Sunday 28 October 2007

Spamalot

Well, I know security is cool enough to attract spam, but apparently I am also now popular enough to get it in my comments. Hoo-bloody-ray. Really, I'm probably not the best person to pick on, I got this in my comments box today:
"Don't forget to visit, http://securityrules.blogspot.com have fun"
From "Visitor" at IP 221.132.113.179. A quick look at the Whois for this site reveals it to have come from somewhere in Asia Pacific. A quick look at securityrules reveals it to be chock full of adverts and links to stuff you don't want to go to. The articles are an odd mix of pseudo-relevant and advertisement, but I wonder where they are from. Anyone recognise these as your own work?

I really don't understand why people do this, and certainly not why they target me if they do. Don't they know I'm going to bite them?

Saturday 27 October 2007

The less we write, the more they read...

...apparently, so I'll be keeping this short.

Thursday 25 October 2007

Features or scaled down products?

Chuck Hollis of EMC has posted an interesting article this weekend. The products versus features argument is one I'm only too aware of having worked in data circles for so long.

A point which Chuck manages to scoot over quite well is the fact that, whilst "every time I see some small company getting attention over some feature they've brought to market, a part of me is saddened by the ultimate reality that it's highly unlikely they'll make it alone", he still works as VP for Technology Alliances for EMC, so he kind of has the ultimate say in whether they will make it at all these days. I guess it's not surprising, the cream always rises to the top, and he's obviously got a great eye for the right products. This isn't really the point.

What interested me was his comments about Decru and Neoscale, two companies I have had direct and indirect contact and competition with over the years. Decru are a laid back bunch, no doubt aided by their recent(ish) acquisition by NetApp, which left all concerned with reasonable pay-offs and the chance to hang on to their old jobs. Apparently NetApp haven't spent much time working them into the company as a whole, but the technology is being adopted and built in to the existing filers. It will be interesting to see what becomes of "Decru - a NetApp company" when this process is finished. Will the feature become part of the product and therefore exist no more? Will the Decru guys and girls be overly concerned if/when it does? It was undoubtedly a good acquisition for NetApp at the time, but are they kicking themselves now that they didn't try and code it themselves?

Neo on the other hand don't have the luxury of acquisition investment, and there have been various reports pertaining to the fact that their product is also just a feature - a feature which companies like EMC can apply to their storage much more easily than a device out in the SAN fabric. There are no such questions surrounding their existence as part of another company then, so is it too late for acquisition on their terms?

There was a rumour going around at RSA which I am interested to find out the truth behind. Having said that, there was a rumour about Vontu recently, which I have straight from the horse's mouth (Kevin Rowney, founder and CTO who I am having lunch with the week after next in SF) is completely fabricated. Hopefully I'll have more on the Neo story in a few days time, but due to America's strict libel laws I will keep my mouth shut - I'm flying in on Saturday and Hoff has already threatened to put me on the no-fly list, I can do without a lawsuit too. :)

Tuesday 23 October 2007

RSA keeps it real

I've been at RSA this week, the conference, not the company. It's the first one I've attended, but the second conference I've been to at ExCeL in London - the Exhibition Centre London, way out in the East End's Docklands for those who haven't been. The first show I attended here was called Complitech, all about compliance and technology, sounds fun right? Well, it can't have been that appealing as I sat there for 2 days (I was exhibiting for Kinamik) and watched around 12 people wandering through the doors, and I'm sure 6 of those were looking for the stairlift conference (sadly I'm not making this up) next door.

Back to RSA then, and whilst there are more than 12 people (there are at least 1000 people manning the RSA stand alone) it's not as busy as other Information Security shows I've been to this year. This felt like the InfoSec shows of yesteryear, no nurses in short skirts, no gorilla outfits, Fortify had 2 men in suits - no giant from 'Hackistan' as in previous shows - but I couldn't help but look at the girl on their booth with the legs. She must have been chilly in those shorts. I wonder how much she knows about security? I'm meandering off the point for some reason... where was I?

Oh yes, the hall was embarrassingly empty when I arrived, like it had been at Complitech for the full 2 days. I was beginning to think that maybe ExCeL just isn't the right place for a show. But then "Stairlifts and Chairlifts" had been well attended, maybe all the reduced mobility domestic assistance salesmen in the UK live in East London? I couldn't prove otherwise thinking about it. Then the keynote speeches finished - shame, I would have liked to have seen Bruce Schneier's "Security 101" lecture - and the hall became modestly full. By lunchtime it was buzzing, and in the afternoon there were people chatting all over the place, deals being struck, and drinks being drunk. This is how I remember conferences in the old days, before it all became commercialised, and I'm grateful to RSA for keeping it like this. It's less noise, more signal, and I for one, as a serious security professional for a moment, appreciate this.

I managed to miss lunch altogether by getting completely engrossed in conversation with Brian Honan, over from Dublin for the duration of the conference. An interesting man with plenty of practical knowledge and a gentle yet wicked sense of humour that only the Irish seem to be able to pull off convincingly. I rather lost track of time, but I think we chatted for about 2 hours before surfacing and the conference seemed to have almost finished without us. I think today is going to be busier, and I'm looking forward to meeting some other people today too. I find people in suits less intimidating than girls in short skirts to strike up a conversation with. I'll always be the little geek at heart - despite being a rugged and handsome young man now...

[Thanks to Karen Friar for the write up and massive picture.]

Saturday 20 October 2007

Closing the gap

I haven't seen anything really new and interesting recently. I love seeing new technologies, and especially new security technologies. I was really happy at InfoSec this year when I saw Secerno, AppGate and Centrify. I hope I'll come across them again at RSA next week, but I'm really looking for something more.

I have an article being printed in Computer Weekly soon (I'll let you know when it hits) about US and UK security markets, and why there's such a gap. I won't spoil the surprise by discussing it here, but most people who read this will already broadly know. The outcome of it is that there is usually a space of 4 or 5 years between something becoming popular in the US, to becoming popular in the UK.

My current position is a case in point. I was at a reseller who tried to bring Ingrian into the UK 5 years ago or so, and we had real problems getting broad interest. We are now inundated with work. This isn't an Ingrian advert however.

No, what I'm looking for now are the things that are interesting, up and coming, and tearing up the market in the US right now. I don't know if I'll get to see these at RSA Europe, because of the very fact that most technologies take 4 or 5 years to become popular over here once they are established in the US. It's a bit of a Catch-22 really, but since I've won a trip to RSA2008 in SF, I'm thinking I can probably wait a few months.

Of course, there's always the chance that I'll come across some badly informed companies who are trying to break into the market here before it's taken off in the US, in which case I will do everything I can to encourage them. It's about time the UK started to encourage security a bit more, ignored the channel and encouraged new and exciting ideas. I'll be in SF in 2 weeks and I want to see some seriously good technology, but it's a hell of a long trip, I'd rather have it on my doorstep.

Friday 19 October 2007

Swindon Communists

It's not often that I listen to something an American tells me, but a couple of weeks back I had the fortune to travel the highways and byways of Southern England with a guy from Orange County, CA. He told me various stories, many of them centering on his cousin, of whom he is obviously very fond, who lives in Swindon. Poor sod.

Said Swindoner was a mover and shaker of some sorts in the British Computer Society, one of those acronyms I've heard of and keep hearing of more regularly, and have even considered joining to the point of downloading the application forms. Then it all got a bit tricky and I gave up.

So instead of being a characteristically lazy bugger, I sat on my fat behind and emailed this chap. He got back to me quickly and I ended up talking to another geezer from Swindon about how great the BCS truly is. He then said the magic words "online application form" and I was hooked. I even got a 10% discount for my troubles.

The BCS does have some serious points to make, and this is something I took on board whilst talking to my wife again on a recent jolly back over in Spain. She was lamenting the lack of good computer teaching in schools. She trained as a teacher and never entered professionally because the kids (in Swindon - ironically and circularly) were a nightmare. I told her that I couldn't do it, and wouldn't because it wouldn't pay me anything close to what I get now.

It's true, sadly. Those who can, do, and sod the rest. I've thought about setting up schemes with Universities to share knowledge, but I just don't have the spare time. A blog is about as altruistic as I get. My ideal would be to get the pros talking to the Unis and the Unis talking to the schools, then everyone magically living in my little communist utopia happily ever after. I don't think I could make that work - certainly not with my selfish money-grabbing attitude.

The BCS are nicer than me though, probably because they've had to suffer in Swindon for so long. I'm sure there are many people in the BCS outside of Swindon who are nice too. They are aiming to share knowledge, create professional standards, and set up an infrastructure like most other long standing professions have. It's great that computerists can finally be recognised and supported by their peers. Maybe it'll stop all the cliqueyness in IT? Maybe not, but I'm sure they have made Swindon a happier place.

[Disclaimer: The BCS has offices all over the UK, I just happened upon Swindon for personal reasons. Swindon is one of the loveliest places in the UK, nay the world.]

PCI project blues

I've just been talking to the PCI project manager of one of the largest retailers in the UK. I won't go into any more details in case I give away too much, but the content of the discussion was very interesting.

First of all his assertion that he didn't care about PCI was no revelation - he just wanted a tick in the box. That he said it didn't bring any benefit to the corporation - "We just want to sell things" - was also no big shakes. He'd had resellers and QSAs crawling all over him like a rash, which is sad, but hardly surprising. I expect he's paid well enough to put up with that.

What surprised me was the advice he was getting from his QSA, that all of his branch offices needed IDP/IDS. I must have reacted in the same way as he had done when told that because he smiled wryly at my furrowed brow and said: "That's bollocks isn't it?"

Well, yes, I'm afraid it is. Please correct me if I'm wrong, but no-one needs to have intrusion prevention systems installed at every branch location. Especially not when they're putting encryption in place, practically unbreakable, centrally-managed encryption at that (yes, that would be Ingrian Networks, of course). Not when they have things like firewalls in place. At head office, where the processing is done on the cards and they are stored in databases, perhaps this is valid, but at branches where they are held safely encrypted until they are sent offsite, this is just a waste of money.

I don't think the US is this stringent yet, and the UK certainly isn't. I'm sure VISA and MC would jump up and down shouting hurrah and huzzah if everyone did this, but they would have to recover from the shock first. It just doesn't happen, especially when other retailers are shelving their PCI projects altogether because they can prove they've started them when the auditors come round, and that's all that's required to be compliant right now.

Come next audit of course the latter company will have to show that they are moving again, so effectively all they are doing is making their PCI project more urgent, probably squeezing it into 6 months at the end of next year, when the aforementioned will be compliant by June '08 and squeaky clean - just in time for a change in the rules no doubt.

I have heard no more about the requirement for FIPS being introduced into PCI DSS, but it seems so unnecessary that it is almost destined to happen. Any light that can be shed on this would be much appreciated. I've got another meeting to get to.

Thursday 18 October 2007

Traveling again

I'm sitting in a hotel room in the North of England, several hundred miles away from home, contemplating the past few days and weeks. I haven't blogged much, certainly not daily like I used to, because I'm just so bloody busy, and I really miss it. I used to use my blog as a method of getting my randomly organised ideas down and hopefully get people to give me some feedback and/or input. I've really missed that input recently. So I'm going to be more disciplined, just like I am with the gym - ahem. Well, I'll maybe start with once a week and build up then.
Today I have finally booked my trip to the US. I will be in San Francisco from 4th to 10th of November. I am already booked out from 5th-7th at Ingrian Corporate, but I'm really looking forward to meeting up with a few others (non-Ingrian related) as well. I just extended an invitation to Mike Dahn over on PCI Compliance Demystified to take me out to dinner like I did him last time he was in London, generous as I am.
I want to meet as many US based security types as possible in my short week out there, as I won't be back until RSA 2008, and that's months away.
Who knows, I may even write something about security again if I get inspired...

Sunday 14 October 2007

I've got a little behind

OK, it's a cheap headline, but I wanted to see this come up in the SBN feed and it made you read this didn't it?

Suffice to say:
  1. Business is booming like I had never believed it could
  2. I've won a trip to the RSA Conference in San Fran next year for a piece I wrote on ZDNet
  3. The ISC2 have asked me to write some stuff for Computer Weekly, the first of which I've just zipped off to the editor
  4. I'm starting another blog over on WordPress concentrating on datacentric security (datacentric.wordpress.com if you haven't guessed!), and hoping to get some really interesting people involved (if you're an interesting person, do drop me a line if you want to get involved)
All of which means I've got no time to write about security... sorry.

(If you're one of the many people I've promised a phone call, email or date in the diary, I apologise profusely - call me if you see me online and give me hell.)

Wednesday 10 October 2007

Evolution

A long long time ago, when I was in short trousers and sandals, a spotty bespectacled youth named William invented some software named Windows. Or he stole it from his friend Stephen, depending on the version of events you prefer. Whatever, he made a bundle from it, and his vision of a computer in every home was well on its way to bearing fruit. Now, there may not be a computer in every home, but on average, we must be approaching it. I can count 6 from where I'm sitting (in my home), and there are others in other rooms. Those are just the PCs. There are computers in our phones, watches, cookers, boilers and cars. In short, they are everywhere. They have always grown up in the most convenient way possible.

In the 50s and 60s, computers filled whole buildings and data was kept in vast underground storage facilities on reel-to-reel tape. In the 70s and 80s cassettes and disks were born, and in the 90s and today, hard disks, optical disks, etc... The capacities are increasing as the size decreases. The same goes for memory, Moore's Law stating that the number of transistors on a chip doubles roughly every two years - and whilst we're almost at a stage where that can't possibly keep happening due to physical limitations, quantum computing is now very much a reality. It's all pretty amazing how far we've come in such a short time, but that's mainly due to the vast sums of money to be made - young William now being the richest man in the world and everything.

At around the same time as Bill Gates brought computing to the masses, a company in San Francisco was switching on to the fact that these computers needed to be connected to each other. At first, Cisco Systems built dedicated Unix devices to take the routing load off machines passing messages around the internet. Where one machine had been sufficient for a whole department, government or university, now multiple machines were to be found in each physical location, and routing was becoming more complex. If each machine was to figure out its own routing, it would detract from its core function. Routers were a prime example of a technology of its time. Routers are still used everywhere on the internet, even in my house I have one - I need it to connect my many PCs and servers to the internet.

Routers have become much smaller over time of course. I wonder if we couldn't build them back into the machines again now they are so trivial, but Cisco has cleverly made their functions suitable for devices which sit at the perimeter of networks - controlling ingress and egress, and sometimes even access. Quality of service is a neat idea which keeps routers firmly in and of the network. Spanning-tree, although horrible, also keeps them out there. VLANs, BGP, you name it, if it appears on a router, it's there not just as a technical feature, it's a business ploy too.

This is the reason I believe there is no lasting reason for firewalls in our networks, or many other network devices in fact. I hesitate to say this having had a nice couple of messages from Richard Stiennon this week, but this has always been my stance and I'm sticking with it. Firewalls can be built into routers, so could IDP, and any other UTM type features. The hardware box which sits at the perimeter, your router, can handle all of this on very little hardware. With your routers and switches properly linked and managed, you shouldn't really need any firewall capabilities anyway.

Eventually then, these devices could be part of every machine, controlled from a central point - I wonder if there's a new William who will do that one day? Could it be possible to have such security at the heart of an operating system? I guess the point of this is, every device we put in our network runs on a computer. Every computer we put in our network could run the devices, and if it were powerful enough to do so without slowing down, it would be a far better way of protecting a machine. It's only software after all.

With this kind of thinking, taken to its logical (or illogical maybe) conclusion, we can see that the perimeter disappears. This makes communication between networks far simpler and safer. Imagine a secure DNS server in every machine. No reason it couldn't happen. Firewalls managed by a network administrator from a central point, firewalls which reside on every machine - just an interface on the admins desktop to apply rules. Again, no reason why not. No device is needed to achieve this.

So what of my precious data-security? Can we do that without devices? No, I don't think so, because there are legitimate reasons for having secure, locked, tamper-evident, tamper-proof boxes for keeping keys in. Computers will probably never be that safe. However, by the same argument, will computers ever be built that we will want to run a bunch of security 'device' software on as well as our business processes? What will stop this convergence is the very thing that started it, economics. There will be a point when it is viable to stick personal firewalls on every desktop and have them centrally managed - we are probably there already. What is Anti-virus if not a personal IDP?

If everything that runs at the perimeter can be bundled up tightly enough, we could see the devices disappear. If this pushes the price of computing up too high however, economics will bring devices back up again. So, if the device manufacturers keep the cost of implementing the software high, devices stay, if they devalue, or open source becomes more popular, they go. Of course, when something becomes so popular, open source inevitably becomes a contender. These are the guys to watch out for. Microsoft can then snap them up and build them in, saying how great they are for supporting open source all the way. (Note Oracle doing this with Berkeley DB recently too - in a similar vein).

It seems to me that device based perimeter security is in danger of disappearing because of its own popularity, and it feels like we're on the cusp of this right now. A turning point where we will go one way or the other, and inevitably so once the market picks up in one direction.

I'd hate to see Microsoft monopolise the security market like they have done the OS market, but it would make things a lot tidier, and we could all get on with REAL security, data-centric like.

Tuesday 9 October 2007

The Keys of Encryption

Every so often, someone else writes something which makes me want to write a bit more down my own avenue. Often that person is Rich Mogull, and yesterday he wrote "you should write some more", which makes me want to write some more. Bad intro to what I hope is a familiar subject.

Everyone involved in security in any way at all, except maybe the bloke in the uniform in Tesco's car park, knows about CIA. We are taught to think about every situation in terms of Confidentiality, Integrity and Availability. I've talked before about how business thinks in terms of "Availability, Availability, Availability, confid... ooh, look, I can make money out of Availability."

But I'm not here to go 'ptchah' and 'humbug' at the business people, not this time anyway, not when I am one. No, I'm here to talk about the right way of doing things. Rich talked recently about encryption, a subject close to my heart. I commented that encryption is only about one thing - confidentiality.

This is true, and it's all it ever can be about. This is why I don't understand why there are so many companies (competitors of mine now I'll admit) trying to do new things in encryption, when really, there's nothing to it. No-one cares how you build a better mousetrap. They care how easy it is for them to forget about it and make sure it does its job.

My analogy

The only way encryption will ever do its job, however, is surrounded by proper controls. I have a very clear picture in my head when it comes to data security. Think of a block, a plain wooden block, the colour of pine perhaps, nothing special or fancy. That is my data. When I encrypt, I might chop it up, re-arrange it, paint it blue, chop it another way, paint it yellow and end up with something that is rather different to that which I started with.

Confidentiality

My block, although now no longer a block, nor pine coloured throughout, is still my block. If I chose to clean off the paint and reassemble in the original order, I would still have my block left. Indeed, if I leave my block out in the street in such a configuration, the chances are that an infinite number of monkeys will come along, and one will solve the riddle of the block.

Availability

Crazy? Yes, of course. The point being that encryption alone will not keep you safe forever. Not with all those monkeys out there. No, what you need is a physical control. So, I put my chopped and coloured block in a lockable box, and allow only one key to open that box. Ah, grand, it's all safe and sound. The only time I open the box is when I get my key out and look inside. Then I can build the block and look at it without anyone else being party to my beautiful block, and its blockness. Bliss.

Integrity

BUT... what if I fall asleep, and one of the monkeys rifles through my pockets? What if I just leave the key out on the mantelpiece for anyone to come and pick up? Yes, the monkey gets the block again. Actually, in reality, the situation is rather worse as the action of being a legitimate user applies access controls, which control the decryption key. So, just being able to open the box means the monkey can see the data. My beautiful block is exposed to the world.

The best way to ensure against all of this is to manage your keys properly of course, but key management also requires good user controls. User controls require not only good authentication, authorisation and accounting, but audit, and immutable audit trails at that.
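The block analogy above makes two claims worth seeing in code: encryption on its own buys confidentiality and nothing else, and whoever holds the key holds the block. The following is an added example, not code from the original post, and uses a deliberately toy construction (counter mode over HMAC-SHA256 as the keystream generator, with stdlib only, so it runs anywhere; in practice you would use AES-GCM or ChaCha20-Poly1305). It shows a monkey who never gets the key still flipping a payment amount in the ciphertext, because a stream cipher is malleable, and then the same tampering being caught once an integrity check (encrypt-then-MAC) is bolted on. The keys, nonce and message are constructed placeholders.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # bytes; assumption for this demo
TAG_LEN = 32    # HMAC-SHA256 output

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter mode: block i = HMAC-SHA256(key, nonce || i).
    # Demonstration only; not a vetted cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with keystream; decryption is the same operation. Confidentiality only.
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))

def malleate(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Attacker with no key: if plaintext byte at `offset` is `old`, XORing
    # (old ^ new) into the ciphertext makes it decrypt to `new`.
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: tag covers nonce and ciphertext, under a separate key.
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was modified")
    return encrypt(enc_key, nonce, ct)

if __name__ == "__main__":
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    msg = b"PAY 0100 GBP TO ACCOUNT 12345678"  # constructed sample message

    # Encryption alone: the monkey knows the format, not the key, and still wins.
    ct = encrypt(enc_key, nonce, msg)
    forged = malleate(ct, 4, b"0", b"9")
    print(encrypt(enc_key, nonce, forged))  # b'PAY 9100 GBP TO ACCOUNT 12345678'

    # With an integrity tag the same tampering is rejected.
    sealed = seal(enc_key, mac_key, nonce, msg)
    bad = sealed[:NONCE_LEN] + malleate(sealed[NONCE_LEN:-TAG_LEN], 4, b"0", b"9") + sealed[-TAG_LEN:]
    try:
        unseal(enc_key, mac_key, bad)
    except ValueError as e:
        print(e)
```

The MAC does nothing for the key-on-the-mantelpiece problem, which is the point of the Integrity section: anyone who can read `enc_key` and `mac_key` (or drive the process that holds them) gets the block regardless, so the access controls and audit trail around the keys are where the real protection lives.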

Reporting and management

All the reporting and management gubbins around these important security systems are just a way to sell to the business. I say 'just', obviously security wouldn't go anywhere if we couldn't sell it. More's the pity.

Further to this, read Rich's posts on DLP/ILM, etc., they are fantastic. I sometimes feel like he's writing them just for me they are so good.

Sunday 7 October 2007

Coming to America

I never travelled much as a youngster (not that I'm a particularly old man now), apart from the odd holiday to France and Italy, even as far as Greece and Turkey, but never really that far out of Europe. When I reached studenthood - the time when typically people are spreading their wings and seeing more of the world for themselves, I got as far as Hong Kong, once, but nothing as exciting as America. I didn't get to the US until well into my 20s, when I started working with US companies, and every time I leave I feel like I've barely touched on a great country.

For all my ribbing of my American cousins, I feel a great kindred with them. A couple of years ago a work associate came over from LA and we spent a week travelling around Europe together. I've rarely enjoyed myself as much in a work situation. Just recently an SE from Orange County, CA came over to the UK and we spent a week traveling the UK (including Swindon and Exeter) and hardly got on each other's nerves at all. He then flew to Norway for the weekend for a cleansing of the spirit and wallet. I sadly didn't get there as I was hoping to catch up with Kai Roer. Next time Kai...

However, when I got back to base one day last week, I forget which, it's all been a bit of a blur, there was a mail in my inbox which caused quite a proud stirring. I wrote a blog entry on ZDNet, for a competition to win tickets to RSA Europe 2007, in London. Now, my reasons for entering were primarily because I'd screwed up the registration process, and had already written most of the content for the article in a post here. To my everlasting surprise, I won. Not only did I win a ticket to RSA Europe 2007 however, I have tickets and hotel (economy of course) to RSA San Francisco 2008 in April. Woohoo!

So, after months of speculation as to when I would be coming out to the West Coast, I can finally commit to a date, and to where I will be - RSA Conference 2008, April 7-11 at the Moscone Center in San Fran - with a full conference pass. I would love to meet you all (y'all) there. I should actually be coming out for a few days next month too, but I think I'll be pretty much heads down in Redwood City HQ. Don't let that stop you coming to see me (and that means you Mike D.)

Now for the freaky bit. I had a dream last night that I worked with Richard Stiennon at my old company. We were thoroughly nice to each other and I woke up feeling I had wronged him for taking the opposing stance on network security (my old company sold network security devices, if that helps in your analysis Dr. Freud?). What does this mean? Do I have some sort of deep desire to atone for my past sins of device-based deception? Do I have a secret yearning to work with Stiennon? Do I need therapy? Perhaps all of the above... maybe I just need another holiday?

Saturday 6 October 2007

Smart customers

So much for my 'series of posts' about getting back to basics that I promised last week. I hadn't realised quite how much my new position would take out of me in the first few weeks. I had a customer meeting yesterday with one of the UK's largest internet banks, they are being pressured by their acquirer to become PCI compliant by the end of next year, but don't want to fail any audits this year. In the meantime another customer has announced a complete security budget freeze because they think they can show they are making progress on their PCI compliance when the auditors come round. This is a big mistake in my opinion, but I expect they will get away with it, because they are a very large retailer - that doesn't mean they won't be breached.

So I'm back in the land of the customer, and REALLY enjoying talking about security again. I'd forgotten what it feels like to have a room full of people asking questions that I actually know the answers to. I guess some time in product management has taught me how to think on my feet, or rather like a product manager when faced with the inevitable 'when are you releasing an agent in Fortran77?', 'what is the encryption overhead on my z/OS/COBOL/AS400 mainframe likely to cost me in terms of network latency?' type curveballs.

The thing which is impressing me about these initial meetings is how much MORE people seem to know about security these days. There were 6 people around the table, 4 customers, 1 reseller and 1 me. Reseller and I listened with 2 ears and 1 mouth, the 4 customers asked some very intelligent questions - all the ones I had prepared to be asked, and some I had hoped wouldn't come up.

The thing which struck me was that although this was a meeting about addressing PCI compliance, they knew about security, and asked about security. The ONLY compliance question I was asked was 'do you have a list of the PCI boxes this ticks?' Which of course we do, but we do a hell of a lot more than that, and the customer knew it. They asked about future proofing, key management for distributed heterogeneous systems, separation of duties, application integration, the works.

I'm disappointed for compliance, but tend to think of this as a victory for common sense and security. I rather think it's natural selection. Maybe because this is such a large bank they can afford the bright sparks, but these weren't security guys, they were DBAs, Project Managers and Technical Business management. This makes me pleased, and encourages me to keep spreading the good word.

I have been having some exciting conversations over the past week with a couple of guys who will already be familiar to many of you. Without giving the game away too much, there is a new project in the pipeline which I hope to be able to give more news on in a couple of weeks time. As always, watch this space.

Tuesday 2 October 2007

Encryption and Key Management

I'm pretty busy this week, last week I was traveling around, meeting and greeting new customers, busy, but not having to think too much. This week I've had to re-learn some stuff I haven't done for a little while, and unlearn some stuff that I've worked with up until now.

I don't want to go into detail on things you can look up on Wikipedia. Encryption is done using algorithms, symmetrically in streams or blocks, or asymmetrically. In fact, talking of Wikipedia, there is a very good diagram of the different types of ciphers available here which saves me going into any more detail on this point too. Another area I don't really want to get into is the modes of block cipher operation, although they are a very interesting introduction to the next level of encryption for those who are interested.

So what do I want to talk about then? Well, I've represented a number of companies in this area in my time. I've worked with RSA, nCipher, Vormetric and currently Ingrian Networks. They all do it differently, apart from when they do it the same. I've also partnered with Utimaco and recently spoken with some of the team at Voltage, so you could say I've tried to cover encryption as broadly as possible, if not in depth, as this post probably proves.

If any of you know anything about any of these companies you will know that each of them concentrates in one particular area. It's not my position to criticise, nor to compare. Other than to say that I've ended up in a position where my skills are best placed in a market with great momentum, I will not comment on the strength of various solutions by name.

What none of these solutions has managed to do is create an all-encompassing encryption solution. What most companies would like to do is buy one system of encryption for laptops, desktops, servers and email. They would also love this to achieve full data protection. If you've read any of Rich's posts recently, you'll know this doesn't work; you need the full works. Rich is doing a far better job of explaining this at present than I can hope to, so I'm going to stick to my little corner of data centric security and bow to his superior experience in these matters. I'm also planning to speak to him about it sometime this week, perhaps I should record the call and post it here.

What works well for laptops does not work well for desktops. Laptop encryption cannot rely on a central repository of keys, because the machines are mobile and may have no connection to it. A key must be kept on the local machine, and the only way to protect it there is with a password. Therefore, laptop encryption can only ever be as strong as that password. In a fixed desktop and server environment, encryption can be administered centrally, and we can use asymmetric encryption to protect files.

In a database environment, file encryption does not protect from internal RDBMS users, i.e. the 'rogue DBA' we hear so much about. Row and column encryption is a far more effective way of protecting databases and applying proper controls. None of these solutions can protect email, and a special email encryption gateway is required for this, which brings up all the issues of end point protection, data leakage, and everything Rich has been talking about recently.

The method of encryption rarely matters: if the maximum strength algorithm and a large enough key are used, any method should be as good as another. The keys and algorithms are not the whole story for these methods however. Laptop encryption relies on a password, but the business drivers tend to be around speed of encryption, so algorithms are closely guarded. Desktop/server file encryption relies heavily on access controls and policies, as does database encryption. These are usually client-server encryption solutions: an agent resides on the machine whose data is to be encrypted, and the keys are kept on a key management hardware device, usually FIPS compliant, or available in a FIPS compliant option.

Email encryption has all of the issues of access control and key management, policies, plus the added complexity and overhead of having to encrypt, store and decrypt a large number of small files. I wrote about elliptic curve cryptography recently, and this looks like a great solution in this area, but not something that scales back to databases or file encryption, or laptops.

The real key to encryption is... just that, the key. With a symmetric key, if it is discovered, data can be breached, so asymmetric keys are preferable, because the private key can be kept protected. The private keys then become extremely important to an organisation, and very tough to manage; however, any algorithm can be used, and any method of encryption or access control/policy can be used. Key management is the killer app in the encryption space.
