This may be the breakthrough year for communications security. Even with spending on security measures already increasing, all segments of the wired and wireless markets, from government and the enterprise to consumers, are taking security much more seriously. Lots of changes are expected over the next few years as hardware and software vendors more successfully pitch their security-featured products and devices. Along with their trade groups, vendors will also work aggressively to adopt new standards for protected systems and chips.
Analysts at UBS Warburg (www.ubswarburg.com) expect security spending to grow from 2001's $6 billion to $13 billion in 2005 (Fig. 1). Based on its survey, IT researcher and strategist the Meta Group (www.metagroup.com) says that while only 24% of companies increased their technology budget in 2002, 73% increased their spending on security. Market researcher IDC (www.idcresearch.com) reports that security services accounted for almost half (47%) of the $17 billion worldwide IT security market in 2001, and that number is growing.
Research group In-Stat/MDR (www.instat.com) forecasts growth in IC security market segments, adding up to $575 million in 2006. "This sounds low," says Amer Haider, a strategic marketing specialist with Cavium Networks (www.cavium.com), a semiconductor company that produces network security processors, "especially if you consider all the chips that we expect to be introduced over the next few years." (Fig. 2)
The security-chip approach is getting lots of play right now. An industry consortium known as the Trusted Computing Platform Alliance, led by Intel, IBM, Microsoft, and Hewlett-Packard, developed specifications for a separate chip that stores special keys for encrypting and decrypting data independently of the computer's main processor. This new level of security is supposed to make life difficult for hackers. Yet with this approach, users may lose control of their own software and data.
Actel Corp. (www.actel.com), which offers a line of secure FPGA chips, says that interest in chip-level security is high. A security section launched on its Web site last summer started out averaging a few hundred hits a month but then rocketed up to achieve 23,000 hits in March 2003.
Best-bet opportunities for many security-conscious chip makers, says Haider, are Web servers for e-commerce and remote access, routers, remote offices (including home), and mobile workers.
Universities have identified communications and computer security as both a growing threat and an opportunity. So they're positioning themselves as experts in these areas, ready to conduct research and develop programs for the government or enterprise.
THE NEW CHALLENGE: WIRELESS
Not surprisingly, much of the focus now is on wireless communications security. More than 20 million handheld PDAs and a billion mobile phones are in use today, yet few corporations have security policies in place to administer the use and protection of their wireless data. Consumers, who are mostly on their own, aren't faring any better.
"Current encryption of wireless is not very good," says Barry Marsh, vice president of product marketing at Actel. "It's probably where analog phones were 10 years ago."
According to Sara Kim, a wireless industry market analyst with the Yankee Group (www.yankeegroup.com), companies have been slow to adopt wireless local-area networks (WLANs) partly due to weak security. That's beginning to change, though, as more vendors consider security in their designs. "This year, the focus is less on trying to solve specific problems and more on trying to put all the pieces together into a single platform. There's more attention to managing wireless security," says Kim.
A recent survey by Evans Data (www.evansdata.com) found that as the wireless sector continues to grow, so do security issues for wireless networks. The biggest increase in activity for developers working on Bluetooth applications involved the Public Key Infrastructure (PKI). For 802.11, it's user authentication and passwords.
"SSL [secure socket layer] seems to be establishing itself as the front runner for now in 802.11," says Chris Preimesberger, a wireless analyst with Evans Data. "This is because after eight years of development, the PKI architecture has established a reputation as a trusted and reliable method of authentication."
The survey's purpose was to measure the growth of network security systems over a six-month period for Bluetooth and 802.11 (also known as Wi-Fi). Evans Data found that both systems expanded their developer user base by 36% in that short period. The survey also found that Bluetooth network security schemes, at the moment, are evenly divided among three leading security alternatives: PKI, which accounted for 19% market share; SSL, with 17%; and the Wireless Application Protocol (WAP) at 16%.
A PENTAGON STRATEGY
Curiously, while a national cybersecurity strategy report released by the Bush Administration last September doesn't address wireless phones, it details securing 802.11 and other "private networks" that it says continue to cause a problem. (Almost immediately after the report was made public, the Department of Defense issued a memorandum prohibiting the use of many wireless technologies in the Pentagon and other U.S. military facilities until the DoD develops a wireless security strategy.)
Texas Instruments (www.ti.com) and Certicom (www.certicom.com), which have become partners in the development and marketing of wireless security solutions, believe that another technical issue is the growing variety of connectivity options available to wireless users. Such options range from WLANs and short-range standards like Bluetooth to wide-area networks based on mobile GSM/GPRS and CDMA/1xRTT infrastructures.
Standards groups are working diligently to overcome the security vulnerabilities of these systems, but it's a challenge. One noteworthy example is the Wired Equivalent Privacy (WEP) security standard designed for 802.11b applications. By all accounts, it simply isn't up to the task of maintaining a secure network.
"WEP has holes," says Actel's Marsh. One reason is that WEP keys are handled manually, complicating key management. Another problem is that WEP, in most Wi-Fi Alliance-certified 802.11 devices, features only low-security 40-bit encryption rather than the more secure 128-bit encryption or a virtual private network (VPN). Also, WEP has almost no user authentication mechanism.
Hoping to change all that, the Wi-Fi Alliance is working with the IEEE to develop something called Wi-Fi Protected Access (WPA). The standards-based, interoperable security protocol combines elements of the emerging 802.11i standard for wireless network security with enhancements to the existing 802.11 technology already in use.
WPA is actually a subset of the current 802.11i draft. It takes certain pieces of the draft that are ready for market today, such as the implementation of 802.1x and a Temporal Key Integrity Protocol (TKIP), which provides data-encryption enhancements. TKIP features include a per-packet key mixing function, a message integrity check (MIC) called Michael, an extended initialization vector with sequencing rules, and a re-keying mechanism.
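The message integrity check and sequencing rule listed above, as an added example that is not from the article or from any vendor it names: a Python sketch of the Michael MIC as defined in IEEE 802.11i, with a simplified receiver that rejects replayed sequence counters and altered payloads. The `Receiver` class, the key and the payload are constructed for illustration; real TKIP also covers the frame addresses and priority in the MIC and derives its keys through per-packet mixing, both omitted here.

```python
import hmac
import struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _xswap(x):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def michael(key, msg):
    """Return the 8-byte Michael MIC of msg under an 8-byte key."""
    l, r = struct.unpack("<II", key)
    # Padding: 0x5a, then 4 to 7 zero bytes, to a multiple of 4 bytes.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        r ^= _rol(l, 17); l = (l + r) & MASK
        r ^= _xswap(l);   l = (l + r) & MASK
        r ^= _rol(l, 3);  l = (l + r) & MASK
        r ^= _rol(l, 30); l = (l + r) & MASK  # rotate right by 2
    return struct.pack("<II", l, r)

class Receiver:
    """Simplified receiver (assumption): sequencing rule, then MIC check."""
    def __init__(self, mic_key):
        self.mic_key = mic_key
        self.last_seq = -1  # highest sequence counter accepted so far

    def accept(self, seq, payload, mic):
        if seq <= self.last_seq:
            return "replay"  # counter must strictly increase
        if not hmac.compare_digest(michael(self.mic_key, payload), mic):
            return "bad-mic"  # payload was altered in transit
        self.last_seq = seq
        return "ok"

def demo():
    key = bytes(range(8))                   # constructed MIC key
    payload = b"constructed frame payload"  # constructed sample data
    mic = michael(key, payload)
    rx = Receiver(key)
    return [rx.accept(1, payload, mic),
            rx.accept(1, payload, mic),                  # same counter again
            rx.accept(2, payload[:-1] + b"X", mic),      # one byte changed
            rx.accept(2, payload, mic)]

if __name__ == "__main__":
    print(michael(bytes(8), b"").hex(), demo())
```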
WPA implementation will be mandatory for Wi-Fi Alliance members' product certification beginning in September. In fact, TI began offering its 802.11 customers a WPA software upgrade for existing products in February. Georganne Benesch, vice president of product management for the LAN Division of Proxim Corp. (www.proxim.com), says the company will provide WPA to its existing users as a free software download from its Web site.
There's no shortage of new security products for wireless access:
- IDT (www.idt.com) has unveiled a new access integrated communications processor with hardware-accelerated IPsec, a standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks. The processor's security features are combined with an integration of peripheral component interconnect (PCI) and Personal Computer Memory Card International Association (PCMCIA) interfaces and Ethernet connectivity. As such, it's aimed at gateways, wireless access points, and VPNs.
- Motorola (www.motorola.com) expanded its messaging products portfolio for security personnel with mobile access to encrypted messages and digital images sent securely over a network to wireless devices.
- IBM announced a software tool, called Distributed Wireless Security Auditor, that lets network administrators detect unwanted wireless access points on their wireless LANs.
- Cisco Systems (www.cisco.com) unveiled a series of security modules for its network switches.
- Broadcom (www.broadcom.com) announced two new mid-range accelerator cards designed to speed up the processing of VPN cryptographic functions while offloading CPU tasks.
- Northrop Grumman (www.northropgrumman.com) and Intellactics are targeting government agencies with their full-featured network security monitoring systems.
- Electronic Data Systems (www.eds.com) has won a contract from the DoD valued at $258 million to upgrade the Pentagon's computer network and data-storage systems.
Of course, much of this new interest in communications security stems from homeland-security concerns. Even though many companies and government agencies admittedly are playing catch-up with long-needed security improvements, saying that they would have updated their network security anyway, homeland security is often part of the pitch, and it's working.