Commercial Coalition Tackles Security Complexities
Firms join forces to provide integrated solutions.
Corporate America is helping assemble the homeland defense jigsaw puzzle that includes thousands of pieces being put together by hundreds of people looking at a multitude of different pictures. Industry leaders agree that the biggest challenge is the complexity of the problem and the plethora of solutions being proposed by companies with a range of specialties taking widely varying approaches.
Establishing the U.S. Department of Homeland Security is just the first step in getting a handle on the many aspects of protecting U.S. citizens. Agencies must determine the best way to provide security on a variety of fronts—from border control to infrastructure protection to information security. Firms big and small have been busy proposing technologies, so the challenge security implementers now face is how to sift through the possible solutions and choose those that will be most effective.
The Homeland Security Department has taken some specific steps toward finding those solutions. It has set aside funding and has established a process for piloting solutions in certain categories of technologies that cost less than $1 million and can be implemented in less than six months. The biggest challenge industry faces will be managing the complexities involved in providing integrated security solutions.
Just as information systems companies teamed with corporate colleagues to offer end-to-end solutions to conventional government requirements, today many firms are joining forces to create and produce integrated solutions. One such firm, Oracle Corporation, Redwood Shores, California, has been working on homeland security issues for many years. Oracle Senior Vice President for Public Sector Sales Steve Perkins leads the company’s homeland security operations. He notes that the company’s technology already plays a significant role in each of the 22 agencies that will be part of the Homeland Security Department.
Security is an infrastructure issue, and communicating securely while managing systems was critical for government agencies even before September 11, 2001, Perkins relates. After the terrorist attacks, however, it became apparent that the government would be looking for comprehensive rather than individual solutions.
One of Oracle’s key assets addresses this challenge. Its homeland security-focused partnership program, which was established in January 2002, includes 225 companies. More than 45 of these firms are new Oracle partners that joined the company’s long-standing worldwide partnership program of more than 12,000 firms specifically to be part of homeland security efforts.
“Oracle has always had a very strong partnership program, even before 9/11. [After 9/11,] we determined that we should be out looking for homeland security solutions within our current alliances and then with those companies that we think have solutions,” Perkins explains.
Oracle is working with several partners to develop prototypes of technologies and also working with integrators who will take part in developing and managing security programs. In addition, the company is investigating how partners can take advantage of Oracle’s technology, he says.
To become a partner in the security effort, companies must be able to exploit Oracle technologies so that there is a good business match. They must also demonstrate strong research, offer proven technologies, show expertise in specific business domain processes and know how to work with the government.
Oracle’s partner companies offer products that address a range of homeland security issues. For example, BIO-key International Incorporated, Eaton, Minnesota, has developed a new science for biometric fingerprint verification to police access to facilities or information systems. Don Rosacker, president of the company, says that, because it collects more data, his firm’s software out performs current biometric technologies in the three major areas of fingerprint verification: false accept, failure to enroll and false reject rates.
“Up until now, the most discriminating biometric technology has been [scanning] the iris. BIO-key’s technology is 200 times more discriminating than iris identification,” Rosacker states.
The Automated Fingerprinting Identification System (AFIS), for instance, is the most widely used system. It collects data about 50 to 75 fingerprint minutiae points then determines the relationship between them, which results in 100 to 200 data elements. The BIO-key system collects a total of 1,500 to 2,000 data elements. The software is what Rosacker calls “hardware agnostic,” so organizations can use their current fingerprint identification devices.
The failure-to-enroll rate is a critical issue in fingerprint biometrics, Rosacker says. Differences in physical characteristics can preclude fingerprints from being collected. In AFIS, for example, five to 12 percent of the population cannot be enrolled in the system. BIO-key software reduces this percentage to less than one-tenth of one percent.
Rosacker relates that current biometric systems also do not address the problem of multiple enrollments for a single individual. A person could enroll using one identity one day, then re-enroll using another identity the next, yet other technologies do not spot the duplication. BIO-key software can review existing databases to determine if an individual is enrolled multiple times. The ability to look across a large database is key to effective implementation of the company’s software, and Oracle’s database strength is one of the reasons BIO-key is working with the company, he says.
Increased security concerns have prompted many agencies and businesses to take a layered approach to monitoring their facilities. However, coordinating input from multiple devices can create information overload for security personnel.
Vigilos Incorporated, Seattle, has created a software solution to this dilemma that connects various types of access control, intrusion alarm and video surveillance devices into one system.
Geoffrey T. Barker, chairman and chief executive officer, Vigilos, points out that security screening data is just information and should be organized in a database, which is what led to his company’s work with Oracle.
Using Avanta, Vigilos’ open architecture software platform, an organization sets the security parameters to monitor its facilities. The firm’s security solution collects, stores and responds to data from existing intrusion detection systems and video equipment then notifies designated security personnel. For example, when an unauthorized person attempts to enter a restricted area, security cameras can be directed to view the location. On-site security personnel will be alerted, or notification can be relayed via telephone, fax or e-mail to off-site personnel. If this first group does not respond, the system will alert a second tier of personnel designated by the organization.
Barker contends that Vigilos’ software addresses the three pillars of protection. First, it directs security breach information to the people who need it. Second, it is state-of-the-art technology that leverages the existing investments in security systems at facilities. Finally, the software reduces required training because security personnel have to learn only one system. Barker refers to this as network-centric security. Several financial institutions, an oil refinery and a freight shipping facility currently use the technology.
Oracle also is working with a company that addresses the security concerns surrounding the cargo transport industry. For more than 13 years, Savi Technology Incorporated, Sunnyvale, California, has been in the business of asset management, offering a variety of products that employ radio frequency identification.
The company’s smart tags allow in-transit visibility and asset location that supports military and commercial logistics; however, the tags do not provide the level of security required for today’s homeland security efforts. To meet this need, Savi Technology developed EchoPoint, a patent-pending technology that allows shippers, carriers and logistics service providers to actively monitor the security of their shipments from point of origin through destination. The technology ensures that contraband or dangerous substances cannot be added to containers during transit.
Ken Wykle, senior vice president for public sector, Savi Technology, explains that the SmartSeal secures a container prior to shipment. If someone attempts to tamper with the container by opening the bolt, security personnel can be alerted via fax or telephone. The product is reusable, provides tracking information and works with standard off-the-shelf bolt seals available from many manufacturers.
Savi Technology developed a pilot program with companies in the Asia-Pacific region and is conducting site surveys with European firms. It is in discussions with Sandia National Laboratories about red-team testing the security capabilities of the SmartSeal, Wykle says.
SmartSeal was built on an Oracle database so that information can be shared with the customer. In addition, Savi Technology is negotiating with Oracle to collaborate on a technology demonstration for the U.S. Customs Department during fiscal year 2003.
Partners and customers can evaluate the effectiveness of security products at Oracle’s Information Assurance Center in Reston, Virginia, which was opened just prior to September 11, 2001. “The purpose of that group is to prove the efficacy of security solutions by taking component parts like visual recognition, fingerprint recognition or geospatial capabilities and integrating them with Oracle’s middleware and our security capability and demonstrate that they work with government customers and Oracle. So we obviously accelerated that facility and dedicated it largely to homeland security efforts,” Perkins says.
The center showcases how the company’s technologies integrate with a range of other security products such as access controls, secure Web servers, enterprise access control, security command and control systems, intrusion detection systems, encryption systems and firewalls.
Perkins identifies several types of technologies that will be critical to homeland security efforts both now and in the future. Products that collect geospatial data will help organizations identify potential terrorist targets to assess and mitigate risk. In addition, mapping and a searchable database of this information will assist emergency personnel who respond to incidents.
Many new biometric products are being developed, and this is an important security area. Perkins points out that these technologies address the volume of information that biometric security measures involve. For example, it is simple to match a person’s fingerprint on a reader to one that is imprinted on an identification card. But matching a fingerprint to a voluminous set of records requires heartier technology.
Perkins also believes that wireless communications capabilities will be very important. At the first-responder level, emergency personnel will need to be able to communicate with each other as well as receive instructions from agency and emergency-response coordinators and access information from large databases.
Cyberspace also will play a key role in homeland security as it enables agency and emergency services leaders to manage an event from a central location. Technologies are required that facilitate this capability in a secure and reliable manner, Perkins says.
Additional information on Oracle Corporation is available on the World Wide Web at www.oracle.com, on BIO-key International at www.bio-key.com, on Vigilos Incorporated at http://www.vigilos.com and on Savi Technology Incorporated at http://www.savi.com.
Homeland Defense Depends on Secure Systems
If data is the building block of security, then information assurance is the mortar that holds it together. At the Oracle Corporation, it is Mary Ann Davidson, chief security officer, who is the passionate leader of the company’s information security efforts.
Because the intelligence community planted the seeds of the company—the firm was founded 25 years ago based on a program for U.S. intelligence agencies called Project Oracle—it has extensive experience in building what Davidson calls “security for paranoids.”
While many security experts contend that insiders pose the largest threat to information systems, Davidson points out that viruses have caused billions of dollars in damage, and many take advantage of flaws in software.
“The fallacy is that the remedy is to buy more guards, gates and guns,” she states, using physical security as an analogy. “But you can’t protect against attacks if the security is not built-in.”
Under a U.S. government policy directive, agencies must prove that their information systems are secure, and security products must be independently tested to verify their effectiveness before funding is granted (SIGNAL, August 2002, page 23). This is a positive step toward getting companies to build software products that are secure from their inception, which is the only acceptable approach, Davidson asserts.
Making security a purchasing requirement will change the way companies build their products, and several independent groups are working to design standards that will pressure vendors to make their products more secure by default, she explains.
Even in today’s security conscious world, two problems persist, she says. First, vendors are so eager to get products to market, they release them before they are totally secure, and hackers take advantage of these vulnerabilities. Patches are distributed later; however, organizations must invest time and money to install them, and some systems can be missed, leaving them vulnerable. Second, some security companies, Davidson says, are selling “snake oil,” products that either do not solve current problems or do not deliver on promises.
Oracle’s approach to information security involves layers of protection as well as checks and balances. For example, while some firewalls only deny access to designated items, Oracle uses a denial-by-default approach, allowing only approved items into the systems.
An enhanced auditing technique allows system administrators to know who has accessed which files and at what time, so suspicious activity can be monitored and stopped.
The requirement to be able to share information among organizations to support homeland security efforts is an additional challenge in the data assurance realm, Davidson says. Agencies and individuals must be able to view certain elements of a database but, for policy and security reasons, cannot have access to the entire system. Oracle offers its customers this type of discriminating access to databases, Davidson maintains.
In addition, the company employs hacking teams that report directly to Davidson and identify problems with new products before they are released to customers. This technique has uncovered problems that some companies could overlook, she says.
Certification by independent organizations is one of the keys to ensuring that security products do what they say they will do, Davidson asserts. Oracle has received 15 independent security certifications.
When purchasing information security products, Davidson recommends asking the vendor for references from current customers, then following up with a call to determine their level of satisfaction.