Lenovo ThinkCentre M50 IDC white paper titled "The Coming of Age of Clien - Page 7



©2003 IDC #3577 7
Companies are subject not only to fraud and the direct loss of assets but also to the value of lost business. When their services are denied by a deliberate overload of bogus requests, they lose the value of the potential business that would have been transacted during the period of denial. Another less tangible but perhaps ultimately more disastrous effect of such attacks is damage to reputation. The harm can be irreparable. Public confidence in a company may be shaken beyond repair by a particularly malicious attack or series of attacks. For electronic commerce to function, customers and partners need to be able to trust the ebusiness process.

And security requirements will only rise as companies turn increasingly to ebusiness. Although the encryption technologies today are sufficient to guarantee complete confidence and, mathematically, a user can have perfect assurance that a message is unique and really did come from the person who says he or she sent it, in order for the system to be a trustworthy enough medium in which to do business, the infrastructure must be whole. Given that most companies' security focus is on network servers, routers, and firewalls, it may be that the client node is the overlooked weak link in the security chain, but it is by no means the only possible point of penetration. Breaches can be internal or external. Often, depredations come from the employees themselves. Employees must be protected from each other so that all intranet users trust the system. And corporations must be shielded from external threats, hostile outsiders who may enter the castle from the Internet via the many connections most firms maintain to communicate with the outside world. For both internal and external transactions, users must be able to trust and be trusted.

SECURITY TECHNOLOGY: FROM GLOBAL TO LOCAL

Public key encryption and its associated infrastructure address the issue of trust at the global level. Of the many elements that make up a total security solution, however, PKI is the most dependent on completeness; that is, any two parties participating in secure transactions must both agree to rely on a third party, a trusted authority, sometimes called a certificate authority.

It is because of the complexity of implementing the PKI infrastructure that companies have recently turned to less ambitious tasks with respect to guaranteeing security at the client node. Encryption similar to that used to pass keys back and forth over a network between participants in a PKI scheme can be used to perform far simpler - but no less important - jobs at the local level. For example, without having to resort to the network at all, a PC client can provide its user with securely encrypted folders, the contents of which would look like gibberish to any hacker who managed to open them. Using one or more authentication techniques (e.g., some combination of biometric access control, proximity badge, and password), only the legitimate owner of the locked-away files can open them as readable data. This same type of authentication can be pressed into service to authorize the client node's user to the network and all the corporate resources it contains.
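The locally encrypted folder described above, as an added example that is not part of the IDC paper or any Lenovo product: a file key is derived from two factors (a password and a badge token, both constructed sample values) and the data is protected with encrypt-then-MAC, so a wrong factor or an altered file is rejected before any clear text is produced. It uses HMAC-SHA256 in counter mode as the keystream so that it runs on the Python standard library alone; a deployed product would use a vetted cipher such as AES-GCM, and the unlock flow here is an assumed design.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # slows offline guessing against a copied folder

def derive_keys(password: str, badge_token: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch both factors into one 64-byte secret; half encrypts, half authenticates.
    Neither the password nor the badge alone can reproduce either key."""
    material = password.encode("utf-8") + b"\x00" + badge_token
    okm = hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS, dklen=64)
    return okm[:32], okm[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real block cipher mode."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def lock_file(plaintext: bytes, password: str, badge_token: bytes) -> bytes:
    """Produce salt || nonce || ciphertext || tag, with fresh randomness per file."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, badge_token, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag

def unlock_file(blob: bytes, password: str, badge_token: bytes) -> Optional[bytes]:
    """Return the clear text, or None when a factor is wrong or the file was altered.
    The tag is verified (constant-time) before decrypting, so bad data never reaches the user."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, badge_token, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))

if __name__ == "__main__":
    # Constructed sample: a password plus the serial read from a proximity badge.
    locked = lock_file(b"Q3 forecast: constructed sample", "correct horse", b"BADGE-0042")
    print(unlock_file(locked, "correct horse", b"BADGE-0042"))  # clear text
    print(unlock_file(locked, "correct horse", b"BADGE-0043"))  # None: badge missing
```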
THE EVOLUTION OF SECURITY TECHNOLOGY

Security has come a long way since the need for it was first perceived. The development of security technology has followed both the leapfrog-like need to stay ahead of the competition and the availability of the means to do it.

The essence of encryption is the systematic altering of text or other data by mathematical transformations (algorithms), processes that are inherently abstract (i.e., they can be embodied in either software or hardware). Also critical to the success of any security scheme is a set of procedures for handling both the original (clear) and transformed (encrypted) text. In this area, some sets of procedures are distinctly better than others, as we shall see.