Case Study: The company finds a security fix for its physics middleware that powers computer games.
Shooting at the water isn't a particularly smart use of ammunition in Electronic Arts' popular computer game, "Medal of Honor: Pacific Assault." Still, there's something downright beautiful about the way the water swells up, splashes and sloshes as bullets pierce the surface. Even the most disciplined players probably can't help but empty a clip or two into the swamp as they trudge along.
Behind those small touches (the sloshing water and waving palm fronds, not to mention the grenade explosions, bullets and crumpling enemy soldiers) lies sophisticated computer code that reproduces, in a virtual environment, the very same physics that govern the behavior of objects in the real world. And that is where Havok, of Dublin, Ireland, comes in.
The 7-year-old company is a leading provider of physics middleware for the gaming industry.
Havok's technology is used by virtually every major video game maker, including Electronic Arts Inc. (the maker of the "Madden NFL" football games), Microsoft Corp.'s Game Studios and Midway Games Inc.
All told, Havok's technology powers the movements of characters and objects in more than 150 games.
"We provide better, faster graphics, better game play. ... When the wind blows a chandelier that's swinging from the ceiling, does it happen smoothly, or is it jerky?" said Jeff Yates, director of product management at Havok.
Like many high-tech companies, however, Havok's fortunes rise or fall with the value of its intellectual property: the core algorithms and computer code that drive its physics engine and animation technology.
Other companies pay to use Havok's physics engine, rather than take the time and expense of developing and deploying their own. But if Havok's files were stolen or somehow leaked to the Internet, the company could soon find its physics engine available, at no cost, across the Internet.
The danger of not securing the company's sensitive data was made clear to Havok executives in October 2003, when game developer (and Havok customer) Valve Corp. revealed that the entire source code for its much-anticipated video game, Half-Life 2, had been snatched by hackers and published on the Internet, along with some elements of Havok's technology. The game had been slated to hit store shelves for the 2003 holiday season but wasn't released until November 2004, in part because of the theft.
"Valve woke people up to the potential risk of data theft," said Alistair Duff, Havok's director of IT.
For that reason, in the last year Havok began a program to secure its IP (and that of its customers) from theft or accidental loss using CoreGuard, an enterprise information protection system from Vormetric Inc., of Santa Clara, Calif.
Duff was tasked with finding a fix for the company's security concerns and given a "blank sheet" to find a technology that addressed Havok's concerns about IP theft and piracy, he said.
"Data theft presents a huge problem for the company," Duff said. "We have to prove to our customers that we can protect their data and our own data."
Consultations with different vendors about Havok's security needs produced proposals that were a witches' brew of security point solutions, Duff said.
"We had four prospects on the table, [most] of them ... involved installing five or six different products from different vendors on each client PC," Duff said.
Things began looking up when a systems integrator in San Francisco tipped off Havok to Vormetric and its technology. The two companies met in November 2004 and soon partnered on the effort.
Meanwhile, Colin Tankard, an independent security consultant at DCSR Ltd., a VAR and integrator based in Herts, England, had been brought in to help Havok evaluate its options.
Tankard, who has since joined Vormetric and now heads the company's sales and engineering operations in Europe, said that what initially seemed like a complex of problems facing Havok, including PC security and e-mail security, eventually boiled down to one issue: data security.
"We started off talking about PC security, standard encryption on file servers, IDSes [intrusion detection systems] and secure e-mail. But what we were talking about was ... protecting a file so that nobody could rip off a copy," Tankard said.
Tankard was able to show Havok how Vormetric's CoreGuard technology could be used to protect the company's IP, as well as that of its customers.
CoreGuard uses PEMs (policy enforcement modules) installed on selected host machines and a separate hardware appliance to encrypt stored data across file systems and databases, enforce access control, and log events, according to Vormetric.
The Security Server is a central management point and repository for data access policies and for the encryption keys used to secure the data, the company said. Havok began implementing CoreGuard in February.
CoreGuard can track all data access requests, including those from authorized systems and those that attempt to sidestep authorized access channels. The product can notify security administrators of attempted breaches in real time and captures details about the request that allow administrators to trace incidents back to specific applications and users, according to Vormetric.
So far, Havok has deployed CoreGuard for its customer support group, where support staff receives sensitive information from customers about games that are still in development.
"Havok is intimately built in with the development process. ... We work with game developers right up to the game release," said Yates.
Files received from Havok customers are placed in a file directory on the support machine that is protected by CoreGuard. Once the files are deposited, encryption and access policies are immediately applied.
The company's next goal is to deploy CoreGuard on Havok's development network and use it to protect the company's core assets: 50GB of computer source code and other IP stored in various databases on the company's network.
That job is more complicated and will take longer, however, said Tankard and Havok executives. To succeed, more and more complex access policies will have to be written to govern Havok's team of about 20 developers and its development environment, said Duff.
For example, CoreGuard enables customers to specify both who can access data and how they can access it. But development shops such as Havok are often a tangle of different applications, including IDEs (integrated development environments) with code editors, compilers and other third-party tools, Duff said.
"We have to be careful about how tightly we define our policy to control access to our data. If you want to tie down certain applications, and somebody introduces a new compiler to the development process, that application will be locked out until the policy changes," Duff said. "It's going to take a while to get every application that developers use and make sure the people who need to can access it."
Havok staff will also be watching to ensure that the CoreGuard client doesn't slow processing performance on development machines.
"So far, our experience has been positive enough. But developers are wary of anything that interferes with the speed of their machines; they'll disable AV [anti-virus software] if they can get away with it," Duff said.
Using CoreGuard gives Havok an extra layer of protection for its stored data and differentiates the company from other gaming middleware makers, said Yates.
However, it doesn't mean the company will be able to let down its guard on the network perimeter or jettison tried-and-true technologies such as anti-virus and firewall protection, not to mention the threat of lost or stolen laptops, Tankard said.
"This is part of an overall strategy companies have. It can't protect against good users going bad or someone hacking in because somebody has a weak password," he said. "This is just a piece of the corporate armor."
Case file
Customer: Havok
Location: Dublin, Ireland
Organizational snapshot: Founded in 1998, Havok is one of the world's leading developers of middleware technology for the computer gaming industry; the company has development operations in Ireland and customer support in both Ireland and San Francisco; the company stores valuable intellectual property for its graphical engine, as well as source code for its customers' computer games, many of which are still under development
Business need: Havok used PKI (public-key infrastructure) technology from PGP Corp., in Palo Alto, Calif., to protect sensitive data in transit and relied on network segmentation to keep outsiders from accessing machines used by developers; after hackers made off with the entire source code for Valve's much-awaited video game, Half-Life 2, in 2003, Havok decided it needed a better way to secure its IP both inside and outside the corporate network
Technology partner: Vormetric, of Santa Clara, Calif., and DCSR, a Herts, England, systems integrator
Recommended solution: Havok selected Vormetric and its CoreGuard data encryption product, with backing from DCSR; CoreGuard uses lightweight software agents, called PEMs, that are installed on development servers and desktops and a Security Server appliance cluster to enforce access policies for sensitive data; PEMs analyze the context of requests to access data as well as the integrity of the host machine and the applications running on it; the CoreGuard Security Server is used to centrally manage and audit host systems, store encryption keys used in the system, and create and manage data access policies
Lessons learned: Try to distill the problem you face as much as possible; Havok's initial conversations with DCSR brought up several challenges: securing e-mail (as well as data stored on PCs, mobile laptops and in transit), defending against cyber-attacks and determined hackers, and proving that sensitive Havok and customer data had not been compromised; there were security products that could address all those pain points, but that didn't guarantee that the products would work well together