Lock and Load

By Peter Coffee  |  Posted 2006-01-16 Print this article Print

Opinion: Integrated security should build on key ideas.

What would you say is the single most civilizing technology ever devised? You might think that as an active backpacker, Id unhesitatingly cast my vote for indoor plumbing—but when I get to the end of a seven-day trek and see the car that we parked at our exit point still sitting there, Im even more appreciative of the invention of the lock and key.

Thats why my hackles rise whenever someone who appears to be pretty smart—say, Google co-founder Larry Page—seems to be overlooking the lessons that locks can teach us.

Locks and keys are truly unsung heroes of simplicity and effectiveness. Can locks be picked? Yes, but you can choose to use a more elaborate type of lock thats more resistant to attack. Can keys be lost or stolen? Yes, but you can use combination locks if you want to reduce that risk. Can people abuse their possession of a key? Yes, but a trained professional can implement a surprisingly granular scheme of privileges using multiple master-key levels. Can locks be defeated by brute-force attacks? Yes, but stout materials and good design offer any buyer an appropriate balance of protection, convenience and cost.

These technical attributes are obvious; less so are the social effects of this simple invention. Whether were talking about critical infrastructures such as electrical substations or personal luxuries such as vacation homes, we would have to incur the expense of hiring armed guards to protect all manner of rarely visited facilities if we didnt have cheap, simple, reliable technology to do that job.

What, then, of Larry Page, and his comments in his heavily hyped but rather disappointing keynote at this months International Consumer Electronics Show in Las Vegas? "Why cant your Bluetooth cell phone start your car," Page asked, "since it already has a Bluetooth speakerphone ... instead of carrying your keys?"

Larry, allow me to show you the wireless key for my Toyota: If its coin-cell battery dies, I can plug the fob into a socket on the dashboard and start the car anyway. How do I unlock the door to get in if the wireless key isnt working? I use the mechanical key thats normally hidden in the fob but that I can extract and use to unlock the door in the conventional manner. Its a system, not a stupid tech trick.

And I retain the power to partition system access and to fine-tune user privileges: I can lend someone my phone without losing the ability to drive my car or lend someone my car without having to lend them my phone as well. Get it?

Im sorry if this seems incredibly obvious, but sometimes the obvious needs to be reintroduced. I suspect that our mental vision of technology, like the physical eye of a frog, simply stops noticing things that dont move. This makes it easy for us to overlook mature technologies that simply work—and forget why theyre effective.

IT departments in general seem to be reinventing established models of physical security, as they discover that digital protections such as firewalls and VPNs are ineffective against a crowbar and a Torx driver that combine to get an intruder into a server room—and out again with a box full of unencrypted hard disks.

Theres a powerful opportunity, though, in combining physical location awareness with network privilege management: "If Im not in the building and someone is logging in to the PC in my office, that probably is not me. If Im in my office and someone is trying to VPN into the network with my credentials, thats probably not me," said Peter Boriskin, director of product management for the Access Control and Video Systems unit of Tyco Fire & Security, when we spoke earlier this month.

Im not arguing with Larry Page about the opportunity for making more effective use of network and wireless technologies, especially those like Bluetooth that actually had security engineered into them up front. I am urging Page to talk with physical security professionals, such as the folks at Tyco, to build on—rather than gloss over—key principles of asset access and privilege management.

Technology Editor Peter Coffee can be reached at peter_coffee@ziffdavis.com.

Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel