Lock and Load

Opinion: Integrated security should build on key ideas.

What would you say is the single most civilizing technology ever devised? You might think that as an active backpacker, Id unhesitatingly cast my vote for indoor plumbing—but when I get to the end of a seven-day trek and see the car that we parked at our exit point still sitting there, Im even more appreciative of the invention of the lock and key.

Thats why my hackles rise whenever someone who appears to be pretty smart—say, Google co-founder Larry Page—seems to be overlooking the lessons that locks can teach us.

Locks and keys are truly unsung heroes of simplicity and effectiveness. Can locks be picked? Yes, but you can choose to use a more elaborate type of lock thats more resistant to attack. Can keys be lost or stolen? Yes, but you can use combination locks if you want to reduce that risk. Can people abuse their possession of a key? Yes, but a trained professional can implement a surprisingly granular scheme of privileges using multiple master-key levels. Can locks be defeated by brute-force attacks? Yes, but stout materials and good design offer any buyer an appropriate balance of protection, convenience and cost.

These technical attributes are obvious; less so are the social effects of this simple invention. Whether were talking about critical infrastructures such as electrical substations or personal luxuries such as vacation homes, we would have to incur the expense of hiring armed guards to protect all manner of rarely visited facilities if we didnt have cheap, simple, reliable technology to do that job.

What, then, of Larry Page, and his comments in his heavily hyped but rather disappointing keynote at this months International Consumer Electronics Show in Las Vegas? "Why cant your Bluetooth cell phone start your car," Page asked, "since it already has a Bluetooth speakerphone ... instead of carrying your keys?"

Larry, allow me to show you the wireless key for my Toyota: If its coin-cell battery dies, I can plug the fob into a socket on the dashboard and start the car anyway. How do I unlock the door to get in if the wireless key isnt working? I use the mechanical key thats normally hidden in the fob but that I can extract and use to unlock the door in the conventional manner. Its a system, not a stupid tech trick.

And I retain the power to partition system access and to fine-tune user privileges: I can lend someone my phone without losing the ability to drive my car or lend someone my car without having to lend them my phone as well. Get it?

Im sorry if this seems incredibly obvious, but sometimes the obvious needs to be reintroduced. I suspect that our mental vision of technology, like the physical eye of a frog, simply stops noticing things that dont move. This makes it easy for us to overlook mature technologies that simply work—and forget why theyre effective.

IT departments in general seem to be reinventing established models of physical security, as they discover that digital protections such as firewalls and VPNs are ineffective against a crowbar and a Torx driver that combine to get an intruder into a server room—and out again with a box full of unencrypted hard disks.

Theres a powerful opportunity, though, in combining physical location awareness with network privilege management: "If Im not in the building and someone is logging in to the PC in my office, that probably is not me. If Im in my office and someone is trying to VPN into the network with my credentials, thats probably not me," said Peter Boriskin, director of product management for the Access Control and Video Systems unit of Tyco Fire & Security, when we spoke earlier this month.

Im not arguing with Larry Page about the opportunity for making more effective use of network and wireless technologies, especially those like Bluetooth that actually had security engineered into them up front. I am urging Page to talk with physical security professionals, such as the folks at Tyco, to build on—rather than gloss over—key principles of asset access and privilege management.

Technology Editor Peter Coffee can be reached at peter_coffee@ziffdavis.com.