The Security of Your Data Is at Risk
Alex Clarke, Aston Science Park, Photonics Cluster (UK)
The growth of the Internet’s reach and capabilities, accompanied by the rapid deployment of largely insecure wireless technology, has expanded the amount of processor power that can be subverted and governed by powerful networks of cyber criminal groups. The problems span all of the sectors that photonics research and development is enabling.
Nearly every person, business or organization has embraced IT (information technology) in some form, whether a simple LAN (local area network) using portable devices for personal flexibility or WAN (wide area network), for central office communications to multiple branch offices.
As the system criss-crossing the globe reaches ever farther, fibre expands throughput capability toward the business premises, the technological march continues to add flexibility (wireless is one example), and payload-intensive new services are expected to increase the risk of exposure to our data, our intellectual property, our medical records, our educational and career paths, our business information and our commercial transactions.
New threat, old technology
If you take a long look at current defences, the world of e-commerce – industry and finance – is trying to fend off 21st-century threats with 20th-century technol-ogy and fixed ideas. If this situation continues, it will limit the information defence capability of the commercial community.
FTTX, or fibre to the “X,” is the suggested route to bring fibre capability to everyone, including the home subscriber, expanding beyond FTTP, or fibre to the premises, and creating a string of active and passive optical networks (AONs and PONs). The leap in payload capability suggests that a range of new services will be routed through the network, carrying yet more valuable data and suggesting that we should begin thinking responsibly about its safety.
Much talk in the media is of “personal identity” and what it means to individual data that may be acquired and used for illicit purposes. Few discuss the wider implications of “corporate identity” and of massive reductions in public confidence when, on occasion, the press gets a scoop exposing larger institutional carelessness toward vital and up-to-date information. This was cited in press reports on TJX Companies Inc.’s TJ Maxx, for example, where, in 2007, 45 million accounts were stolen. There also have been public sector data disks that have been mislaid, lost or stolen; public and private keys that have been left open; log-in details that have been shared; etc.
If someone were to gain enough information to make transactions using my personal details for illicit purposes, they could leverage only as far as my personal limitations allow, which would not be a great achievement for a highly organized network of criminals. Thus, I would hardly be much of a prize.
However, taking this to another level, if I were the managing director of a company with 200 employees, a £4 million-per-month payroll, and a business community that carries intellectual property belonging to the company’s research and development departments as well as IP relating to signed NDAs (nondisclosure agreements) belonging to our customers/tech-nology partners, I would be in real trouble if the criminals gained enough information to intrude on the network, access our servers and make transactions as if they were my company.
There also are other knock-on effects that generally don’t get a mention.
NDAs may be in breach if it is deemed that the organization in question did not have adequate protection in place. The scope of opportunity will become greater as the limitations lessen, enhancing the advantages to criminal networks. I therefore predict a time when SMEs will have to operate to a formal security standard to provide confidence to their customers and partners.
Few safeguards
How many SME and large enterprises shred their failed or old hard drives when equipment is upgraded? How many actually have instituted a digital security policy? My guess to both of these questions? Precious few.
As we map out the next generation of threats, several possible futures are beginning to concern us.
To what level would public confidence sink in relation to the way bulk transaction and account information are handled if 200 million bank accounts, 34 million e-banking accounts or 26 million digital patient records were compromised or if a digital bomb were thrown at the stock market?
My studies on this subject reveal that the e-criminal network is as good as current technology.
Public and private keys are falling over, as are enterprise class firewalls; the Internet (DNS) itself is threatened; user names and passwords are relatively easy defences to break down; and, of course, there is the threat from staff carelessness in leaving laptops on trains or in losing important disks.
In fact, there are two fronts on which this battle should be fought. I do know that the next generation of security technology – which is photonics – is now close to market, and that the development should secure our transmitted data for the next three to four decades. This will punch quite a timescale for the e-criminal to catch up. I must note that there is no permanent cure for these problems, as every countermeasure really only buys time. How much time is purchased will be proportional to strength and resilience against e-criminal capability. Leaving the fight to technology alone and sitting comfortably back in our chairs is no defence at all.
Photonic data security technology can provide an evolution in scale as well as security. This fits the modelling very well – if we intend to cram more services and to transmit more precious information about ourselves, our finances and businesses online through the additional flexibilities we want from the network.
Training to combat the carelessness is another front. Businesses, especially those in technology R&D and people outside the IT community, must be aware of what they can do to reverse the trend of data leakage. Build a digital security policy and maintain it.
We lock our homes but allow our crown jewels to be transmitted beyond the confines of our business and personal lives. Our community of engineers, designers and data security specialists is attempting to couple these two fronts of battle, which should aid the adoption of the next generation of security technology and rebuild the necessary defences.
Contact: Alex Clarke, Photonics Cluster (UK), Aston Science Park, Birmingham; tel.: +44 121 260 6000; e-mail: [email protected].