Can corporate spies steal their company’s secrets, or can malicious hackers destroy their databases? Companies know that the answer is yes if adequate, multilevel security is not in place.
The good news is that the Internet protocol known as the hypertext transfer protocol, or HTTP, already contains the basis for any good security system. Its secure mode (called HTTPS) uses a technology known as Secure Sockets Layer (SSL) to allow a client to verify the identity of the server that it is calling and to encrypt the information that the parties pass back and forth. When engaged, SSL replaces the “http” at the beginning of the address line on the browser with “https,” and displays a little lock in the bar at the bottom of the screen.
These signs show that the browser is using a set of keys—a public one and a private one—to perform both of its security tasks. As the names suggest, the server keeps its private key secret, but publishes the public key so all of its clients have access to it. To prove the authenticity of the server, the client retrieves the public key from a certificate that a known third party such as VeriSign (www.verisign.com), an Internet communications services company based in Mountain View, Calif., has validated with its own set of keys. The client can then use the server’s public key to validate that it indeed has arrived at the server’s Web site, rather than at a hacker’s. The client’s browser uses the public key to encrypt the exchanged information in such a way that only the server’s private key can decode it, and the server’s browser uses the private key to encrypt data in a way that only the public key can decode.
Another security layer
Once the client attaches to the server, another layer of security is necessary to prove its identity to the server. SSL allows for this second round of validations by giving the client a set of keys. One form of these keys is a login name and password. Another is code on a piece of hardware such as a smart card stored on the client’s computer.
This kind of mutual authentication is more common among business-to-business relationships because the burden of managing public certificates can be excessive when the number of users becomes large. “The security requirements of partner relationships justify the cost of acquiring and managing certificates,” says Dick Mackey, principal at SystemExperts Corp. (www.sysexp.com), a network-security consulting firm in Sudbury, Mass. “When you’re dealing with business partners, they can purchase the hardware or software that can protect the private key adequately. And there usually aren’t that many of them.”
Despite the advantages of SSL, Mackey and other experts recommend SSL as only the basis for a larger, multilayered approach to security. “You want multiple layers of security because you want multiple lines of defense against someone breaking through and trying to get all the way into your system to steal your data or cripple your computers,” explains Mitchell Ashley, chief technology officer, StillSecure (www.stillsecure.com), a security-software developer in Louisville, Colo.
One line of defense is to limit physical access to computers through difficult-to-decipher passwords for logging onto computers and, where appropriate, dedicated lines of communication. Other lines of defense include firewalls and software that limits access to data based upon each user’s level of security clearance. Yet another defense is a class of software that resembles virus checkers, except that it checks the network for known vulnerabilities to attack, rather than looking for viruses, trojans and worms. Users update the software much as they would their virus checkers.
James R. Koelsch is an Automation World Contributing Editor.