Intel® Software Network - Wireless Security Demands More than T... http://www.intel.com/cd/ids/developer/asmo-na/eng/61289.htm?

prn=Y

Introduction

By Chris S. Thomas, George Moakley, Regina Lynn Preciado, and Matt Gillespie

Perpetual tension exists between new functionality and the security required to support it. This tension is
manifest in the challenge to fully implement wireless technology while not compromising the data on the
client device or the rest of its home network.

This article is the first installment of a two-part series in which Intel® Developer Services solicits opinions
from two veterans in their respective roles at Intel to weigh in on topics of note. The other article in the
series provides a similar treatment of the topic of manageability in wireless environments.

Intel Chief Strategist Chris S. Thomas is considered one of Intel's visionaries, charting future directions for
industry and computing. George Moakley is Director of Enterprise Architecture at Intel and is the lead
architect for Intel’s e-Business Solutions Lab. Their different business roles shape and inform their
discussions, which together form a whole that is more than the sum of its considerable parts.

Chris S. Thomas on Reversing the Philosophy

of Security

The first part of this article presents the strategic and philosophical point of view held by Chris S. Thomas
toward addressing the security challenges presented by widespread deployment of wireless technology.

As Thomas has intimated in his previous columns, a huge change in how we do business and how we
architect is upon us. Emerging business models based on what George Moakley calls “active mobility” – the
ability to stay connected while moving from hotspot to hotspot and protocol to protocol – are inspiring us to
re-think the way we conceptualize and realize security.

Thomas sees three major shifts happening:

Moving to a “security provider” model

Segmentation replacing end-to-end security
An architectural, rather than technological, approach to security

1 of 7 1/28/06 2:09 PM
Intel® Software Network - Wireless Security Demands More than T... http://www.intel.com/cd/ids/developer/asmo-na/eng/61289.htm?prn=Y

Home Base: Security as a Service

We are moving toward a sign-on philosophy in which users sign on to one location – a security provider –
through which they connect to everything else. This connection might become a permanent VPN or
fixed-line connection between user and service provider. For example, if AT&T is my security provider, and I
need to connect to Intel, I would sign on to my AT&T account. From there, AT&T* would connect to the
corporate LAN. That connection would always be the same. I always return to my “home base” (AT&T) to get
to my communication path.

Unlike technologies like Passport*, the security provider model simply provides you with access. Passport
assumes a play in the content; for example, it provides a wallet for brokering money. You register to do what
you want to do.

In a security-provider relationship, users register their devices with the provider. You no longer have to
negotiate between end points, just the one connection with the provider. Your security provider then
connects you to other systems.

In this kind of arrangement, corporate IT does not have to worry about users logging on to the network
where they might gain access to sensitive information. Malefactors have a much harder time sneaking
through with viruses or denial of service attacks. Working offline and synching through intermediaries
significantly reduces the number of problems for IT by eliminating the log on.

The asynchronous model is unlikely to reduce performance. Even when you are online in a synchronous
mode, there is a delay (network latency), whether you measure it in milliseconds, seconds, minutes, or
hours. And synchronous is really asynchronous when you are hitting routers in between. It is not an issue of
whether synchronous will go faster; rather, it is a matter of architecture.

Security Segmentation: Trusted Relationships

Do Not Log On

Trusted relationships do not log on. They do not initiate processes. They do not even enter into the
environment. A trusted business relationship is a messaging relationship with clear boundaries.

Here is what I mean by this:

1. I do not want to create a door in my environment for you to come in.

2. I do not want to have user IDs and passwords.
3. I do not want to have you capable of initiating a business process on my side of the firewall.
In most corporate environments, if you remove inter-employee communication from the equation, most
employees lack a compelling reason to log into the corporate network and services. Instead, we could set up
messaging relationships, perhaps through individual users’ service providers. Once an account is identified
and secure, the employees can get everything they need through messaging.

The subset of people who will be inside the corporate applications, who need a login to function, are a small
number in very controlled islands.

