October 16, 2000

By Scott Berinato, eWEEK


Everyone knows, when they buy electronics, to look for the "UL" symbol on the back. It's the mark of Underwriters Laboratories Inc., and its seal of approval essentially means the product probably won't electrocute you or catch fire.

Given the number of IT shops burned by poor security this year, many think it's time for a UL-like underwriting organization in the world of Internet security. But don't build your security infrastructure expecting any such labels in the near future.

One security administrator at a large Midwestern bank recently purchased an intrusion detection system and says, in retrospect, he wishes it had some kind of underwriter's seal of approval on it.

"The product just hasn't met our security requirements," said the administrator, who requested anonym ity. "If there were some stamp with the weight and respect of a UL when we were evaluating, that would have meant a lot. It would change our approach to buying security products."

Underwriters in other industries test products and give them a "grade" so buyers can make certain assumptions about them. UL, for example, has three classifications, each meaning a product or its components have been tested for certain types of risk. There are also legal implications to having a product tested and approved.

Creating a baseline set of specifications that all security products must meet would not only help enterprises grappling with a glut of secur ity products and services but also would protect managed security providers should they be sued by clients if security is compromised.

But many of the same security experts who see the need for a UL-like organization say it's not likely to come about any time soon. Some doubt it's even possible to create such a thing.

"The sheer complexity and the cost of creating that, and having it be credible, seems to indicate you could never get ahead of the problem," said Bruce Schneier, founder of managed secur ity company Counterpane Internet Security Inc., in San Jose, Calif. "Plus, to stick to the analogy, Underwriters Laboratories deals with randomswhat happens if lightning hits your appliance? With computer security, you have intelligent adversaries. Lightning doesn't target your radio. Hackers target your computers."

Another user at a life insurance company also supports a security underwriter, but he, too, doubts its feasibility, asking rhetorically, "Have you ever tried to put a basement under a house?"

That's not to say there haven't been efforts to create underwriters in the security world.

The most notable example is ICSA.net, a Carlisle, Pa., group that most security managers know for its work certifying firewalls, VPN (virtual private network) hardware and other security products.

In fact, founder Peter Tippett invites the analogy to UL and wants to extend certification into the services realm with a "best practices"-type stamp for Internet sites under the TruSecure brand.

But vendors and users alike are resisting buying into ICSA.net as the potential nonpartisan underwriter for Internet security.

"First off, they're for- profit," said Dave Williams, CIO of Retail Solutions Inc., in Lincoln, R.I., who does not look for the ICSA stamp of approval on security products. "That's a bias right there. And more than anything, any sort of 'eUL' will have to have credibility. But I definitely want to see some sort of underwriter. I've been burned like everyone in security."

Others weren't as kind to ICSA.net.

"We've worked with ICSA, and they are a nightmare," said Steve Peters, president of VPN hardware vendor Red Creek Communications Inc., in New ark, Calif. Peters said the number of customers demanding ICSA certification has been dropping. "There was no service. They were in it for the money," he said. "But some sort of underwriterwithout the ICSA politicsthat would help."

Several other users and experts echoed Peters' and Williams' sentiments, including the administrator at the life insurance company, who said, "We haven't been real happy with them. I don't see them as the answer."

But ICSA isn't the only group trying to underwrite security.

Visa International Inc. last week launched a Web site, Global Data Security, which aims to set privacy and security standards for merchants and consumers in its network. Visa hopes this becomes akin to the "Good Housekeeping Seal of Approval" for online security.

None of these efforts, however, meets the real needs of underwriting security. Most experts said the organization that would oversee security would have to be not-for-profit, widely respected, independent and capable of keeping up with technology that changes quickly.

But the effort to create and support an underwriter is slow. Vendors say they support such an initiative and would put their products through the wringer if a stamp of approval were available, but few seem to want to do anything about it.

Counterpane's Schneier doubts it can happen. "I don't think anyone can afford to do it or can keep up with the pace of change, which means it won't happen," he said. "We'd be better to recognize there won't ever be such an underwriter's stamp and go from there."

Retail Solutions' Williams holds out more hope.

"I can see how that first step is a real big one," he said. "But if there were an organization already out there willing to take it on, the rest would read ily fall into place. An underwriter would really help, and that's what this is all about, right? Helping users?"


Underwriting Security

While some agree with ICSA.net's certification categories and criteria, many say it hasn't proved credible enough to be a standards underwriter


* Anti-virus software * Firewalls * IP Security products * Cryptographic products

Criteria for passing

* Product resists specified threats * Product passes battery of tests n Performance-based n Underlying technology not assessed


* Initial test and contract for certification * Random tests throughout product life * Yearly recertification of products

main page ATTRITION feedback