'Fortress' security is medieval
Written by EE Times
(02/12/2007 9:00 AM EST)
There were puzzled expressions at the lavish opening production of last
week's RSA Conference, where legions of dancing monks snapped their fingers to
David Bowie's "Under Pressure." Since Leon Battista Alberti, the Renaissance
scholar who developed the first polyalphabetic cipher in 1467, was the mascot
for this year's event, RSA functions were dripping with themes from Renaissance
Italy and those bad old medieval city-states that preceded the glorious era. The
theme opened the door to some interesting analogies, as speakers
cautioned against a walled-fortress approach to security. Everyone from
Symantec chairman John Thompson to Microsoft's Bill Gates derided the idea of an
information vault that's protected through perimeter defense and demilitarized
zones.
Online commerce, considered safe in the early days of Amazon and eBay, has
been devastated from without by fraudulent efforts to mimic secure Web sites. ID
theft and bank account misuse have become rampant, with phishing and pharming
efforts developing a sophistication that indicates the involvement of
international organized-crime networks.
With phony home pages of banking institutions almost indistinguishable from
the real thing, citizens need to be told never to provide Social Security, home
address or date of birth together online, unless they are absolutely sure of a
site's authenticity. Some worry that ID theft could get so bad in a year or two
that use of the Internet will decline, in favor of highly restricted intranets
inside zones of trust--akin to the special harbors of medieval city-states like
Venice and Genoa.
To cope with this dangerous world, security must be rethought. Art Coviello,
president of EMC Corp.'s RSA group, predicted the standalone approach to
security will die within two to three years. In its place will come an
end-to-end framework in which OS vendors, software specialists and equipment
OEMs will define comprehensive topologies that include
authentication/authorization, ID management based on dedicated hardware tokens,
fully integrated firewalls, embedded intrusion
detection and prevention, and automated key management in a world where
virtually all data and voice traffic is encrypted.
Is there a potential for civil liberties abuse? Yes. But with the security
libertarians leading the way, we can hope for a transparent, fully embedded
security environment that protects us from malicious abusers of the Internet,
while preserving commerce outside the type of walled fortress that should remain
a symbol of the Middle Ages, not the Internet age.
By Loring Wirbel, editorial director for communications
for CMP Media's Electronics Group