Bug Watch: Safety in electronic security

This week, Vanessa Chandrasekaran, of Indicii Salus, looks at the pounding that electronic security has taken in the media recently, and explains how server-centric technology is providing light at the end of the tunnel for the security industry.

Electronic security is rarely out of the news agenda at any time, but the last month has witnessed a steep increase in media coverage. On a basic level, any public exposure could be seen as good news if it highlights the importance of electronic security to businesses and consumers. However, recent coverage belies the old adage that 'any publicity is good publicity'.

It started with disturbing reports that the hijackers responsible for the atrocities in New York may have used encryption software to co-ordinate their attacks online. The result is that the US authorities are now calling for ultra-tough restrictions on encryption laws.

This was followed by the release of the film Enigma, the story of Bletchley Park's top-secret code-breaking heroics during the Second World War. Added to indifferent reviews, it transpired that the Enigma machine, which disappeared on April Fool's day last year, had been stolen to humiliate the director of Bletchley Park as part of an internal power struggle.

Finally, question marks emerged over the long-term future of PKI (Public Key Infrastructure), the robust framework that provides a reliable environment to secure internet transactions over public networks. At the Information Security Solutions Europe conference in London, the major topic of discussion was how to rebrand PKI following concerns that it had failed to fulfil its full potential.

What can we learn from all this negative publicity? Is electronic security simply too difficult to implement? Conversely, is encryption technology too powerful and therefore too dangerous to leave in public hands? If securing electronic communication is so fraught with obstacles, surely that throws the long-term viability of the whole medium into doubt.

The fact of the matter is that electronic communication is at the heart of interaction for billions of people worldwide. Securing electronic information exchange is not optional; it's essential. The good news is that a blend of new technology and added responsibility from the vendor community can go a long way to resolving the issues outlined earlier.

Most reassuringly, the main problems surrounding PKI don't concern the solidity of the technology itself. The problems instead lie mainly with deployment. Today's PKI technology has a client-centric architecture, which means it needs to be installed on each individual device that has to be secured.

This approach is extremely time-consuming, expensive and inflexible (the IT manager has to re-engineer the PKI technology every time a user moves PC, for example). To use PKI effectively involves either dedicating internal IT resources to its installation and maintenance or employing costly external systems integrators.

Device-centric PKI is equally unfriendly for the consumer. For electronic commerce to take off, consumers need to be confident that security is seamlessly taken care of and device-independent. This is virtually impossible when current PKI solutions need to be installed on each device that a consumer uses: be it a PC, PDA, TV or mobile phone.

Instead of instinctive, instant transactions, consumers are forced to worry more about whether the device they're using is secured, not whether their credit really runs that far!

From the perspective of both deployment and applications, the future for PKI, and therefore electronic security, actually looks quite bright. The key is a complete overhaul of the way in which PKI is provisioned, and a move from a device-centric to a server-centric approach.

The server-centric model makes realising the benefits of PKI easy for IT staff and inexpensive for their finance directors. It is also intrinsically more secure than holding security details on devices, exposing them to theft and hacking. Server-centric PKI concentrates risk in one central location - typically a data centre - that maintains the highest standards in physical and electronic security.

For consumers, server-centric PKI makes total, seamless security a reality for the first time. Any device can be secured from a central point on the network as long as it has an internet address. This gives users the freedom and flexibility to interact and transact online, however and whenever they want, in the knowledge that their security is assured.

New applications for electronic security are not just confined to corporates and are breaking into the general consumer environment. Examples range from secure banking and stock trading services to gaming applications, such as online lottery transactions.

With PKI now well established and a server-centric architecture in place to make it more accessible, the security industry has woken up to the need for a rich range of applications to fulfil the potential of its technology.

Electronic security may have been going through a difficult period, but the future from both a technical and applications perspective is rosy. The bottom line is that electronic communication is now a fundamental, irreversible part of our business and private lives. An easy-to-use, inexpensive means of securing sensitive electronic communications is therefore vital.