Making security less expensive

In a step toward helping developers around the world create security-enabled software products, Intel Corp. recently announced it will make its Common Data Security Architecture software available in May at no cost.

“We look at security as being one of the key issues surrounding broad adoption of e-commerce [both in] business to business and business to consumer,” said Doug Cooper, Canadian marketing manager for Intel Canada in Toronto.

“We really look at [making CDSA free] as an enabling effort on Intel’s part,” he added.

In addition, Intel is making the software available as open-source code.

This, in itself, addresses one of the fundamental components of security infrastructure, according to Martin Reynolds, a research fellow at DataQuest in San Jose, Calif. He said a big issue in security is knowing whether solutions are indeed secure. By making the source code open it is easier to closely scrutinize, find and solve potential security problems.

“You can look into [the application] and see what is going on, and you can identify that there aren’t problems buried in the code,” he said. “Open sourcing the software fundamentally makes it easier to make it secure.”

Reynolds also said open-source material has an added advantage, in that the more people viewing the code, the more likely problems will be identified and solutions presented.

A second key issue this offering helps to address, according to Reynolds, is the overall state and speed of security infrastructure awareness.

“Security is not going fast enough, and Intel recognizes that it is a key component of this e-commerce world, which they view as being their future.”

“If we can’t trust the systems we are not going to do e-commerce, so what [Intel] is trying to do is move us toward trusted systems,” he added.

Reynolds said this will help companies move towards structured systems more quickly and, by making the software free, Intel makes it less painful for developers to integrate it into any software system they might produce.

Cooper said Intel’s move to offer the software for free is not driven purely by altruism. Not surprisingly, there is also economic logic to its decision. He says Intel’s mission has changed for the first time in almost 15 years, mostly in recognition of the fact that the Internet is driving the computer industry whereas, in the past, price and performance were the motivators.

So rather than just focusing on technologies that are building blocks for the computer industry, “our focus is now on technologies that provide building blocks for the Internet economy,” he said. Cooper added that CDSA works with virtually any operating system.

With analysts predicting a billion Internet users spending a trillion dollars by 2003, Intel sees itself well positioned. “That growth is going to fuel the adoption of PC clients, which will clearly be part of our business,” he said.

The best definition of CDSA comes from The Open Group’s Web site, which describes it as a set of layered services and associated programming interfaces, providing an integrated but dynamic set of security services to applications. The lowest layers begin with components such as cryptographic algorithms and random numbers and build up to digital certificates and key management mechanisms.

“CDSA specifies a bunch of interfaces that code can use to provide security services, it doesn’t necessarily provide those security services,” Reynolds clarified. “So if I want to encrypt something, I can either encrypt it myself and write my own encryption code or I can say to CSDA, ‘encrypt this for me,’ and CDSA takes it and runs it through its standard format and passes it through an encryption module,” Reynolds said. He added that the encryption module might or might not be exportable, depending on its structure and the country in question.

Joey Roa, vice-president of technology for a Calgary-based payment processing company MoneyStream, sees the use of CDSA this way. “What CDSA really promises is that you can have this magical middleware or magical silver bullet that sits in your system.”

Roa added, “It is not so much that it aims to make a particular solution more secure but what it allows for is a more simplistic architecture to be employed.”

Roa said this is very important, especially for IT managers, because there is a lot of proprietary technology out there. “So if you want to integrate various platforms in your organization and bring them up to snuff from a security perspective, it is a huge cost,” he said. Unless you know and understand all of the technology, you will either have to bring in consultants or spend money on training, he said.

Though the software is aimed at developers, Roa also sees others using it,

“I think you will see the larger organizations start to embrace it, especially those that have a lot of legacy systems,” he said. He cited banks as an example since many of them have a wide variety of boxes including Unix, Linux and NT.

Recent changes in American encryption regulations now allow for open-source security software to be freely exported, thus helping to create a worldwide technical support network for Intel software. There are still more than a half dozen countries on the banned list which, at least theoretically, can not access the software.

The Windows version will be available in May, while the 64-bit and 32-bit Linux versions will be available in August. At this time the software can be downloaded from Intel’s Web site at