Bethesda, Md., March 30, 2009 – Arxan Technologies® Chief Technology Officer Kevin Morgan says enterprises deploying widely-used data protection methods aimed at “defending the perimeter,” are not enough in today’s distributed computing world to safeguard intellectual property, and urged companies to adopt new strategies aimed at integrating security into the software and data assets themselves. 

Morgan, with Arxan, a leading provider of application hardening solutions designed to protect software applications from tampering, issued the call to action at the 10th Annual CERIAS Information Security Symposium last week, while speaking on the topic of “Unsecured Economies: Protecting Vital Information.” The topic in part, was focused on the implications of a recent global CIO survey pegging losses of $4.6 billion worth of intellectual property last year alone.

Morgan’s comments were delivered to an audience of leading information security experts, researchers and practitioners assembled at the Symposium, which is sponsored by Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS), one of the world’s leading centers for research and education in information security.

While traditional security thinking has led many towards a focus on securing the perimeter – such as the perimeter of the network, application or system, Morgan argues this approach is insufficient in today’s world of distributed computing. Moreover, he says this focus has diverted resources and attention from the real task at hand -- building in defensibility to applications, and in turn, leaving everything inside the perimeter vulnerable to attack.

“The concept of a defensible physical and electronic perimeter does not exist,” said Morgan. “There are far too many methods by which the perimeter can be penetrated, both through direct and indirect attack. Boundary protections are futile; we have to assume criminals have direct access to company data and processes through computing elements. Therefore, any model of protecting these computing elements from access will not deliver the necessary level of security.”

More importantly, says Morgan, given today’s distributed enterprise computing model -- a modern enterprise literally has no set network perimeter to defend, making the case even stronger to focus data protection resources at the source of the application.

New Realities, New More Relevant Focus
“The security model must directly address the security of the company assets at the finest level,” said Morgan. The data itself and the applications themselves must be intrinsically secure, and the keys that provide legitimate access to, and operation of these assets, must in turn be secure.”

Morgan says companies need to look to application hardening techniques, which can be employed at any stage of the software development process and allow firms to maintain control of the intellectual property contained in their software and data. The most modern and effective defenses against tampering, malware insertion, unauthorized access and the like are binary-based technologies that protect against both reverse engineering and tampering attacks. So-called “Guard” technologies defend, detect and actively react to attempts to application hacking or tampering through embedded and layered defenses. These next-generation Guard solutions can heal themselves, call for help, shut down the program or monitor the threat before deciding on an appropriate response.

Additionally, Morgan recommends cryptographic key protection. “One critical point of failure in today’s systems is the instance at which the key is revealed and used; this point is identifiable through signature patterns and cryptographic routines. Once found, they direct an attacker straight to where the keys will typically be constructed in memory where, fatal exploits can occur, including phishing, spoofing and code tampering attacks.

“It’s vital that private keys are never revealed statically or in run-time memory and that public keys cannot be tampered with, and that is what cryptographic key protection addresses,” he said.