Modernizing Authentication — What It Takes to Transform Secure Access
Even while companies are struggling to come to grips with security requirements for existing e-commerce applications, a couple of key technology shifts are presenting additional challenges.
First is the wireless revolution, which is thoroughly upon us. The research firm Dataquest, Inc. says by the end of the year there will be more than 45 million Web-capable wireless phones in use. Nearly 1 billion people will subscribe to some form of wireless service by 2003, the company estimates, and nearly 800 million of them will be using Web-capable phones.
Security for wireless devices, including phones and personal digital assistants (PDAs) like the Palm device, lags behind their adoption rate. There are myriad problems to contend with, from the sheer number of different devices to their relative lack of processing power and the immaturity of wireless security standards.
Another shift is the movement to an application service provider (ASP) computing model. Under the ASP model, companies hand off ownership of various applications to a service provider.
The idea is that, because of its economies of scale, an ASP will be able to operate applications more economically than a company can on its own.
But the ASP concept requires a company to be comfortable with handing off sensitive corporate data to an outside firm, and therein lies the security challenge. How do you know the ASP will keep your data safe from prying eyes, theft, or perhaps worst case, your competitors?
The threat is real. By 2003, 30 percent of ASP customers are likely to experience a security incident that results in the compromise of sensitive data, according to John Pescatore, research director for network security at the Gartner Group consultancy in Stamford, Conn.
The issues facing the two areas are quite different.
On the wireless side, a key issue is that the security standards that exist for PCs and other wired devices won't work well with wireless devices. The reasons are myriad, says Guy Singh, product manager for Baltimore Technologies plc's Telepathy wireless security products, but it essentially comes down to the fact that wireless devices are far smaller than PCs.
"All the things that normally go on a PC can't fit on a phone," he says. "In addition, the wireless pipe is constrained; you can't send over as much data."
Another issue is the diversity of the installed base of wireless phones and PDAs. Whereas roughly 90 percent of personal computers are based on a version of Microsoft's Windows operating system, no single wireless device so dominates the market. Likewise, there is no single type of wireless network that dominates like the Internet does for wired devices.
Verne Meredith, vice president of sales and marketing for Diversinet Corp., a provider of wireless security products based in Toronto, expects at least four wireless platforms will evolve. "While one may dominate with 40 to 50 percent share, we don't see any with 90 percent like Windows has," he says.
There are standards that purport to address these sorts of problems, most notably the Wireless Transport Layer Security (WTLS) protocol, which is essentially a wireless version of the Secure Sockets Layer (SSL) technology used for wired connections. WTLS is included in the Wireless Application Protocol (WAP), a set of technologies for making Web applications accessible from various types of wireless devices.
But the U.S. has been slow to implement WAP, especially as compared to Europe, says Christian Byrnes, vice president for global security in the La Jolla, Calif. office of the META Group consultancy. Most implementations in this country are based on an early version of WAP, and will have to be upgraded.
Additionally, while the first version of WAP supports some security in the form of WTLS, there are plans for much stronger security in the next version, with support for public key infrastructure technology.
"The second version of WAP is the one that has real security built in. So we're still two versions away from secure wireless in the U.S.," Byrnes says. "The result is we will have stolen information and people tapping data transfers and viruses and everything else in this [wireless] environment, because the vendors add security on later instead of building it in in the first place."
In the meantime, wireless data flows are at risk. At some point in each wireless transaction, data passes through a gateway that transfers the transmission to a wired network. At that gateway, data is decrypted, then encrypted again using the SSL protocol. That leaves an instant in time when the data is unencrypted, and thus vulnerable to intruders.
Wireless in practice
All these issues create a burden for companies that want to provide wireless access to applications.
One such company is Vigilance, Inc., based in Sunnyvale, Calif. Vigilance offers Web-based software that helps companies track supply chain issues. Part of its offering includes the ability to send notifications via email, Web page, pager, or PDA when certain predefined events arise, such as when an order will be late or a piece of equipment fails. Customers have the option of taking action on that event in an effort to resolve it, says Subhash Tantry, co-founder and executive vice president of Vigilance.
That's where wireless security plays a role. If you're sending a message saying that an order to a large customer is going to be late, you don't want that information getting into the hands of your competition. Similarly, if you're going to allow someone with a PDA to transmit actions that will affect your supply chain, you need to be able to verify who is giving that order and that they are authorized to do so.
Vigilance currently handles those security issues through the use of a service provider, Aether Systems, Inc., Owings Mills, Md., which operates a secure wireless network. Aether uses various security technologies, including PKI, to establish secure links between Palm PDAs used by Vigilance customers in the field and corporate Web servers running Vigilance applications, Tantry says.
So far, Vigilance has enabled wireless access from Palm V and Palm VII devices, but the company is looking to eventually support others, including handhelds from Psion PLC and those based on the Microsoft Windows CE operating system. "We'll have to be very careful when we implement our applications on each one of these operating systems because some of the issues can be different," Tantry says.
Likewise, it's a different story implementing the applications for a wireless phone as compared to a PDA. The smaller interface on the phone and limited data entry capability make it hard to support the same kind of interactive applications as with the PDA.
"We'll have to provide some type of interactive voice response technology on the wireless phone so people can collaborate with the back-end application to trigger actions," he says.
The Vigilance experience highlights some of the issues in the nascent wireless security market. Its use of Aether Systems, while a plus in that it provides the kind of security that is otherwise lacking in the wireless realm, limits customer choice in terms of service providers. And Vigilance itself has a development chore if it wants to make its applications available for the various types of PDAs and phones available.
But the opportunity is a potentially large one. Tantry says about half of Vigilance's customers express interest in the wireless capabilities. While customers in the Far East have embraced wireless capabilities, no U.S. companies are yet employing the technology in production mode.
"They have internal corporate policies and procedural issues to resolve," he says. "I'm not sure the IT departments and security administrators have fully thought through the issues on how to enable this technology corporate wide."
The vendor challenge
For their part, security vendors are indeed thinking through wireless security issues. Companies including IBM's Tivoli unit, Certicom Corp., Baltimore and Diversinet are at work integrating their security tools with wireless devices.
Baltimore, one of the leading PKI software vendors, in January launched its Telepathy line of wireless security products. As companies develop applications for handheld devices, they can use Baltimore toolkits to add security capabilities to those applications, Singh says.
One key function the toolkits enable is a digital signature, which he says does two things: it authenticates that the person using the device is who he says he is, and it provides an integrity check, so that you can tell if any data was changed in transit. That's the kind of security required if wireless devices are to be used for sensitive transactions or those with a high monetary value. Additionally, digital signatures don't rely on WTLS or on SSL and thus are not subject to the translation issue that leaves data unencrypted for an instant in time.
Like Vigilance, Baltimore has to deal with the vagaries of rolling out its toolkits for various platforms. It will address Palm devices first but has also announced a partnership with Motorola, Inc. to address security for Motorola wireless devices and gateways.
At least until better standards are in place that are truly interoperable, getting security implemented on the full range of wireless devices will require companies, like Baltimore, to establish a series of partnerships.
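The gateway translation described earlier and the device-side signature described above can be put side by side in a short Go program. It is an added example, not code from Baltimore or any other vendor named in this article; AES-GCM and Ed25519 are stand-ins for the WTLS/SSL hops and the PKI signature, and the order string and function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// hop carries msg over one encrypted link (WTLS or SSL; AES-GCM is a stand-in)
// and returns what the receiving end sees after decryption.
func hop(msg []byte) ([]byte, error) {
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Open(nil, nonce, gcm.Seal(nil, nonce, msg, nil), nil)
}

// deliver signs order on the device and sends it through both hops. rewrite
// models a change made to the plaintext inside the gateway (nil = no change).
func deliver(order []byte, rewrite func([]byte) []byte) (transportOK, sigOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	n := ed25519.SignatureSize
	msg := append(ed25519.Sign(priv, order), order...) // signature || order
	plain, err := hop(msg)                             // wireless hop ends at the gateway
	if err == nil && rewrite != nil {
		plain = rewrite(plain) // data is in the clear at this point
	}
	got, err2 := hop(plain) // gateway re-encrypts for the wired hop
	if err != nil || err2 != nil || len(got) < n {
		return false, false
	}
	return true, ed25519.Verify(pub, got[n:], got[:n])
}

// tamper edits the quantity field of the constructed sample order.
func tamper(p []byte) []byte {
	return bytes.Replace(p, []byte("qty=10"), []byte("qty=99"), 1)
}

func main() {
	order := []byte("order=4711;qty=10") // constructed sample
	fmt.Println(deliver(order, nil))    // true true
	fmt.Println(deliver(order, tamper)) // true false
}
```

Both hops report success in the second run because each link only protects its own segment; only the signature made on the device shows that the order changed in between.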
"It will be late 2002 before the wireless Web is at the same security level as the wired Web was in 1997 because of the immaturity of the standards and the complexity of the wireless world," Gartner's Pescatore says.
Another wireless issue that gets less attention than handhelds do is wireless local-area networks (LANs), in which radio-frequency technology is used instead of wires to connect PCs in an office or campus network. Wireless LANs promote the idea of mobility, enabling people to carry a laptop from their offices to a conference room, for example, and immediately plug into the corporate network.
"Wireless LANs open up huge holes in a company's perimeter," Pescatore says. "Radio frequency waves don't respect the firewall, they just keep going through the atmosphere."
He tells of a government agency client that installed a wireless LAN in its building, which was near that of another agency that had its own wireless LAN. An employee of one agency took his laptop into the parking lot and was able to tap into both agencies' networks.
Hosting a security issue
Wireless LANs can make it hard to determine the boundaries of a network, but so can a shift to an ASP model of computing. If an ASP is providing at least some of your computing resources, it becomes harder to draw a definitive line around your network and protect it accordingly. In essence, you're trusting the ASP to secure your data and applications for you.
Not all ASPs deserve your trust, Pescatore says.
"We've seen a land rush into the ASP market," he says. "There are a lot of good, solid players, but there are also many Joe's Awning Co. and ASP House." He expects many ASPs will turn to other providers, such as AT&T or Exodus Communications, Inc., to help out with the day-to-day business of operating and securing the servers that run their applications.
In a recent research note he wrote for Gartner Group, Pescatore lists 16 questions customers should ask an ASP about security. The list covers issues ranging from the type of authentication and encryption the ASP uses to the policies and procedures it follows to ensure it maintains a high level of security.
META Group's Byrnes sees the ASP movement as analogous to the more general trend toward outsourcing of various IT functions that has been going on for years. "As the ASPs begin to understand that what they're doing is just outsourcing, and their customers start to understand that there is a body of knowledge about how to set up a contract for outsourcing, things are maturing rapidly," he says.
Security requirements can be detailed in a service level agreement, he adds, which is a document that outlines expectations and requirements. Companies should also insist on an audit of the ASP's infrastructure aimed at finding any security holes.
"We've found the ASPs to be very receptive to this," Byrnes says. "Once they understand what the requirement is and what their customer is going to do, they're generally very supportive."
While ASPs are one form of hosted computing environment, there are others, including Management Service Providers (MSP), which are companies that manage networks and computers for their customers, ensuring everything is running smoothly. Even e-commerce exchanges can be considered a type of hosted service provider, since they hold lots of valuable information about their customers.
GE Global Exchange Services (GXS), for example, operates a business-to-business network for more than 100,000 trading partners, each year handling 1 billion transactions representing a total of $1 trillion in goods and services. The vast majority of those transactions occur using older, message-based technology called electronic data interchange, but the company recently launched a series of Web-based exchanges, including generic trading exchanges and others targeted at different vertical industries.
"In any given exchange, particularly an independent trading model, competitors are there together; that's the nature of it," says Guy Fisher, manager of product integration in the marketing operation of GXS. "So we have very stringent security to make sure trading partners can't inadvertently see somebody else's data."
To do that the company uses a directory program from Netscape and security tools from Netegrity, Inc., Waltham, Mass., that together enable GXS to authenticate user identities and ensure that each user sees only data they are specifically authorized to see. The Netegrity tool also allows GXS to push much of the decision-making regarding who can see what out to its customers.
When a company signs on to become part of a GXS exchange, it chooses some information by which to identify itself and posts background information for other companies to see. It is up to the other users of the trading network to determine whether they want to trade with each other, a process that Fisher argues requires a deeper, "out of band" kind of communication than can be accomplished online. This kind of two-tier identification process "takes us out of being the trusted agent in the sky," he says.