Pachyderm

You Can Trust It



We're advocating that the user be able to walk up to any computer anywhere and get on with his work. This has serious implications for what we do about security. For the sort of system envisaged here, high quality security could make the difference between acceptance and rejection in many applications.

From the point of view of the user, security features necessarily make it more difficult to get on with the task at hand. After all, their purpose is to stop someone else doing things; any cost to the legitimate user is viewed by the legitimate user as unfair overhead.

To keep users and security experts both acceptably happy, the security system needs to be flexible. When the user is in his office, he's firmly within the corporation's security perimeter. He doesn't need encrypted network traffic or elaborate authentication schemes. When he's in a hotel room or a cyber-cafe, the requirements are more stringent: he probably needs to expend a fair amount of effort getting authenticated (perhaps by a smart card that he carries, or by certificates stored in his laptop), and he should be willing to consume some of his computation cycles encrypting his communication. There are intermediate situations: at home, we might decide the user is within the perimeter, or at least allow simpler or more efficient access based on known information about the location.

From the point of view of the system manager, we've made his security problem potentially much worse. First, as we've just noted, the security system must be flexible. This means more options for the manager to manage, and more susceptibility to obscure security flaws. There's also a more severe issue if the manager allows users to access data from outside the corporation's security perimeter: the tools must provide adequate audit trails to show which user transferred what data into or out of the perimeter, and they must provide for controls prohibiting certain transfers.
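The location-dependent requirements and the perimeter audit trail described in the two paragraphs above can be sketched as one policy function. This is an added example, not Pachyderm code: the zone names, address ranges, data labels and function names are all assumptions, and treating the home network as outside the perimeter with simpler authentication is only one of the choices the text allows.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed zone map (assumption): sample ranges stand in for real networks.
ZONES = [("office", ipaddress.ip_network("10.0.0.0/8")),
         ("home", ipaddress.ip_network("192.0.2.0/24"))]
# zone -> (inside perimeter?, encryption required?, minimum authentication)
POLICIES = {"office": (True, False, "password"),
            "home": (False, True, "password"),       # intermediate case
            "public": (False, True, "certificate")}  # hotel room, cyber-cafe
AUTH_RANK = {"password": 1, "certificate": 2}
BLOCKED_OUTBOUND = {"restricted"}  # hypothetical labels that may not leave

def zone_for(addr):
    """Map a client address to a zone; unknown or malformed means public."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "public"
    return next((name for name, net in ZONES if ip in net), "public")

def authorize_transfer(user, addr, label, direction, encrypted, auth, audit):
    """Decide one transfer and log every attempt that crosses the perimeter."""
    zone = zone_for(addr)
    inside, need_enc, min_auth = POLICIES[zone]
    if need_enc and not encrypted:
        reason = "encryption required"
    elif AUTH_RANK.get(auth, 0) < AUTH_RANK[min_auth]:
        reason = "stronger authentication required"
    elif not inside and direction == "out" and label in BLOCKED_OUTBOUND:
        reason = "label may not leave the perimeter"
    else:
        reason = "ok"
    if not inside:  # denied attempts are recorded too
        audit.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "zone": zone, "label": label,
                      "direction": direction, "reason": reason})
    return reason == "ok"

if __name__ == "__main__":
    log = []
    print(authorize_transfer("alice", "10.1.2.3", "general", "out", False, "password", log))
    print(authorize_transfer("alice", "203.0.113.9", "restricted", "out", True, "certificate", log))
    print(log)
```

Unknown addresses fall through to the strictest zone, so a gap in the zone map fails closed rather than open.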

From the point of view of system design, the main new factor is that the user's computer might be anywhere on the world-wide Internet. Fortunately, much of this is a solved problem. We can use SSL to protect web-based communication when it's on public networks, and X-500 certificates to achieve authentication. We possess technology (the Secure Web Tunnel) that lets us achieve this level of security from the outside world into a corporate intranet, and in a way that permits flexible auditing or filtering at the firewall. These techniques reduce the security issues to a previously existing hard problem.

 
Copyright © 1997, Digital Equipment Corporation. All rights reserved.