XML's Dirty Secret
Computerworld -
The information security crowd has a serious problem. These folks think that what they're doing to safeguard data still works. Sure, they did good work keeping secrets and ensuring data availability and integrity when most computing was mainframe-based as well as during the client/server boom of the '90s. And they even made electronic data interchange safe.
But in the age of Java and .Net, where most business-to-business data will be represented in XML, things are very different.
Yes, virtual private networks (VPN) and end-to-end encryption using public-key infrastructure technology can keep data confidential while it's in transit. Protecting data at the network level is fine, until someone hacks into your system and goes fishing for it. But the real vulnerability is XML itself.
The trouble with XML is that it explains far too much about the data that's represented in it. The tags that define the structure of a document and describe what each individual data element is also make it dead easy to locate sensitive data, such as credit card and transaction information. This is simultaneously the basis of XML's power and its greatest weakness.
The metadata of the tags simplifies programming and facilitates interoperability. But it also helps point out to interlopers - whether inside or outside the organization - where the important stuff is. Using XML for sensitive or mission-critical traffic is like painting a target on the data. Not only is the data exposed and wide open, but it also calls attention to itself.
Application programmers know this. System designers know this. And if they think about it, IT managers, too, realize the vulnerability. But according to Weston Swenson, president of Wellesley, Mass.-based Forum Systems Inc. (www.forumsys.com), the IT security establishment seems to think that using Secure Sockets Layer encryption or a VPN to protect data being transmitted is all they need to do. If that's what they think, then they're a few years behind the curve, says Swenson, whose company's product addresses XML security directly. Forum's product seems like a good answer to a question IT managers and CIOs should be asking themselves.
Forum's Sentry Server Appliance is an encryption engine targeted directly at XML data going to or from an application. It takes a data stream and selectively encrypts specific data, and even data tags, so it can hide the data description. Someone who's looking for credit card tags using a search string -
The product is quite simple: It's basically a Linux box with Forum's proprietary software. Using the built-in workbench, you can examine the XML structure of a typical transaction and set encryption policy for whichever data elements and tags you wish. The encryption uses Triple Data Encryption Standard, with RSA for key management, so that's not a weak point. Because the product encrypts only what you tell it to, it can process data very quickly.
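The policy-driven, element-level encryption described above can be sketched as follows; this is an added example, not Forum's software or code from the article. Assumptions: the `EncryptedData` wrapper name, the sample order and the policy are constructed for illustration, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the product's Triple DES and RSA key management so the sketch runs on the Python standard library alone.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not Triple DES.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return base64.b64encode(body + _prf(_prf(key, b"mac"), body)).decode()

def unseal(key, blob):
    raw = base64.b64decode(blob)
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), body)):
        raise ValueError("encrypted element was modified or wrong key")
    return _xor_stream(_prf(key, b"enc"), body[:16], body[16:])

def _swap(xml_text, match, convert):
    # Walk the tree and replace each matching child in place, keeping its tail.
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for i, child in enumerate(list(parent)):
            if match(child):
                tail, child.tail = child.tail, None
                parent[i] = convert(child)
                parent[i].tail = tail
    return ET.tostring(root, encoding="unicode")

def protect(xml_text, policy, key):
    """Hide both the tag and the value of every element named in the policy."""
    def convert(el):
        sealed = ET.Element("EncryptedData")  # hypothetical wrapper element name
        sealed.text = seal(key, ET.tostring(el))
        return sealed
    return _swap(xml_text, lambda el: el.tag in policy, convert)

def reveal(xml_text, key):
    return _swap(xml_text, lambda el: el.tag == "EncryptedData",
                 lambda el: ET.fromstring(unseal(key, el.text or "")))

SAMPLE = ("<order><id>1001</id><payment><cardNumber>4111111111111111</cardNumber>"
          "<expiry>12/30</expiry></payment><total>59.90</total></order>")
POLICY = {"cardNumber", "expiry"}  # constructed sample document and policy
```

After `protect(SAMPLE, POLICY, key)`, a search for `cardNumber` finds nothing, while the unlisted `id` and `total` elements stay readable and cost no encryption work.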
