices based on the Trusted Computing Group's new Mobile Trusted Module specification should start showing up by the middle of next year.
But trusted computing is hardly a quick fix. It could take eight or nine years to transform the IT infrastructures to the point where people can identify themselves from wherever they log on to the network, Redmond says. Another key is the emergence of operating systems that acknowledge the presence of TPMs, something Microsoft's Windows Vista promises to do. There are several groups working on Linux and other open source code to leverage TPM capabilities.
MORE THAN VIRTUALLY SAFE
Virtualization software, which carves up the assets of a PC or server into smaller virtual machines, is seen as a way to consolidate hardware and software, but its security implications are undeniable. For example, the hypervisor that's used to manage these virtual machines is in charge of the system before the operating system is; because it gets loaded early, it can check that any software being loaded is free of security problems and provide alerts when the software behaves erratically.
When Intel introduced vPro in April, it touted the technology as providing PCs with built-in manageability, proactive security, and energy-efficient performance. The vPro platform consists of Intel's Conroe processor, Pro/1000 network connection, and Q965 Express chipset, as well as active management and virtualization capabilities.
By the middle of next year, Intel and Symantec will offer security for vPro that defends against malware specifically designed to shut down a computer's security defenses, such as antivirus and anti-spyware applications. Symantec's Virtual Security Solution will use vPro's hardware-assisted virtualization capabilities to contain any malware threats on a given virtual machine within the PC, so that other virtual machines can't be infected.
But the hypervisor can become a new place for attackers to hide malware, warns Paul Kocher, president of Cryptography Research. "Virtualization has huge benefits from a management perspective, but it creates as many problems as it solves," he says. "You can move a firewall to a virtual layer, but it's not clear that this makes the firewall more effective at protecting the PC."
A NETWORK APPROACH
Toward the end of the decade, companies will not only be able to better monitor the contents of data sent over the network, they'll also be able to determine whether seemingly innocuous bits of information about customers, employees, and partners can be pieced together by criminals to gain access to more sensitive information. Call it an inferential data threat.
"Given the amount of information out there, you need some at least semiautomated way of figuring out what information you can and can't release," says Jessica Staddon, area manager of the Palo Alto Research Center's security and privacy research group.
PARC has created prototype privacy-monitoring software designed to understand the inferences that can be drawn from data, that is, the meaning of a name, an address, or another piece of data, so that the data can be removed--or obfuscated, in the case of an electronic document--before it's sent out across the network. For example, if the privacy monitor determines that only one person in a database has a certain combination of attributes--female, born in 1969, lives in the 94061 ZIP code--then it would prohibit those three pieces of data from being accessed together unless the person accessing them had specific permission to do so. This would help protect databases accessed through Web applications from being pilfered via SQL injection attacks, which try to trick Web apps into extracting information the attacker has no right to; that data can be used later to acquire more sensitive information.
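As an added illustration of the uniqueness check described above (example code written for this page, not PARC's prototype): a small Python monitor over a constructed record set that refuses to release a combination of quasi-identifiers when that combination singles out one person, unless the caller holds explicit permission. The column names, the record values and the group-size threshold `k` are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real data). The three quasi-identifier
# columns mirror the article's example: sex, birth year and ZIP code.
# Only record 1 has the combination (F, 1969, 94061); every other
# combination of these three values is shared by at least two people.
RECORDS = [
    {"id": 1, "sex": "F", "born": 1969, "zip": "94061", "diagnosis": "asthma"},
    {"id": 2, "sex": "F", "born": 1969, "zip": "94062", "diagnosis": "none"},
    {"id": 3, "sex": "F", "born": 1969, "zip": "94062", "diagnosis": "flu"},
    {"id": 4, "sex": "M", "born": 1969, "zip": "94061", "diagnosis": "none"},
    {"id": 5, "sex": "M", "born": 1969, "zip": "94061", "diagnosis": "none"},
    {"id": 6, "sex": "F", "born": 1972, "zip": "94061", "diagnosis": "none"},
    {"id": 7, "sex": "F", "born": 1972, "zip": "94061", "diagnosis": "flu"},
    {"id": 8, "sex": "M", "born": 1972, "zip": "94062", "diagnosis": "none"},
    {"id": 9, "sex": "M", "born": 1972, "zip": "94062", "diagnosis": "none"},
]
QUASI_IDENTIFIERS = ("sex", "born", "zip")  # assumed policy setting

def min_group_size(records, attrs):
    """Smallest number of records sharing one combination of values for
    attrs. A result of 1 means some combination singles out one person."""
    counts = Counter(tuple(r[a] for a in attrs) for r in records)
    return min(counts.values(), default=0)

def identifying_combinations(records, attrs, k=2):
    """Every subset of attrs whose value combinations fall below k records
    for some person, i.e. subsets that enable re-identification."""
    found = []
    for n in range(1, len(attrs) + 1):
        for subset in combinations(attrs, n):
            if min_group_size(records, subset) < k:
                found.append(subset)
    return found

def release(records, requested, permitted=False, k=2):
    """Project records onto the requested columns, refusing when the
    requested quasi-identifiers together single out a person and the
    caller lacks explicit permission (the rule the article describes)."""
    qi = tuple(a for a in QUASI_IDENTIFIERS if a in requested)
    if qi and records and not permitted and min_group_size(records, qi) < k:
        raise PermissionError(f"attributes {qi} identify an individual")
    return [{a: r[a] for a in requested} for r in records]
```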
Staddon and her team at PARC, a subsidiary of Xerox, envision a network security application that sends the end user--whether it's a blogger, HR manager, or CFO--a warning if data in a file could be used as part of a larger inference. Another option is to integrate this capability into Word, Excel, or whichever tool is used to create the file or e-mail. However, this type of use is much more difficult to develop than examining inferences that can be made against data extracted from a database. Data contained in documents is usually unstructured, and the number of inferences could be much greater as the number of people with access to information grows.
Part of PARC's work on data inference emerged from technology it was planning to develop through a grant from the Defense Advanced Research Projects Agency for its Total Information Awareness project. In 2002 Darpa presented TIA as a way to detect, classify, identify, and track terrorists to prevent attacks. The thinking was that law enforcement could use a combination of biometric, database, natural language processing, evidence extraction, and inferential technology to collect information about transactions made by terrorists before an attack, and thus head off trouble.
Public concern about the misuse of data forced the government to discontinue funding TIA the following year, but PARC's research has continued. "We did deliver some code to Darpa, but we didn't go as far with the project as we would have if the funding had continued," Staddon says. PARC is hoping that it can work with Xerox to bring an automated content inference application to market.
The goal of much of the laboratory work at PARC and elsewhere is to "get to the point where computers are doing a lot more work to check to see what's happening, and any abnormal conditions would be responded to automatically," HP's Redmond says. Computers looking out for computers--now there's an idea with potential.