Time to send a consistent message on security

When it comes to network protection, the market is confused, security specialist Jon Oltsik writes.

Jon Oltsik
Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
4 min read
One of the great things about the Internet is anonymity.

Assuming that you block cookies, you can go wherever you want to go and blend in with the crowd. When it comes to security, however, this user and device transparency creates a slew of problems.

Imposter attacks like phishing, IP spoofing and social engineering are the obvious examples, but there's another aspect here. Identity is closely related to trust (that is, who can talk to whom) and integrity (that is, checking the "health" of a network node before granting access).

The lack of integrity checking is no minor issue, as one infected end node can spread malicious code attacks across the network in a New York minute.

In a survey my company carried out last year, security professionals were asked to identify the most common sources of automated worm attacks. Not surprisingly, three of the top four causes pointed directly at dirty PCs. Forty-three percent said employee laptops were the primary source of worm attacks, 34 percent fingered contractor laptops, and 27 percent claimed that home PCs connected to virtual private networks (VPNs) were the guilty parties.

The technology industry isn't asleep at the wheel here.

Think about this for a second: Every time someone logs on to the network, his or her device may be propagating the next Bagle or MyDoom.

The technology industry isn't asleep at the wheel here. Whether you call it network access control, end-point security or network integrity, lots of vendors are talking the talk. The problem I see is that everyone has a different message, and the market is totally confused. Does this type of protection belong in operating systems? In the network? Should agents be deployed independently, or will these agents be distributed as part of Internet security suites? If you listen to industry rhetoric, solutions live everywhere and anywhere. Users are rightfully scratching their collective heads.

How do users make sense out of this situation? The answer is that they don't. While vendors pitch proprietary solutions, users remain vulnerable. What's more, PCs are just the tip of the iceberg. What happens when devices like PDAs, smart phones, refrigerators and Ford Escapes start logging on and spreading worms? This has all the makings of a hacker victory.

One potential way out of this quagmire is the work being done by the Trusted Computing Group, or TCG. For some reason, the organization fails to receive the recognition it should in the enterprise market. Often, it is viewed as an Orwellian "Big Brother" by consumers. But TCG holds much potential for improving security in large organizations.

As TCG standards proliferate, end devices such as computers, cell phones and storage will have security "baked" into onboard microprocessors (this is called the Trusted Platform Module, or TPM). Each device will thus have a unique identity, and the technology can be used as a basis to set up trust relationships, encrypt files or perform integrity checking to make sure devices are "clean" before entering the network.

TCG holds much potential for improving security for large organizations.

There are already about 60 million TCG-capable computers in the world. This number will climb to hundreds of millions in the next few years. The number could easily reach into the billions, if TCG gains a foothold in disk drives, cell phones, servers and USB storage. Since we're talking about a standard implementation and software stack, management software will be able to reach across TCG devices, delivering back-end functionality for identity and trust. No secrets here.

Maybe it's me, but I just don't see any other technology on the horizon that has this type of penetration and potential to improve security. As such, I suggest the following:

•  Chief information officers should begin mapping how TCG fits into their security planning around identity management, confidential data protection, network integrity and enterprise digital rights management.

•  Longer-term security planning should include TCG as a foundational technology. Make sure to have your vendors tell you where TCG fits into their product road maps.

•  Demand that vendors follow the crowd. This is a done deal in the PC business but not so in other segments of the computer industry. To its credit, storage vendor Seagate Technology has committed to TCG at the disk drive level; others should follow.

One other note on the subject of vendors: Most of the networking crowd (and Microsoft) have embraced the Trusted Network Connect, a TCG standard for end-point integrity. Unfortunately, networking giant Cisco Systems remains on the sidelines.

Cisco says it doesn't work with industry organizations like TCG, preferring instead to work with actual standards bodies. Cisco is an active member of the Storage Network Industry Association so this story doesn't hold water. Cisco really should participate in this process for the sake of the industry and overall security.

TCG is by no means security Nirvana, but it will make it a lot harder to impersonate a real node and steal data stored in cleartext. It is also quite real; 60 million PCs prove the concept. What's more, TCG is also free, so the roots of identity and trust will happen organically without a lot of ripping and replacing.

There's been a lot of chatter about how to improve security. This could be it. It's time that the IT and vendor community paid closer attention.