Solving the Web Security Challenge

Friday, August 24, 2007

The Web, for better or worse, has arguably become the equivalent of a massive public agency. It is the repository for consumer information and services of the most sensitive and important nature, ranging from medical records to financial investments.

Web-based services are supplanting traditional desktop software at a blinding pace, taking over terabytes of personal data in the process. Unlimited e-mail storage and Web 2.0-style start-ups will accelerate that trend even more.

Yet access to those massive and indispensable resources is generally gated by a handful of large, profit-driven corporations. Microsoft, Google, Yahoo, America Online and other leading companies have largely built the services that much of the world has come to rely on in everyday life, making them, in effect, the guardians of our most sensitive information.

Which raises an obvious question: Is that a good idea? The most disturbing answer, if history is any guide, is that we may not have much of a choice.

It’s disturbing on many levels, but mostly because the industry is basically making up Web security as it goes along. As security executives from Microsoft, Google and Yahoo attest, the companies are in many cases adapting standard desktop security techniques to new Web applications. Sometimes that works; sometimes it doesn’t.

“Data is now available online, all the time,” said Billy Hoffman, lead researcher at Web security specialist SPI Dynamics. “It’s a great big target.”

Hoffman’s job is to understand where Web security breaks down. The way he sees it, the Big Three Web properties are doing a fairly good job with security, at least on the server end of the equation. The wild card is what happens to that data once it leaves the Googleplex, travels across the network, and gets cached on users’ desktops.

Since 1999, more than 90 percent of all documents have been produced digitally; more than 42 percent of all U.S. Internet users have Web-based banking services; and more than 160 billion e-mail messages are sent daily, according to computer services firm CSC and other sources. As the data piles up, it becomes harder to secure bits flowing between servers and desktop Web applications, not to mention the additional complexity of mashups and other Web 2.0 technologies. Simultaneously, attacks are on the rise.

The bottom line is that we’re entering unexplored territory where an unprecedented number of people depend on a growing number of relatively new applications, some built with still-evolving technologies, to handle enormous amounts of personal data fragmented across a multiplicity of servers and networks worldwide. Against this daunting backdrop, and amid concerns over corporate control, calls for some kind of independent oversight are inevitable.

“We have information on security practices out there. The disconnect is that we don’t have an intermediary that says how these things apply to you as you build Web 2.0 or other applications,” Hoffman said. “Will a nonprofit or some other group arise that tries to publish standards? Probably. We definitely need a central clearing house of good information, because there is a lot of bad information out there.”

Continue reading article on News.com



 
 