Protecting information from would-be intruders

Security and the risks to knowledge management

Computer security has always been a matter of balance--access to information on the one hand, and protection of it on the other--but for knowledge management, the stakes are especially high. Information is the business. A crash is the equivalent of an assembly line shutdown in manufacturing. Whether the destruction was accidental or malicious, the effects can be paralyzing. Moreover, the publicity surrounding such events can do more damage to a company than the compromise itself.

Knowledge management has some qualities that pose special challenges for security. Information usually resides in many different locations, from mainframes to network servers, and supports multiple applications. Also, a great deal of knowledge management activity is now taking place over the Internet, which poses additional security challenges.

E-businesses are clearly at risk. Many of the high-profile compromises have been related to either denial of service caused by viruses or violation of customer privacy through unauthorized access to information such as credit card numbers or health records. The pull between access on the one hand and protection on the other is particularly strong for those online businesses. Customers need a smooth path into the services, staff need ready access to information for customer relationship management (CRM) and strategic planning, the supply chain needs to tie easily into data warehouses and other information sources. Yet the barriers that protect the data must be high enough to discourage would-be intruders.

Where are the risks?

The most potent security tool is neither hardware nor software, but rather a clearly stated security policy. It defines priorities for protecting information and services. It also provides a means for comparing what should be happening to what actually is happening, and therefore the basis for detecting problems.

"Security should be designed around the business for a complete solution," says Mike Jones, business line manager at PGP. PGP is a business unit of Network Associates Inc. , and produces a line of network security products, including CyberCop network monitoring software and several encryption tools. Jones notes that only a very small percent of companies actually have a security policy in place.

Unless an organization goes through the process of developing a policy, it does not have a way of identifying all the possible threats and how to counter them. Jones emphasizes that the majority of attacks come not from outside, but from within the corporate network. With that scenario in mind, organizations might well reconsider how they invest in security, given the reality of finite resources.

"Security needs to be integrated into the application development life cycle," says Chris King of Greenwich Technology, a company that designs and develops secure network infrastructures. "Usually the process breaks, not the technology. You need to step back and see what you are trying to protect, and the value of its loss or compromise."

He zeros in on one of the key conflicts within an organization: The people who define the security policy and the people who want it modified so their applications will run are not the same people.

Another struggle is that in the rush to get applications up and running in today's competitive environment, companies do not always give security the priority it deserves. The policy provides guidance to staff on what really needs to be done by the end of each day. It also delineates what actions to take in the event of a major security breakdown, right down to who should answer questions from the press.

A security policy can make explicit such often-heard--but frequently ignored--guidance as updating software with "patches" that close security loopholes and turning off services that are not being used. It can also encompass broader principles such as the use of multiple layers of security. In today's tight labor market, the individuals responsible for security may not have extensive background in the field, so consider the alternative of hiring experts to help develop a policy that can also double as instruction. A poorly configured firewall or outdated antivirus software can create the illusion of protection while leaving the information at risk.

Supporting Internet security

As a provider of e-business connectivity software, IPNet Solutions has a strong interest in making the Internet a safe environment for business transactions. Its eBizness 3.2 Suite includes eBizness Collaborate, eBizness Order and eBizness Transact. Each of those tools performs a different role in creating a virtual trading community through which companies can quickly integrate their business partners. eBizness 3.2 incorporates the new AS2 standard for electronic data security, as defined by the Internet Engineering Task Force (IETF), which includes secure socket layer (SSL) connections and other security features. eBizness can also use digital certificates to authenticate user identity.

"The most common misconception in assessing security," says Kian Saneii, senior VP of worldwide marketing, "is to think that value-added networks (VANs), which have been used for electronic document interchange (EDI) for many years, are secure because they use a dedicated line." Often the phone line is not secure, the data in transit is not encrypted, and the data on the server is not encrypted. IPNet's product can encrypt up to 2-GB files, such as catalogs, large image or sales forecast files, as fast as the data can be read from the drive.

Recognizing that concerns about security are inhibiting the growth of e-business, companies that support the Internet infrastructure are taking significant steps to enhance online security. EpicRealm, for example, recently announced its secured content service, which provides access to SSL-enabled applications and content on the Internet. EpicRealm's flagship product, priorityRealm, optimizes Web site performance by dynamically caching data to a server located near the user. That sophisticated system also addresses another inhibitor of Web use--slow response times. The combination of speedy and secure communication should prove attractive to organizations that want to deploy high-performance Web applications.

Protecting applications

Somewhat neglected in the past, application-level security is now receiving more attention. An important part of maintaining a smooth path to e-business applications is removing hurdles such as multiple passwords to address different services. Securant Technologies offers ClearTrust SecureControl, an access management system that provides multiple security services, including a single sign-on solution that works across multiple Web servers. It provides centralized control, but at the same time, detailed setting of permissions anywhere from the server level down through directory, application and Web page levels. The system can be used with passwords and also supports private key infrastructure (PKI), token cards and biometric authentication methods.

