ENCRYPTION TECHNOLOGY
The New Business Environment

By Jasper Rose

Government and business leaders must come to terms with the implications of the War on Terrorism and the cataclysmic events of 2001.  People are worried by the terrorist threats directed at air travel and paper-based mail leading to a definite movement for less face-to-face meetings and less reliance on traditional mail. Insurance premiums are rising steeply, thereby forcing organizations to consider distributed operations. The outcome is a change in the way we conduct business and far greater use and dependence on electronic communications and networks.

As organizations move more of their business processes onto these networks to create new and viable business opportunities or improve efficiency, they are realizing the implication, that rather than having one security perimeter to protect, there will be many perimeters with many interconnections. Such connections are vulnerable to attacks and steps must be taken to minimize the threat to information during transmission based on a combination of business needs and network risks.

For years hackers have been breaking into computer networks. Once we could talk about the hacker ethic, which said something like, “Information should be free to all; you can look and explore but don’t touch.” Now, however, we are seeing an altogether more dangerous phenomenon, the politically motivated hacker or cyber-terrorist. There is a growing trend for hacker groups to encourage attacks, as a protest against human rights abuses, lifestyle choices, environmental issues, or political issues. It is clear that businesses need to adopt a more diligent approach to network-based attacks on their critical operations and information. Universal connectivity, coupled with the reliance on commercial products and service providers, has eliminated the possibility of absolute protection.

There are solutions that deliver acceptable security, without exchanging one set of risks for another that is equally threatening. The answer is defense in depth; using multi-layer firewalls to keep the terrorists out, authentication to validate users, intrusion detection and virus protection to discover the attacks that beat the firewalls, and encryption to protect data. Make no mistake, when connecting two secured sites with an unencrypted communications connection, you lose control of the information. Of the choices above, only

However, encryption per se is no silver bullet. Certainly the right encryption must be implemented, but it must also be managed securely. Without secure management even the best encryption can be defeated; it will not keep a skilled attacker at bay. The encryption and the secure management must be totally reliable and must have little or no impact on network performance. There remains the question of what form of networks should be used. Should an organization rely on the Internet and lP security, such as that afforded by the Internet Protocol Security (IPSec) standard, or are there other solutions? Of course IPSec is an answer when an organization is faced with dynamic relationships or low cost connections with customers or partners. But what about those business-critical connections that carry the bulk of the corporate information, is there a better solution? Absolutely.

More organizations are realizing that private networks are much harder to attack than those relying on the Internet and few private networks are attacked successfully. The switched structure of private networks based on frame relay, Asynchronous Transfer Mode (ATM) and point-to-point lines make them difficult to access. All the high profile hacker attacks involve the Internet. For business-critical connections, a private network is more reliable and by far the most secure option, and recent price developments have meant that there is little, if any, difference in the cost of operating such networks. Guaranteed Quality of Service means networks relying on technologies such as ATM and frame relay have an advantage, but even private networks such as these must be secured using encryption, because you do not know who can access the fibers, cable or satellites carrying the information.

Business and government leaders are facing a period of great uncertainty where it is clear that the level of threats will not be reduced in the foreseeable future. There will be greater reliance on electronic communications networks carrying data, voice and video traffic, which in turn will face greater threats from cyber-terrorists and cyber-criminals and providing a defense in depth approach to security will greatly contribute to the overall security of your business. But, in the end, encryption, the tool for secure information transmission for electronic communications, will play an ever-increasing role in making today’s world a safer place to do business.