The information security crowd has a serious problem. These folks think that what they’re doing to safeguard data still works. Sure, they did good work keeping secrets and ensuring data availability and integrity when most computing was mainframe-based as well as during the client/server boom of the ’90s. And they even made electronic data interchange safe.
But in the age of Java and .Net, where most business-to-business data will be represented in XML, things are very different.
Yes, virtual private networks (VPN) and end-to-end encryption using public-key infrastructure technology can keep data confidential while it’s in transit. Protecting data at the network level is fine, until someone hacks into your system and goes fishing for it. But the real vulnerability is XML itself.
The trouble with XML is that it explains far too much about the data that’s represented in it. The tags that define the structure of a document and describe what each individual data element is also make it dead easy to locate sensitive data, such as credit card and transaction information. This is simultaneously the basis of XML’s power and its greatest weakness.
The metadata of the tags simplifies programming and facilitates interoperability. But it also helps point out to interlopers whether inside or outside the organization where the important stuff is. Using XML for sensitive or mission-critical traffic is like painting a target on the data. Not only is the data exposed and wide open, but it also calls attention to itself.
Application programmers know this. System designers know this. And if they think about it, IT managers, too, realize the vulnerability. But according to Weston Swenson, president of Wellesley, Mass.-based Forum Systems Inc. ( http://www.forumsys.com), the IT security establishment seems to think that using Secure Sockets Layer encryption or a VPN to protect data being transmitted is all they need to do. If that’s what they think, then they’re a few years behind the curve, says Swenson, whose company’s product addresses XML security directly. Forum’s product seems like a good answer to a question IT managers and CIOs should be asking themselves.
Forum’s Sentry Server Appliance is an encryption engine targeted directly at XML data going to or from an application. It takes a data stream and selectively encrypts specific data, and even data tags, so it can hide the data description. Someone who’s looking for credit card tags using a search string <cre, for example won't find them if the tags themselves have been encrypted. All that appears is , which could be anything. And multiple cyphertags need not, of course, all represent the same data type.
The product is quite simple: It’s basically a Linux box with Forum’s proprietary software. Using the built-in workbench, you can examine the XML structure of a typical transaction and set encryption policy for whichever data elements and tags you wish. The encryption uses Triple Data Encryption Standard, with RSA for key management, so that’s not a weak point. Because the product encrypts only what you tell it to, it can process data very quickly.
And there’s more. The box can digitally sign data, ensure nonrepudiation and issue certificates. Since it’s a dedicated device that handles just a character stream as both input and output, it really doesn’t care what kind of hardware, software or operating system the rest of your systems use.
Raising Awareness
I worked in the computer security industry for a dozen years, during a time when the major problems involved neither secrecy nor availability. The trouble spots were awareness (getting users to recognize the need for security) and integrity (making sure data wasn’t corrupted, usually because of errors and omissions).
Security awareness today is higher than it’s ever been, and we’ve got lots more tools to ensure data integrity and protect against viruses. We have industrial-strength encryption that’s almost certainly unbreakable for at least the next decade.
But the very strength of our encryption capabilities can mislead us into a very false sense of security. Yes, we have the ability to encrypt our data so it’s unreadable. But do we actually do it? And do we encrypt the right stuff at the right time?
We expend a lot of effort to protect data so we can communicate it easily and cheaply over the Internet. But once it arrives at its destination, it’s decrypted and stored in our databases, and the only remaining security is whatever firewalls and authentication systems are in place. And we know that those can be and are being hacked every day.
XML is one of the most powerful ideas to engage modern e-commerce. Let’s make sure it works for good.