The industry has not yet adopted this thought process overall. But in 2002, 40 million people submitted
their taxes this way. They used TurboTax* to fill out their forms, which they submitted to Intuit* in a
trusted relationship. Intuit then sent the forms to the government in another trusted relationship. The
government sent refunds to the individuals directly. Everybody has a trusted destination for the information.
If someone submits my tax form to Intuit who should not have, it is obvious, and I have to deal with it
because that falls into my segment of security.

In his section of this article, George Moakley points out that you will have information on your device that

2 of 7 1/28/06 2:09 PM
Intel® Software Network - Wireless Security Demands More than T... http://www.intel.com/cd/ids/developer/asmo-na/eng/61289.htm?prn=Y

needs to be protected from anyone who may invade, steal, or break into the box. That is true, because the
malefactors will continue to figure out where to place their dirty deeds (which is one reason I do not advocate
procedural-based Web services).

If, however, I instead send you a document that you can scan, and you are expecting a certain payload, it is
very difficult for that payload to be corrupted. If data is being moved in an XML document, you are not
worried about the application because you can scan the data as it is moving. In a segmented security model,
the user’s computer is not part of the network. It is simply a messaging partner.

Closed Loop Security: Architecting for a

Secure Future

I look at security as an onion, with layers of physical and logical security. The device is the core and contains
some level of ID. The user provides the next layers of logical security, protecting the data with encryption,
passwords, and so on. Another layer of logical security identifies the user when he or she uses a different
computer or device to access the same data.

Aysnchronous architecture changes the security risks but does not eliminate them. What mitigates risk is
the contractual relationships between parties. We have already reached the limits of what end-to-end
security can provide. Segmented security can pick up where end-to-end leaves off. With a segmented
security model, each layer of protection is owned by somebody. That somebody is contractually bound – by
business and service agreements – to provide security for its segment. I believe this will be the most secure
architecture for an actively mobile computing population.

Corporations do not have as big an architectural challenge with internal security, as they can be a trusted
intermediary. They can implement single sign-on and security policies to secure wireless devices and
networks. However, as an enterprise begins to work with not just one entity but dozens, it gets harder for
one point to secure all those entities. Over time, I think we will see intermediaries that manage access – and
there is a new model, a new philosophy, and a new approach to security. It is an architectural approach
rather than a technology approach.

Of course, we need technology to provide security – and that is the underlying value proposition – but it is
not sufficient in itself. The business models we apply to security are equally relevant. Securing the user does
not establish the contractual and business commitments that companies really need, and it does not make
the business environment function.

Closed-loop security means developing an agreed-upon legal environment within which we work, instead of
coming in each time and establishing our ID and user environment before we can function. I might not even
do the transaction myself. I may designate a proxy. Alternatively, I may have agreed with my service
provider to some number of dollars worth of service, paid for dynamically or automatically. Because I have
authorized them to proxy for me, all of these transactions are contractually valid.

Opportunities for Developers to Design the

New World

Developers have many opportunities to design this new architecture.

Solution architect – Start with the security architecture in your workflow and business process flow,
regardless of what technology lies underneath.

3 of 7 1/28/06 2:09 PM
Intel® Software Network - Wireless Security Demands More than T... http://www.intel.com/cd/ids/developer/asmo-na/eng/61289.htm?prn=Y

Software architect – Establish clearly where the security handoffs are between you and other elements,
including networks, databases, user devices, peer devices, etc. Develop a clean definition of who owns the
security of the information and when that is no longer your responsibility. (Otherwise, you will continue to
be the owner and implicated in security issues even if you handed off to another security segment.)
Middleware architect – You have a massive opportunity to secure the information (the payload) and to
secure the processes that are traveling through the middleware. This environment is begging for support
right now.
Hardware architect – The security performance algorithms you design are crucial to devices not slowing
down or draining the batteries during pre-processing of packets and data elements. I/O is going to be
tied to more and more security functions.

Silicon: Powering a Secure Architecture

I am espousing a network architecture in which silicon plays a huge role at every point on the path. A set of
performance improvements has to occur to process each message in an asynchronous architecture. A
device will need to be able to query other devices to ensure that the devices are not corrupted. Being able to
move seamlessly through hot spots is going to require a lot of performance, and Intel® processors are going
to provide that edge.

