Identity-based encryption (IBE) was first proposed by Adi Shamir over 25 years ago, and later realised by Dan Boneh and Matt Franklin in one scheme and by Clifford Cocks in another. If these names don't mean much to you: Adi Shamir is the S in RSA (Rivest and Adleman being the R and A). Dan Boneh co-founded Ingrian Networks and Voltage Security, as well as advising many other important crypto companies on the West Coast. Clifford Cocks is a Brit who, working at GCHQ, invented the equivalent of the RSA algorithm before Rivest, Shamir and Adleman did, but wasn't allowed to divulge anything about it because the work was classified. In short, they are the biggest names you can get in cryptography.
So, you'd think that IBE was a bloody good idea then. Well, yes, it's a cracking idea... and as an idea, it will remain cracking. As a practical implementation of encryption, however, it's nothing short of impossible. Trust me, I've tried. There are currently two products you can do this with: Voltage and Trend Micro.
I've been assured that Voltage's approach to database encryption is a good one (by Voltage), and from what I know about IBE, I can imagine that it might work, but they don't push much on email (or didn't when we last spoke - I see they are talking about ING Canada on their website now). Trend Micro of course bought Identum, the email encryption company out of Bristol University. Basically a student project which ended up being bought by a company which thought they were getting a cutting edge, fully developed product.
I spent a long time trying to install this product, and never got it working how I wanted it to. There are just too many mandatory requirements for it to be practical. You may think I'm saying this because I'm more interested in PGP, but actually, this is the reason WHY I'm backing PGP.
Until I came across Trend I had kind of ignored email encryption - email is an inherently insecure method of sending information, why encrypt it? Choose another method if you want to exchange or send information. However, I've always had faith in people's ability to learn new things, and apparently that is misplaced. People in finance and law are too busy or too helpless to use anything other than email apparently. The smartest and richest people in our country are simply too stupid to learn how an FTP server works, so secure mail we must.
That was basically how Trend presented it, and it apparently started to get some traction, so much so that I got to work on a secure email project recently in one of these places. It didn't work, and I've heard of others where it didn't. I never heard of one which did. At this point I took matters into my own hands and found PGP through some friends of mine.
Why isn't PGP bigger? Why isn't it everywhere already? Well, simply because they haven't pushed it onto everyone, but let people pick it up as they need it. I'd love to show it to everyone in the financial industry in the UK and let them see just how good it is for encrypting mail. Many of them have it already, for Whole Disk or File Encryption, some already have a Universal Server holding their keys, and a policy server holding policies. Adding mail encryption is barely any work, or cost, in these environments.
Saturday, 4 July 2009
Friday, 3 July 2009
Cheap as chips, safe as... chips.
I'm constantly amazed at how little strategy there is in most organisations. It doesn't matter how big or how small, I have rarely come across an organisation that has a fully joined-up security strategy that makes sense.
If you think you are one of these people, please set me straight, invite me in. I might stay.
I have been speaking to some people recently who have a large say in standards throughout financial services. I'm not going to name them as it would be embarrassing for them. They have created products in the past which are poor to say the least. Now they are backing an even poorer choice. I wonder how much of this is based on a friendship between directors, or a financial reward already spent.
Sadly there is still far too much of this going on in security. When will people learn that the cheapest solution WILL LET YOU DOWN? There are project methodologies like PRINCE2, RUP, etc. for a reason. You NEED to know your requirements before you install a product. Just because you get the licences for a pound doesn't mean it's the best solution to your problem.
I'm shaking my head whilst I write this, because that looks even more ridiculous when I write it down, and yet that's exactly what SafeBoot did to the NHS. The NHS was using PGP Whole Disk Encryption; now they are using SafeBoot because it was £1 a licence. Of course next year's support budget will make up for the massive losses they made, when they jack the prices back up again, plus the extra for licence costs.
The sad thing - the NHS now needs secure email, which would have cost them just another £10 per seat with PGP, and they're stuck having to go back through the whole process again, back to tender, and will come out with another product, probably one which is the cheapest, and it won't do exactly what they want.
OK, I know it's easy to point out mistakes after the event, but is there really any excuse for this sort of behaviour from so-called security companies? Is this really the way to encourage "strategy"? Wake up people... the government of this country is already a laughing stock, don't feed them ammunition.
Monday, 15 June 2009
Not on crack
No sooner do I start up on the old blog again than Mike pitches in and pushes me off my training wheels. Thanks Uncle Mike. No, I'm not really being a whining limey/pom bastard or whatever you call us these days. But Mike, you aren't in the UK, and, with respect, you are the one on crack.
The only people doing any projects at all at the moment are government departments. They have all been handed down mandates to encrypt their data. Every financial institution in the country has suddenly realised that they are incredibly vulnerable. The world is a different place. The UK doesn't always follow the US, not when the drivers are different.
[By the way, the reason I've been 'away' for 9 months is because I was on a top secret assignment inside one of these institutions. You think everyone's got data security sewn up already? Not by a long chalk.]
Oh, and as to your "it's too damn hard and costs too much money" - maybe if you're still in 1995. I've been in the encryption game for coming up to 10 years now, and the market is more buoyant than ever, despite the fact that money is being cut elsewhere.
Come forward to the 21st century, and we don't have to use PKI any more. We don't even have to know much about keys unless we're installing. PGP didn't become the standard for encrypting email by accident my old mate. Cheap, usable and really so simple that even a Senior Vice President could install it. :)
Friday, 12 June 2009
Is encryption finally going to have its day?
I think so, for a number of reasons:
The Government is handing down mandates.
After a number of high profile incidents, including an MoD laptop left on a train, the rules are being tightened across government departments. Despite the NHS being told that they have to strip budgets back to the bare minimum, they are still being told that encryption of sensitive information is a priority. This is nothing short of amazing for encryption.
Networks are maturing to the point where encryption really makes a difference.
5 years ago encryption didn't really make any difference. If you encrypted information, you felt safe, but anyone gaining access to your systems (normally an insider with a legitimate user account anyway) could take the information along with the keys. So all you were encrypting was the infiltrator's route to your valuable data. These days networks have intrusion detection, application firewalls, database protection, security policies that actually make sense (OK, not ALL networks!). In this situation, encryption really is valuable and not just a feel-good factor.
Regulatory bodies are catching up with the meaning of encryption.
Leading on from the previous point, where the networks are catching up, possibly due to the regulations they have to comply with in many cases, the regulatory bodies are also understanding the ramifications of what they have previously mandated. Where the PCI DSS made sure that people were securing their networks, many people have also noted that encrypting huge databases of information is often impractical: OK for the big retailers, but for Level 4 merchants to use the same kit is frankly preposterous. A more pragmatic approach has allowed people to achieve compliance without meaningless application of rules, allowing the security to catch up first before the compliance drowned it out.
So all things are converging towards encryption being a) required by law, b) required for compliance, and c) actually very useful. Maybe later I'll explain the choice of product I'm backing.
Thursday, 11 June 2009
De facto
Always good to pad out a post with a bit of Wikipedia:
De facto is a Latin expression that means 'concerning fact'. In law, it is meant to mean 'in practice but not necessarily ordained by law' or 'in practice or actuality, but without being officially established'.
Basically, it's stuff which happens because people want it to happen like that, and they vote by doing. It is often said that RSA SecurID is the 'de facto' standard for two-factor authentication, and I would concur that there is really very little competition. Cisco is the de facto standard for switches and routers, Microsoft for Operating Systems, Google for search engines and so on.
I've worked with encryption for a loooong time now (yep, 4 'o's worth), and whereas RSA BSAFE is de facto for browsers, there hasn't really been anything you would call widely accepted as 'the way forwards in encryption'. I should know, I've worked for most of them at one time or another, and none of them has been able to gain the market share or trust they want.
But, without me noticing, and that's often the way, there was always someone there in the shadows, waiting quietly, lurking in my emails, and on bulletin boards, in forums and in applications. Using exactly the same principles of key exchange as SSL - the only other real 'standard' in encryption (ok, "key exchange", you pedant) techniques - PGP have actually been there for years.
So much so that the UK government have just announced that they are using PGP for their whole disk encryption, and email. That's a pretty big deal when pretty much every government department has been told to encrypt everything from now on, or else. More on this later... for now I have more reading to do on PGP. As the bandwagon rolls into town, I'm jumping on to see if I can't ride it through.
Surely THIS TIME encryption's going to be the next big thing??
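The key-exchange principle the post above says PGP shares with SSL is hybrid encryption: public-key cryptography delivers a one-time symmetric key, and a symmetric cipher carries the actual message. The Go program below is an added illustration of that principle, not code from this blog, from PGP Corporation or from the OpenPGP standard; it uses Go's standard library and current choices (RSA-OAEP and AES-GCM) rather than the OpenPGP packet format, and the names Envelope, Seal, Open and RoundTrip and the sample message are this example's own. It also makes concrete the earlier post's warning about keys stored next to the data: whoever holds the private key opens every envelope, so the protection is only as good as where that key lives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a hybrid ciphertext: a one-time symmetric session key wrapped
// under the recipient's public key, plus the message encrypted under that
// session key. OpenPGP messages and TLS sessions using RSA key transport share
// this shape: the bulk data never goes through RSA at all. (Field names are
// this example's own, not OpenPGP packet names.)
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, sessionKey)
	Nonce      []byte // AES-GCM nonce, unique per session key
	Ciphertext []byte // AES-256-GCM(sessionKey, plaintext) with auth tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg to pub: fresh 256-bit session key, AES-GCM for the bulk
// data, RSA-OAEP (SHA-256) to deliver the session key.
func Seal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, msg, nil),
	}, nil
}

// Open recovers the session key with priv, then authenticates and decrypts
// the message. Only the holder of priv can do the first step; if priv sits on
// the same box as the data, the envelope adds nothing.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: " + err.Error())
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip seals msg to a freshly generated recipient key and reports the
// recovered plaintext, whether an unrelated private key is rejected, and
// whether a single flipped ciphertext byte is detected.
func RoundTrip(msg string) (recovered string, wrongKeyRejected, tamperDetected bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	env, err := Seal(&recipient.PublicKey, []byte(msg))
	if err != nil {
		return "", false, false, err
	}
	pt, err := Open(recipient, env)
	if err != nil {
		return "", false, false, err
	}
	_, wrongErr := Open(other, env) // OAEP unwrap fails under the wrong key

	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // GCM tag check fails on any modified byte
	_, tamperErr := Open(recipient, &tampered)

	return string(pt), wrongErr != nil, tamperErr != nil, nil
}

func main() {
	// Constructed sample message for the demo.
	pt, wrongKey, tamper, err := RoundTrip("board minutes: constructed sample message")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\nwrong key rejected: %v\ntamper detected: %v\n", pt, wrongKey, tamper)
}
```

Run it with go run. Besides the plain round trip, RoundTrip shows that a different private key cannot unwrap the session key and that a single flipped ciphertext byte fails GCM authentication, which is the integrity property any modern encrypted-message format is expected to provide on top of confidentiality.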
Saturday, 31 January 2009
Epic Google fail
[This post is in honour of Walt Conway, who prodded me last night to ask why I haven't blogged since October. Has it really been that long? Thanks for noticing! Well, I'm still here, but have been asked ever so politely by my current employer to refrain from posting whilst under contract as their security is paramount, and I'd only end up giving something away...]
Today, as I search for my usual Saturday afternoon information, I note every site has been marked as unsafe for human consumption:
"This site may harm your computer."
...appears for every page which comes up in your search results. Following the link takes you to an interstitial page. I know this because it's prefixed in my address bar with:
http://www.google.com/interstitial?url=
I can't follow any link on this page to get to the page I want to (an IT distributor's website, run by friends of mine). Google are costing people business, although the people they usually cost business are possibly profiting from this major fubar.
Yup - today, for one day only, I'm going to check out Yahoo!
Friday, 31 October 2008
Pitchforks in sheds
I once heard someone describe network tools as 'pitchforks in sheds' - the basic premise being that although the tools themselves were all incredibly useful, without someone to use them, they are essentially useless.
I've looked at a lot of security tools in my time, and have seen some great ones. HP recently showed me WebInspect, which looks like a great hacking tool on its own, and an awesome development and QA tool in conjunction with other pieces of software in the family. They obviously know this, because they invited me to a dinner which I sadly couldn't make. I always think that when a company is confident enough to invite critics for a dinner, the tool is probably a market leader which wants to stay in that position. If it's just a presentation, then it's probably a start up. Just a thing I've noticed over the years... anyway, back to the point.
There are a great many tools out there which are very useful for networks, security focused or otherwise. However, without someone to roll-out, manage, and insert into processes - i.e. to get them used now and in the future - you may as well make a big pile of company cash in the car park and have bonfire night early.