Wednesday, March 28, 2007

Security on a Card: Good, Bad or Not'n Special?

One of the innovative things (and, yes, my long and thoughtful post on security innovation is still upcoming ... and, no, security innovation is NOT dead!) I noticed at RSA 2007 was a few "security on a card" solutions. What do I mean by "security on a card" here? A dedicated pluggable (USB, PCMCIA or whatever) piece of hardware that carries some or all of the host protection, policy enforcement and, possibly, management, access and connectivity functions. You can also think of it as a "micro-appliance" in the pocket.

In fact, I was briefed by a few Lucent-Alcatel folks who are working on a really cool "security platform" on a wireless card (called Project Evros). Yoggie folks have another one of that type, with a somewhat different focus and functionality, and so does Seclarity. There are also a few "stealth" vendors working on such technologies, as I was told.

Let's quickly look at the pros and cons, generalized to cover the solutions of this type that I saw.

Pros:

  • Much harder for host-based malware, as well as attackers, to disable (I am stopping short of just flatly saying "more secure" here!)
  • Harder for "legitimate" users to bypass
  • No security software to update, manage and, in general, mess with
  • No software conflicts between security and application software
  • Predictable environment for security functions to run in (some cards contain fairly robust Linux-based OSs with their own CPUs and even separate wireless network uplinks)
  • Likely, easier to centrally manage and support
  • Some provide a host-independent, yet detailed, access audit trail (Hurrah, more quality logs to manage!)

Cons:

  • Another piece of hardware to break or lose
  • Extra hardware cost
  • Possibly, risk of losing some or all protection if the hardware is removed
  • The opposite risk of not being able to bypass it, and thus not being able to do any work, in case of hardware failure - a new "single point of failure"
  • Possibly reduced protection from threats that entirely bypass the card (e.g. from a virus-infected CD or DVD)

Overall, it sounds pretty impressive, and this "security on a card" space will definitely be interesting and exciting to watch! I am predicting that we will see more of this type of stuff in the coming years, since these technologies help deal with today's as well as yesterday's (such as worms...) security concerns: data theft, compliance risks, etc. What about future risks? :-) Only the future can tell...

Dr Anton Chuvakin