Security Niches Filled as Public Security Lapses Mount
by Alex Woodie
Maybe Paris Hilton's first go-round in a public display of her private assets was a shrewd PR stunt, but the second certainly was not. A hacker posted the contents of her cell phone's address book on the Internet after gaining access to her account on a T-Mobile server. Records of a prominent Bank of America customer--Uncle Sam--are also out there, somewhere, after a "small number" of unencrypted backup tapes were lost. New products from GST and Original Software can help protect companies during such security nightmares.
The public admissions of security failures by T-Mobile and Bank of America last month put the spotlight on the importance of protecting data residing on servers. (For what it's worth, T-Mobile stressed good cell phone security practices to its customers, even though it appears that it was its own server that was initially compromised in the Hilton hack.)
While the IT community has been saying for years that there was a need for better security, it's quite rare to have two such high-profile security breakdowns occur so closely to one another. Usually, companies try to keep such glaring lapses to themselves, and with good reasons: they highlight their security weaknesses and they make them look incompetent and unworthy of the public trust.
Undoubtedly, T-Mobile and Bank of America have substantial security policies in place. BofA, one of the largest banks in the world and a large OS/400 shop, has to follow myriad security rules laid out by banking regulators in the United States and abroad. Similarly, as a large, publicly owned provider of cell phones and services, T-Mobile must abide by numerous security laws mandating the protection of their customers' data.
Obviously, those policies didn't go far enough. Or if they did, the policies were not followed in practice. Either way, they're serious breaches that companies like yours can learn from.
Establish Strong Security Policies!
According to a Wired news story from last week, T-Mobile's big mistake was a failure to apply a patch to fix a "high severity" vulnerability in its BEA WebLogic server application, even though the patch had been around for well over a year. The vulnerability had already led to one high-profile hack into T-Mobile's server, in which the hacker built his own interface to T-Mobile's database, and took his sweet time stealing e-mail, social security numbers, and other personal information from multiple victims, including a Secret Service agent.
This is just the sort of thing that keeps system administrators awake at night. Protecting customer records should be a top priority for every IT organization. If an administrator can't keep up with the patches issued by their hardware and software vendors, they should either be fired and replaced with somebody who can, or this vital function should be outsourced to any number of outfits that make it their business to stay on top of the weekly vulnerability-patch cycle, especially when it comes to Windows.
Outsourcing security to managed security service providers (MSSPs) is becoming more popular, but that's not to say security is something that should be outsourced entirely. Every company should have a good security policy in place as the foundation for all security decisions. Having administrators who know what they're doing is also crucial, as is surrounding the data and access points with security products and technologies that add separate and incremental layers of protection.
Scramble That Data!
Original Software Group launched a new security tool last week that can provide another incremental layer of security protection for OS/400 shops. The product, called Extractor Compliance Edition module, does one thing: It scrambles the data used for testing new OS/400 applications.
Original, an English firm that specialises in developing OS/400 testing software, recognized that using live customer data for regression testing is a double-edged sword. On one hand, an exact copy of customer data provides the best simulation of how a new application will behave once it's released into production. On the other hand, sensitive customer records must be afforded some level of protection when organizations take them off the server and put them into the hands of software testers, especially in light of new laws mandating certain levels of IT security in the United States, Great Britain, and Canada.
Original developed Extractor Compliance Edition after several customers asked for a way to scramble live data for use in testing, said Gus Kenyon, Original's director of marketing. "The way live data is formatted, and the amount of it that is readily available, is very meaningful to the testing process," he said. "These customers wanted to protect the sensitive nature of this data."
Compliance Edition scrambles data to an extent that it's rendered meaningless and can't be reconstructed. However, it does not interfere with database structures, and retains database features like referential integrity, which is important for accurately testing applications. The software is a modified version of Original's Extractor for iSeries tool, and is an extra-cost option for users of Original's TestBench suite; pricing was not provided.
If a company that used Extractor Compliance Edition were to outsource part of its application testing, the company could be confident that--no matter how good or bad the outsourcer's security policy and practice is (think T-Mobile)--there would be no way for the outsourcing provider (or anybody that hacked its systems) to access the customers' records, such as Paris Hilton's address book.
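One way to get the two properties described above (values that cannot be reconstructed, yet keys that still line up across tables) is keyed, deterministic pseudonymization. This is an added illustration, not Original's code; the tables, field names and demo key are constructed, and the secret would stay in production rather than travel with the test copy.

```python
import hashlib
import hmac

# Constructed sample tables standing in for live customer data (not real records).
CUSTOMERS = [
    {"cust_id": 1001, "name": "Alice Example", "ssn": "123-45-6789"},
    {"cust_id": 1002, "name": "Bob Sample", "ssn": "987-65-4321"},
]
ORDERS = [
    {"order_id": 1, "cust_id": 1001, "amount": 42.50},
    {"order_id": 2, "cust_id": 1002, "amount": 99.99},
    {"order_id": 3, "cust_id": 1001, "amount": 5.00},
]
# Constructed demo secret; keeping it in production and out of the test copy
# is what makes the scrambling one-way for whoever holds the test data.
KEY = b"constructed-demo-key"

def keyed_digits(key: bytes, field: str, value, ndigits: int) -> str:
    """Deterministic, irreversible replacement: HMAC-SHA256 reduced to a fixed
    number of digits. Same input -> same output, so foreign keys stay consistent
    across tables; without the secret the original value cannot be recovered."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** ndigits).zfill(ndigits)

def scramble(key: bytes, customers: list, orders: list):
    """Mask both tables; cust_id is masked identically in each so joins still work,
    and the SSN keeps its ddd-dd-dddd shape so the test data still looks real."""
    masked_customers = []
    for c in customers:
        d = keyed_digits(key, "ssn", c["ssn"], 9)
        masked_customers.append({
            "cust_id": int(keyed_digits(key, "cust_id", c["cust_id"], 6)),
            "name": "CUST" + keyed_digits(key, "name", c["name"], 6),
            "ssn": f"{d[:3]}-{d[3:5]}-{d[5:]}",
        })
    masked_orders = [
        {**o, "cust_id": int(keyed_digits(key, "cust_id", o["cust_id"], 6))}
        for o in orders
    ]
    return masked_customers, masked_orders

def orphan_orders(customers: list, orders: list) -> list:
    """Orders whose cust_id matches no customer; empty means referential integrity held."""
    known = {c["cust_id"] for c in customers}
    return [o for o in orders if o["cust_id"] not in known]
```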
Encrypt Those Tapes!
Bank of America's embarrassing revelation that it lost a "small number" of unencrypted backup tapes as they were being sent by airliner to a secure, offsite location, provided the perfect backdrop for an announcement that GST is expected to make today.
GST is releasing SafeDATA, a new appliance that encrypts data as it is sent to backup tapes. The SafeDATA appliance is operating system agnostic, works with any IBM eServer, and is the only appliance of its kind in the iSeries market, said David Breisacher, founder and CEO of GST.
SafeDATA is a self-contained appliance that is set up inline between a server and a tape drive. During a backup, it compresses and encrypts the data before it's sent to the tape drive, and, conversely, performs decryption and then decompression during a recovery from tape. The appliance comes with its own GST-developed GUI, called Paranoia, which provides encryption key management. The units use the AES encryption standard.
GST says SafeDATA throughput ranges up to 80 MB per second native (up to 160 MB per second with compression turned on), allowing it to keep up with today's high-speed tape drives, such as LTO 3, SAIT, and SDLT. Since encrypted data is not compressible, this speed cannot be boosted by additional compression performed by the tape drive itself. The devices are available in LVD and HVD SCSI and Fibre Channel models that range from $17,250 to $23,550.
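The ordering described above (compress, then encrypt on the way to tape; decrypt, then decompress on the way back) and the reason the tape drive's own compression cannot help afterwards can be shown with a few dozen lines. This is an added example, not GST's code: the backup stream, key and nonce are constructed, and an HMAC-SHA256 counter-mode keystream stands in for AES because Python's standard library ships no AES (the property that matters here, pseudo-random ciphertext, is the same).

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for a backup stream: repetitive, like a typical save file,
# so it compresses well. The key and nonce are demo values, not real secrets.
SAMPLE_BACKUP = b"ACCT=0001234567;OWNER=US-TREASURY;BAL=000000100.00\n" * 400
DEMO_KEY = b"constructed-demo-key"
DEMO_NONCE = b"\x00" * 8

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; a stream cipher is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

decrypt = encrypt

def to_tape(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Inline path towards the drive: compress first, then encrypt."""
    return encrypt(key, nonce, zlib.compress(data, 9))

def from_tape(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Recovery path: decrypt first, then decompress."""
    return zlib.decompress(decrypt(key, nonce, blob))

def sizes(key: bytes, nonce: bytes, data: bytes) -> dict:
    """Byte counts for both orderings: compressing ciphertext (what a tape drive's
    hardware compression would be doing after an inline encryptor) gains nothing."""
    return {
        "raw": len(data),
        "compress_then_encrypt": len(to_tape(key, nonce, data)),
        "encrypt_then_compress": len(zlib.compress(encrypt(key, nonce, data), 9)),
    }
```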
GST is positioning SafeDATA as a way to ensure the integrity of tapes sent to disaster recovery sites, where tapes from many other companies gather, and where mix-ups are more likely to occur. While there are software encryption packages available for OS/400, encryption can be a very processor-intensive activity, and offloading it to a dedicated device like SafeDATA can free up an OS/400 server for other workloads, Breisacher said.
Had Bank of America used a SafeDATA appliance when performing its backups, it wouldn't have mattered if BofA lost its tapes (or they were stolen by airline baggage handlers, as some suspect), because the data would be unintelligible to any third party viewing it. The uninvited viewer would have needed the decryption key, kept on the server or in another secure location, to examine the data.
But BofA didn't use SafeDATA, or apply encryption to its backups some other way, and as a result, information about the bank accounts of about 1.2 million federal workers and more than 60 senators has been compromised, putting them at risk of identity theft.
For the record, Bank of America said there is no indication of any misuse of the accounts. Unfortunately, the same can't be said of Ms. Hilton.