Security gets framed
Despite millions of dollars spent by IT companies, digital security still contains more holes than a Swiss cheese. One European project plans to plug those holes by creating a virtual security framework independent of both devices and the networks they are trying to access.
SEINIT, the Security Experts Initiative, offers the promise of seamless security regardless of hardware, software or access protocol, whether it's mobile phones, bluetooth, WiFi, ethernet or broadband connection. And they achieved this pervasive security without sacrificing privacy.
"We set ourselves the almost paradoxical goal of reconciling security and freedom," says Mr Andre Cotton, coordinator of the IST-funded SEINIT project and Head of the Advanced Information Technologies Laboratory at Thales Communication in France.
The project created a framework for security that negotiates between users and the service they are trying to access.
"Users decide at the beginning what level of information they want to reveal to the service. The framework then negotiates with the service and applies the appropriate security component or protocol," says Mr Cotton.
Users don't have to reveal more information than they want. It may not be possible to set up a secure connection in the way the user wants. Either the device can't cope with the protocols required, say a light PDA, or the user isn't willing to divulge a vital piece of information.
"For example, trying to access a bank account without disclosing the user’s name or identifier," says Mr Cotton. "In this case the framework alerts the user that the connection is not possible, and suggests alternatives."
Vitally, control of privacy is left with the user while the framework applies the appropriate level of security.
Deploying a system like this means that security is by its very nature hardware and software independent. It's governed by a framework rather than a particular piece of encryption or a specific programme.
What's more, SEINIT designed the framework security protocols and technologies as components. "So when new security components or technologies emerge, they can be added to the framework. This means the system is sustainable," says Mr Cotton.
The project team are finalising a demonstrator for the framework on Windows and popular Unix system Linux and across LANs, Internet, and wireless networks.
"But the framework has a small footprint and as of right now it could be implemented in a mobile phone. We simply want to demonstrate the principle," says Mr Cotton.
The next stage is the development of a user interface and that will take place in a separate project, called DISCREET, and due to start in January next year.
Ultimately, though, Mr Cotton hopes the SEINIT approach will be adopted as a formal security standard. "This is a demonstrator, but we hope to show the advantages of this approach," he says.
If deployed, Mr Cotton believes a security system like SEINIT could have a profound impact on society.
"If we had the capability for any platform, hard or soft, to be involved in a security agreement with any requirement and standard it would truly unlock the potential and promise of the information age," he says.
Source: IST Results