Security Roundtable - Page 7

Web's Challenges

Coffee: Things have been difficult enough when we've been able to draw a line around a group of facilities and say, "This is the environment." Now, as we move to a services paradigm, you won't really have the option of isolating yourself from the network and getting on with your work. It's like deciding not to breathe because there are contaminants in the atmosphere.
People have said that a firewall on your net is like a steel door on your front door, but if the UPS man gets let in to make a delivery and it turns out that what he was delivering had a bomb in it, your front door didn't really do you much good. We're going to have the electronic equivalent of the UPS guy, the pizza guy and every other technician in the world walking in the door and doing things for you as we move to a Web services mode.
Ed, as we talk about the Web being a vehicle for delivering services, what does that do to the security issues?

Glover: It makes it a lot more interesting and challenging for us. The thing with Web services is that we are definitely going to go into it, and hopefully we go into it in such a way where we take some small steps first and we really try to understand what our risks and our vulnerabilities and threats are, and to understand who we're working and dealing with in that area. I think that, from a security standpoint, people need to start looking at this at the beginning and not after the fact, and really understanding who their partners are. You might start off in the beginning working with a few partners, people that you already trust and people that you can work with to identify what the threats and vulnerabilities are together. I think this is going to take some time for people to work through this before they really feel comfortable going out, and security is one of the leading drivers in allowing Web services to really become mainstream.

Coffee: Brian, let me turn the question to you. Obviously, making .Net secure has to be regarded as an absolutely crucial starting point in getting the .Net paradigm established as the way people want to write their new applications. Where do you feel you are on that?

LaMacchia: As you commented earlier about the firewalls having limited protection, if you start letting lots of people through, we have to basically build in security in a number of levels. We build in security in an execution environment, in our case using the .Net Framework and the runtime; we have to build it into the protocols, too.
Today, if you're doing a Web services call, you end up doing that by doing channel-level security and running SSL or maybe doing some client/server authentication back and forth. That's why we're also putting a lot of effort into coming up with and participating with other companies in the security standards for XML Web services.
We start with being able to strongly authenticate XML messages that come out of our XML digital signature standard, which is about to come out of the IETF and W3C as a full standard. We also see that work in XML encryption, XML key management services. These are all fundamental pieces for how we're going to pass SOAP messages around that are going to be digitally signed and encrypted to provide security and authentication.
Once we have that, we can base strong authorization decisions off of it so that you know whether that UPS guy at your door really is a UPS deliveryman or is an imposter, and you can make appropriate trust decisions on that basis.

Trilling: With regard to your analogy about the firewall and the UPS guy, one of the things we've really seen is it's important for people to install what we call application or Layer 7 firewalls, which will actually inspect the content of the traffic, which is the equivalent of looking under the coat of the UPS guy to make sure he doesn't have a bomb.
In the past, organizations sort of thought, as you point out, "If I put a firewall or antivirus software around my perimeter, I'm done." Now people are opening up their networks not only to customers but to suppliers, to telecommuters and to all kinds of people.
It's not only about blocking everybody out, but letting just the right people in and having appropriate systems in place. That may include firewall and antivirus, as well as intrusion detection systems around your most critical systems to tell you when a break-in is place—a vulnerability assessment software that can proactively tell you where the holes in your system may be, where systems need to be patched in advance of an attack.
All of these are important and crucial decisions that people need to evaluate on the basis of the value that they're storing on their networks.