Rules for controlling user access are set through a feature called SmartRules, which grants or denies access requests without administrator intervention by comparing the business rule to information contained in the user's account profile. ClearTrust SecureControl also provides threat detection. If unauthorized activity is detected, such as multiple unsuccessful log-on attempts within a specified time period, the user's account can be locked up, the account owner and the systems administrator notified, and the activity logged for auditing. The software also provides the desirable feature of delegation. That capability allows user accounts to be maintained by departments, business partners or users, while access rules are managed centrally by system administrators.

Another single sign-on option is offered by Passlogix. Its v-GO SSO allows enterprise users to sign on to virtually any Windows, Web, proprietary or host-based application with one graphical or text-based password. The graphical password, in which the user manipulates an image on the screen, is stored as a series of mouse actions rather than characters, making it difficult to hack.

Sanctum's AppShield secures Web sites by blocking any type of application manipulation through the Web. It monitors and responds to unusual or unauthorized behavior anywhere on the Web site. A companion product, AppScan, searches for vulnerabilities and potential security loopholes.

VPNs extend the network

Use of a virtual private network (VPN) is a fast-growing solution that offers security to users who are geographically dispersed, and is ideally suited to telecommuting or traveling employees. Indus River Networks, recently acquired by Enterasys Networks, provides the RiverWorks Enterprise VPN. The solution is being implemented by Andersen, which sells windows and doors, to accommodate its traveling sales force and business partners. VPNs also support the use of authentication and encryption techniques such as PKI, which can be used to augment the security intrinsic to the VPN, and are a cost-effective, secure alternative to wide area networks (WANs).

Biometric authentication

Biometric techniques use unique physical characteristics of individuals to verify their identities. Fingerprint, voice and face recognition are among the most common techniques. Use of biometrics provides a greater level of security than passwords or smartcards because individual physical traits cannot be duplicated by unauthorized users, and will not be forgotten or lost. Those techniques are not well-suited to authorizing outside access to e-business applications, but they provide a high level of protection behind the firewall where many security violations occur.

NEC Technologies, active in biometrics for 30 years, introduced TouchPass 2.0 last year. TouchPass converts finger images into mathematical algorithms that are stored for user authentication purposes.

Saflink produces a suite of biometric tools that support authentication with a number of physical user identification traits.

AuthenTec has developed TruePrint, a solid-state technology that scans an inner layer of skin to avoid the "noise" that can result from using an outer layer that may be contaminated by dirt or calluses. The company offers an evaluation kit that can connect to USB and serial ports, so that prospective users can test the products, FingerLoc or the newly introduced EntréPad, before deploying enterprisewide.

A clean sweep

Many people know that files can be recovered after they are deleted, but fewer are aware that they can also be recovered after a disk is reformatted. AccessData, which has worked with law enforcement organizations on computer forensics since 1987, has developed SecureClean to ensure that deleted files are completely removed. It is intended for use when a computer is reassigned to a new user or proprietary information needs to be deleted. The product can be set up to run in the background on a scheduled basis, or by request from the user. The company also sells password recovery kits that help retrieve data that has been made unavailable by the departure of an employee or other unexpected event.

Seeing the big picture is as important for security as it is for knowledge management.

Eric Olden, CTO of Securant, says, "Sometimes companies focus on a limited aspect of security such as access control, but they almost always need a combination of approaches. Our view is that there is no such thing as absolute security--just risk management."

Security goals

Availability: Can information and services be accessed as intended?

Identification and authentication: Who is the sender of a message, and can the identity be proved?

Confidentiality: Is access to data limited to authorized individuals?

Integrity: Is the data in its original form, complete and uncorrupted?

Non-repudiation: Can the sender and receiver of a message prove that it arrived, and can the receiver be sure of the sender's identity?

Security tools

Firewall: Software or a software/hardware combination that filters incoming packets according to a set of rules, and rejects those that do not comply. Application/proxy firewalls prevent direct access to secure resources and hide network IP addresses from Internet visitors.

Encryption: The encoding of data to make it unreadable by unauthorized individuals.

Lightweight directory access protocol (LDAP): Protocols for accessing information directories, important in Internet security because it is an open protocol available to all types of servers, supports TCP/IP and allows access by nearly all applications and platforms to directories that contain information such as public keys and e-mails.

Virtual private network (VPN): Creates a private "tunnel" for data over a public network such as the Internet. VPNs may also use data encryption and authentication.

Public key infrastructure (PKI): Use of a set of protocols, services and standards to support public key cryptography, a method of authentication by which the sender encrypts data with a private key and the receiver decrypts it with a public key.

Secure socket layer (SSL): A session layer protocol that provides authentication and confidentiality to applications.

Auditing: Examining records and activities maintained in a log and comparing them to those defined in the security policy.

Intrusion detection: Monitoring user profiles for deviation from usual activity, or monitoring patterns of use to see if they match a known hazardous pattern.

Biometrics: Use of biological information unique to an individual to verify identity (e.g., fingerprint, retinal scan).