Inside the Firewall: Will Bigger Encryption Keys Keep Your BI Data Safe From Harm?

With a solid firewall, you may think your sensitive data is safe, but have you prepared for an attack from within? "Significant numbers of attacks are now coming from inside the firewall," says Yankee Group analyst Jim Slaby.

Some of the attacks are intentional, but many are not. "A user can inadvertently pick up spyware or a Trojan horse outside the security bubble while, say, working at home or at a Wi-Fi hot spot," says Slaby. "These can give outsiders a back door to security profiles and the location of sensitive data."

It takes sophisticated software at the network edge to detect these threats inside the firewall when the user reconnects at work. "Very few organizations have these edge systems in place," says Slaby. Cisco has Network Admission Control (NAC), "but it's big and complex and not all Cisco products support it yet." Microsoft's Network Access Protection (NAP) won't be ready until Longhorn, the next major Windows revision, is released — in a year or more.

To thwart internal attacks, consider encryption inside the firewall, which offers an additional, application-level layer of security. Most business intelligence vendors offer some encryption capabilities inside the firewall.

Business Objects recently announced new 128-bit encryption for user security profiles, data source locations for sensitive reports and reporting business context. BusinessObjects XI includes RSA BSAFE, a 128-bit asymmetric encryption product.

Rivals Cognos and Hyperion also include encryption for this class of information in their products, but only at the 56-bit level. Both say governmental restrictions on technology exports make automatic inclusion of 128-bit encryption impractical. Meanwhile, MicroStrategy says it has shipped 128-bit encryption with its BI products since 2000.

Business Objects counters that its longer bit length isn't used for document encryption or keycode generation and authentication, so legal restrictions aren't a concern.

All these vendors support 128-bit SSL encryption standards for communicating over the Web.

When it comes to encryption keys, does size matter? A longer key doesn't necessarily buy you more security if your encryption algorithms are weak. Microsoft learned this the hard way with NT 4.0, Slaby points out.

A sloppy security implementation can also trump the numbers. "Strong encryption can be like putting a bank vault door on a tent," says Trent Henry, analyst with the Burton Group. "Often attackers can ignore the cryptography and find other points of entry."

— Mark Leon

Encryption standard   Key length            Assessment
DES                   56-bit                Once nearly uncrackable, now considered inadequate to defend against brute-force attacks
TRIPLE DES            Effectively 160-bit   Three times slower than DES but, properly implemented, is very secure
AES                   128-bit               Considered virtually uncrackable at present
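As an added illustration that is not part of the article, the Python below puts numbers on the table above and on the point that a longer key is no help when the implementation around it is weak: it computes the expected brute-force time for each key length in the table at an assumed trial rate, then shows how a strong cipher keyed from a weak secret (a constructed 6-digit PIN case) collapses to the entropy of that secret. The trial rate, the PIN case and the function names are assumptions made here.

```python
import math

# Key lengths as the article's table states them.
KEY_BITS = {"DES": 56, "Triple DES": 160, "AES": 128}

# Assumption for illustration: an attacker testing 10^12 keys per second.
TRIALS_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_brute_force_years(key_bits: int, rate: float = TRIALS_PER_SECOND) -> float:
    """Expected time to recover a key by exhaustive search.

    On average half the keyspace must be tried, hence 2^(bits-1) trials."""
    trials = 2 ** (key_bits - 1)
    return trials / rate / SECONDS_PER_YEAR


def effective_key_bits(cipher_key_bits: int, key_source_choices: int) -> int:
    """The 'vault door on a tent' point in numbers.

    A key derived from one of N equally likely secrets carries only log2(N) bits
    of entropy, so the scheme is as strong as min(cipher key, secret), whatever
    the cipher's nominal key length."""
    return min(cipher_key_bits, math.floor(math.log2(key_source_choices)))


def compare() -> dict:
    """Brute-force years for each table entry plus one weak-implementation case."""
    result = {name: expected_brute_force_years(bits) for name, bits in KEY_BITS.items()}
    # Constructed case: AES-128 whose key is derived directly from a 6-digit PIN
    # (10^6 possibilities), so the attacker searches PINs, not 128-bit keys.
    pin_bits = effective_key_bits(KEY_BITS["AES"], 10 ** 6)
    result["AES keyed from 6-digit PIN"] = expected_brute_force_years(pin_bits)
    return result


if __name__ == "__main__":
    for name, years in compare().items():
        print(f"{name:28s} {years:.3e} years")
```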

Long-Term Web Visitor Tracking

As many as 39% of online users may be deleting cookies from their primary computer every month, says a recent Jupitermedia report. Nearly 60% have deleted their cookies in the past year. Cookies are the primary resource Web analysts can exploit to track behavior of visitors returning to their Web sites over time. Rampant deletion of cookies degrades reliability of this analysis.

Strategic RFID

Most manufacturing companies implementing radio frequency identification (RFID) tagging are doing the minimal "slap and ship" to comply with big customers' mandates: Slap the tag on the finished product and send it on. New initiatives by SAP, Intel, Hewlett-Packard and others are moving us closer to figuring out how to use RFID more strategically, in asset management and SCM.

Risk of Patent Violations

Do you have insurance against open-source patent violation lawsuits from companies such as SCO? This might lower your premium without raising your expenses much: Black Duck Software's protexIP software is now available as a hosted service, so if your environment doesn't require investment in the installed software, you can still check your systems to ensure they're legit.