On the service side, processing the payloads, Intel processors will provide the performance to parse and
process XML, to scan and secure data, and perhaps even to create keys and other safeguards for the user
environment.

Silicon is in the equation in all shapes and sizes, from the smallest handheld device to the biggest
intermediate messaging appliance.

I believe that the nature of standards we have driven for the last seven or eight years and the change to
service-oriented architectures and XML are fundamentally reversing the philosophy of security. Security
becomes a wonderful opportunity to architect differently and to create new business models.

George Moakley on Actively Mobile Users

Raising the Bar

The remainder of this article responds to Thomas's comments from George Moakley's perspective, that of a
hands-on architect working on individual solutions.

In a previous article, Moakley identified "actively mobile users" as that class of mobile users who use
applications continuously while moving around, among, and between networks.

Those networks may be of different topologies, and they may be owned by separate providers. The
challenges represented by maintaining a session as the user moves between those networks are clear, but
they are accompanied by security challenges that we are only beginning to work on.

As a user moves between connection points with a connected PIM device, PDA, or laptop, the security
scheme must include the security linkage handoff between those connection points. This challenge is
becoming more complex in the emerging wireless-applications environment. For instance, if you are in a 3G
cellular mode and a Wi-Fi access point becomes available, your device should be smart enough to drop the

4 of 7 1/28/06 2:09 PM
Intel® Software Network - Wireless Security Demands More than T... http://www.intel.com/cd/ids/developer/asmo-na/eng/61289.htm?prn=Y

cellular connection in favor of the Wi-Fi network.

Not only must the systems make that switch without losing the application session, but they must
determine whether they can do so without compromising security, identify the appropriate security system
for that environment, and seamlessly adjust functionality accordingly. Application architects must address
all of these concerns.

New Means Are Needed to Maintain Security

across Multiple Networks

There is, at present, a lack of tools available that can maintain a security session (such as a single VPN
connection) for an active user moving between networks. This lack corresponds to an opportunity for service
and software providers alike.

One possibility is for something to be embedded in the device itself that uniquely identifies it, so that as it
moves around, it can perform a handshake with distributed equipment to identify itself, obtaining
authorization to continue the security session. Moreover, these systems must support a dependable
mechanism that conveys the fact that the system has not been compromised, to guard against session
hijack or spoofing.

The situation presents an interesting trust relationship between a corporate network and its mobile users.
Not only must the network be able to confirm that the user and device are trusted parties, but it must also
be able to verify that their activity since last connecting does not threaten security on the overall network.

Thus, the network must be able to scan the device for viruses and other compromising effects. Moreover,
devices should be security managed in the disconnected state; the continuity of management can then be
attested to upon reconnection, potentially obviating the need for actual on-connect scans, which could
require a lot of resources and time.

Ultimately, devices need to be identifiable, both from the standpoint of asset management and from that of
security, and there is a lot of overlap between those two issues. That identification requires a consistent
method to communicate the information to other entities, including other users, as well as services.

From a customer point of view, that role should be filled by the carriers, which implies the need for standards
between carriers that do not exist yet. The bottom line is that, the more we depend on this type of
communication, the more robust our security requirements must become, and there is a substantial lag in
satisfying those requirements that will certainly worsen before it starts to get better.

Client-Network Trust Relationships Place Large

Demands on Devices

As mentioned above, part of the burden of maintaining secure sessions between providers falls to the
applications themselves. At the same time, however, it is impractical to depend on every wireless application
being designed (or redesigned) to accommodate this requirement.

While there is a role for the equipment itself and a role for the software running on that on equipment, much
of the security must be associated with a one-on-one trust relationship between the client and the network.

5 of 7 1/28/06 2:09 PM
Intel® Software Network - Wireless Security Demands More than T... http://www.intel.com/cd/ids/developer/asmo-na/eng/61289.htm?prn=Y

Whether there is a single session and applications that presume that they are on a network, or between
applications on a per-message asynchronous architecture, there is a need for trust between them. As Chris
Thomas discusses in his discussion, the ideal situation is to move all applications to service-oriented
architectures.

One further challenge is that highly granular payloads can create high levels of overhead. More and more
applications send very small events to trigger large responses. For instance, a very small data set that
represents a pricing update could trigger a relatively large amount of processing on the client side.

