Internet Systems, April 1997
Indecent Exposure
Migrating your system to the Net may make smart business sense, but it also brings intrinsic security risks.
From birth, we are taught to be concerned about privacy. As children, many of us resorted to secret notes, code languages, whispered conversations, and magic decoder rings to convey private information to the select few. Telling someone our secrets made us vulnerable, and we realized that people we didn't want to know might try to find out our secrets. I like to think of those early childhood efforts at encoding secrets as the forerunner of today's encryption. As we got older, we were given school lockers and locks on our bedroom doors for greater physical privacy -- an early form of firewalls, perhaps?
At any rate, as children we were traumatized if the wrong person found out our secrets. In the workplace, however, we know that security breaches are beyond traumatic -- they can threaten the integrity of an entire organization. The explosive growth in the number of companies that have chosen to connect their networks to the Internet makes the issue of security more critical than ever.
Gaining Trust
For successful worldwide acceptance of the Internet as a method of commerce and information exchange, users must have confidence in it as a trustworthy medium. The only way to gain user confidence is to provide the latest, greatest, state-of-the-art security technology and to be able to change it quickly after yet another 14-year-old hacker breaks into your system and posts random pictures on your company's home page -- making a mockery of the system you worked so hard to set up. I'm being flippant here, but hacker intrusions result in more than just odd pictures showing up on your site -- they may also come with denial-of-service and impersonation attacks bearing such dramatic names as SYN floods, Web spoofing, and the Ping of Death. Meanwhile, other hackers simply lurk around your system, voyeuristically perusing the most confidential information they can find.
In most organizations, the network administrator is charged with the task of creating and maintaining firewalls to keep local data safe. Many other facets of security, therefore, fall within the realm of the DBA. In our cover story this month, we've focused on the crucial areas a DBA must be concerned with to establish and maintain a secure system. Author and programmer Dan Rahmel first explains the three crucial areas of security that a DBA must know about in relation to the Web: server security, user authentication, and session security. He then discusses the different encryption methods in practice today before leading you on a vendor-by-vendor tour of the security offerings of major Internet players.
Don't Let the Bit Bugs Bite
There has been much uproar recently surrounding the issue of the exportation of encryption software to other countries. Currently, the U.S. Commerce Department permits companies to export products with up to 56-bit encryption as long as the companies agree to provide a key recovery system that will help law enforcement officials access information in criminal cases. Since January 1997, however, the Clinton administration has granted special government export licenses to a handful of companies, including Open Market, which ships 128-bit encryption in its products. The debate in this area is heated, and the government might give in to corporate pressure and loosen its restrictions over the coming months.
Meanwhile, those companies that haven't received special licenses must grapple with weaker encryption. In an attempt to prove just how little protection short keys offer, RSA Data Security Inc. (Redwood City, California) recently sponsored a competition in which people were challenged to recover the secret keys used to encrypt sample messages with one of RSA's ciphers at several key lengths. The first level used 40-bit keys, and it was cracked in less than four hours. The next level used 48-bit keys, and it was unscrambled in 13 days. Every additional bit doubles the number of keys an attacker must try, but as these results show, doubling is not much of a barrier when the starting point is this low. Such statistics don't do much to promote an image of foolproof security.
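To make the contest numbers concrete, here is an added example (not from the magazine, the cover story, or RSA) of the kind of known-plaintext exhaustive search the contestants ran. It implements the RC5 block cipher with 32-bit words and 12 rounds, scaled down to a 16-bit key so the search finishes in seconds, and then extrapolates the page's 40-bit/four-hour figure to longer keys. The plaintext block, the secret key, and the 16-bit key length are constructed for the demonstration; `expected_hours` assumes the search rate stays constant as the key grows.

```python
"""Exhaustive key search against RC5 (RC5-32/12), shortened to a 16-bit key,
plus the key-length extrapolation behind the 40-bit and 48-bit contest results.
Added example; plaintext, secret key and key lengths are constructed."""

MASK = 0xFFFFFFFF                       # RC5 with 32-bit words (w = 32)
ROUNDS = 12                             # r = 12, the usual RC5-32 round count
P32, Q32 = 0xB7E15163, 0x9E3779B9       # RC5 key-schedule constants for w = 32


def rotl(x, y):
    """Rotate the 32-bit word x left by y bits (y is taken mod 32)."""
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK


def rc5_expand_key(key: bytes):
    """RC5 key schedule: turn a b-byte key into t = 2(r + 1) subkey words."""
    b = len(key)
    c = max(1, (b + 3) // 4)            # key words, little-endian packed
    L = [0] * c
    for i in range(b - 1, -1, -1):
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * (ROUNDS + 1)
    S = [0] * t
    S[0] = P32
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):      # mix the key into the subkey table
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc5_encrypt_block(S, block):
    """Encrypt one 64-bit block given as a pair of 32-bit words (A, B)."""
    A = (block[0] + S[0]) & MASK
    B = (block[1] + S[1]) & MASK
    for i in range(1, ROUNDS + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return (A, B)


def brute_force_key(plaintext, ciphertext, key_bits):
    """Known-plaintext exhaustive search: try every key_bits-bit key in
    ascending order; return (key, keys_tried) for the first key that maps
    plaintext to ciphertext, or (None, keyspace size) if none does."""
    key_len = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(key_len, "little")
        if rc5_encrypt_block(rc5_expand_key(key), plaintext) == ciphertext:
            return key, k + 1
    return None, 1 << key_bits


def expected_hours(key_bits, base_bits=40, base_hours=4.0):
    """Scale a measured full-search time to another key length: each extra
    bit doubles the key space, so (at a constant rate) the work doubles."""
    return base_hours * 2.0 ** (key_bits - base_bits)


if __name__ == "__main__":
    # Constructed known plaintext/ciphertext pair under a 16-bit "secret" key.
    secret = (0x1234).to_bytes(2, "little")
    pt = (0x01234567, 0x89ABCDEF)
    ct = rc5_encrypt_block(rc5_expand_key(secret), pt)
    key, tried = brute_force_key(pt, ct, key_bits=16)
    print(f"recovered key {key.hex()} after {tried} of {1 << 16} trials")
    for bits in (40, 48, 56, 128):
        hours = expected_hours(bits)
        print(f"{bits}-bit key: about {hours:.3g} hours at the 40-bit contest's rate")
```

Two caveats a practitioner should keep in mind when reading the output. First, `expected_hours` is the time to try every key; on average the right key turns up halfway through, and adding machines divides the time linearly, which is why the 48-bit challenge fell in 13 days rather than the roughly 1,024 hours the extrapolation predicts. Second, the same arithmetic puts 56-bit keys at roughly 262,000 hours (about 30 years) at that single contest's rate, a figure that shrinks quickly as more hardware joins the search, while 128-bit keys remain out of reach of exhaustive search by a factor of 2^88.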
Looking Ahead
Security will be gaining even more attention over the next 12 months as companies continue to make their corporate data available via Intranets, the Internet, or yet another burgeoning market -- business-to-business commerce via Extranets. Depending on the nature of your company, the data you are putting up on the Web, and the damage an unwanted intruder could cause by accessing it, you are either ho-hum about the whole subject, extremely nervous, or out of the loop altogether. Wherever you are in your journey, I hope that this issue will be of help to you.
DBMS and Internet Systems (http://www.dbmsmag.com)
Copyright © 1997 Miller Freeman, Inc. ALL RIGHTS RESERVED
Redistribution without permission is prohibited.
Please send questions or comments to cparkes@mfi.com