A large number of such transactions will be accompanied by a large amount of security-oriented

computation per message to verify, for instance, that they come from a trusted source. This scenario
ultimately increases the demand for intelligence in the device.

Secure Your Environment, but Expect it to be

Compromised

Network administrators want something in the mobile devices that they can touch with their automation
systems to positively identify those devices and the users who are operating them. Unfortunately, the same
small size that makes handheld devices convenient also makes them very easy to lose or to have stolen.

Whatever data exists on a device, it must be secured well enough that the person who stole it cannot access
it, even with a crowbar and a supercomputer, nor can they get back onto the host network. Therefore, when
the device comes back online, the network needs to be able to ensure that it is the same device and the
same user.

Multi-factor authentication, wherein the network requires, for instance, both 'something you have' (i.e., a
token) and 'something you know' (i.e., a password), is an especially good idea in the mobile world. As the
technology progresses, we will be looking at adding a third layer, 'something you are' (i.e., biometrics).

We used to think almost exclusively about how to keep security threats out of the environment. A more
current way of looking at the issue is to recognize that threats will get in, and so we spend an equal amount
of energy identifying them when they do and isolating the extent of the damage.

We are in an arms race in the security space. Every time you give users more powerful tools, you also give
malefactors more powerful tools with which to attack your environment. Chris Thomas looks at this issue
from a strategic point of view in his section of this article, and the two perspectives are vitally linked. That is,
you must address the threats posed by tools as you deploy them, and you must also let the deployment
strategy itself be informed by a unifying philosophical vision.

New security solutions represent tremendous opportunity for ISVs, OEMs, and service providers, and
ultimately, these issues will be solved. In the mean time, senior executives in particular are today having
e-mail forwarded over wireless pathways to non-secure devices, and we need to do what we can to secure
them in the near term. It is going to be an interesting few years.

Conclusion

Consider this a call to action for both the user community and for developers. Mobility represents a radical
shift in how people can work, and that shift creates a lot of opportunity and a lot of risk. Ultimately, the
benefits outweigh the risks, and these technologies will (and should) continue to flourish.

6 of 7 1/28/06 2:09 PM
Intel® Software Network - Wireless Security Demands More than T... http://www.intel.com/cd/ids/developer/asmo-na/eng/61289.htm?prn=Y

Adopters can either insist that all risk be eliminated before they will adopt the technology, or they can
identify and fill in the gaps where the largest risks lie. Success generally comes to those who adopt the latter
approach.

Developers should start to bear in mind that users will want to use their applications while they are moving
about. IT managers should recognize that, as new mobile applications arise, users are going to put them on
the network no matter what, and we had better anticipate how to secure them.

Finally, we must provide similar security controls for PDAs and PIMs as we do for notebooks. Virus scanning,
intrusion prevention, and host firewall functions are all capabilities that must eventually be part of a complete
mobile solution, regardless of the device form factor.

Additional Resources

Intel, the world's largest chipmaker, also provides an array of value-added products and information to
software developers:

The Early Access Program provides software vendors with Intel's latest technologies, helping member
companies to improve product lines and grow market share: http://www.intel.com/software/eap
The Intel® Software Network offers free articles and training to help software developers maximize code
performance and minimize time and effort: http://www.intel.com/software
For information about Intel software development products, including Compilers, Performance Analyzers,
Performance Libraries and Threading Tools, visit the Intel Software Development Products home page:
http://www.intel.com/software/products
Intel® Solution Services is a worldwide consulting organization that helps solution providers, solution
developers, and end customers develop cost-effective e-Business solutions to complex business
problems: http://www.intel.com/go/intelsolutionservices
IT@Intel, through a series of white papers, case studies, and other materials, describes the lessons it has
learned in identifying, evaluating, and deploying new
technologies: http://www.intel.com/it/index.htm?iid=ibe_home+featured_itatintel&
The Intel® Software College provides a one-stop shop at Intel for training developers on leading-edge
software-development technologies. Training consists of online and instructor-led courses covering all
Intel® architectures, platforms, tools, and technologies: http://www.intel.com/software/college/

7 of 7 1/28/06 2:09 PM