Security a booming career? You bet!
The rise of the Internet has made security expertise more marketable than ever
Network, data, and communications security has always been important for business computer systems, but the huge growth in internetworking -- the Internet being the chief example -- has made security expertise more important and more marketable than ever. Our Career Advisor describes the various aspects of this growing field. (1,400 words)
This month a reader letter inspires me to launch into a little talk about security -- a burgeoning field that holds interest for corporate chiefs and individual users alike. Please be advised that I only touch upon what is a complex, ever-advancing field. For more specifics, check out the links at the end of this article.
I am a Software Engineer with more than five years experience working primarily in object-oriented development. Recently, I have become intrigued by the Internet and the rapidly advancing field of network security. It seems like a very broad discipline. What comprises this field of study and does it represent a lucrative career path?
Signed, Seeking Secure Advice
The recent phenomenon of open systems, networking, and the Internet has opened up whole new career paths in security. Whereas the Internet was once used as a means of passing around mostly unclassified government and academic information among a limited number of users, it is now used to conduct business securely for a global audience of possibly tens of millions. Wiring corporate systems into external networks has always put internal data at risk. As even Microsoft is realizing, the real future of computing is moving away from the isolated desktop and into the wide open systems of the Internet. For digital money to change hands, corporations to pass information among far-flung offices, or even managers to be sure who, inside the company's walls, has access to what data, secure systems must be in place.
The security gurus at Pencom System Administration (PSA) tell me that the art of protecting data and securing networks against attack encompasses a wide range of disciplines. A comprehensive security policy for a complex system requires programmer types for the software products, systems administrator types for the setup and maintenance, and architect types for the overall design and policy. The entire field of security is often broken into two categories: host security and network security.
Strong, security-conscious companies today look for skilled talent that understands the need for solid procedures of authentication and authorization to protect the data on host machines. Authentication attempts to prove identity, ensuring that the person requesting access is who he/she claims to be. Authorization concerns itself with the different data elements within a given database, as different users are generally provided varying degrees of access. For instance, certain employees may be able to read the general account information, while only managers can access the salary information from the same database.
For many security specialists firewalls represent the fundamental structure of a host's security system, standing guard between the network and the protected system. It is a blocking mechanism which filters certain traffic according to a security policy. It is tuned to block or permit a variety of different data types -- such as telnet, ftp, or certain IP addresses. A good firewall will filter the information flowing from the inside out as well as from the outside in.
Although firewalls are traditionally a hot area in the field of security, they are becoming more and more standard -- many good firewall products these days are making the implementation and maintenance almost turnkey. Accordingly, hiring managers have been telling us that it is making less sense these days to have an engineer in-house who is solely a firewall expert.
On the network level, it is assumed that the channel is insecure, requiring information to be protected against interception, or encrypted, or both. This is done primarily through the use of secure protocols. Encryption, the process of encoding a set of data so that it may only be read by intended recipients with a unique key, is used on virtually all levels of security systems, from password verification to protocols.
Public key encryption systems allow users to establish a private session key that allows an individual to encode and send information over insecure channels. Pretty Good Privacy (PGP), developed by Phil Zimmerman, uses this technology. Each person has mathematically related public and a private keys. The public key is published in the database equivalent of a phone book. To send a message, Bob looks up Alice's public key and uses it to encrypt a message that then only Alice can decode using her private key. Encryption systems are based on sophisticated algorithms and the specialists in this field are skilled mathematicians.
Hiring managers emphasize that a major part of a security expert's job involves watching and waiting. Once characters like Kevin Mitnik are caught, they ironically benefit the industry at large, as they expose the true weaknesses of a system. But the only way to catch him is to have a sophisticated auditing system which logs, tracks, and monitors all data movement. Then, with a little detective work, the transgressor's moves can be reconstructed and the faults of the system revealed.
In most of the companies we work with today, there are two basic levels of security specialists: those who implement the technology and those who set the policy. The implementors maintain the system and keep the logs. Systems and Network Administrators are generally best suited for this task of supporting firewalls and keeping watch.
The highest salaries and the real leading-edge work in the field is being done by those who set the policy. These types are generally systems architects -- they must know how the system is designed as well as be able to understand most of the underlying software. This position requires risk analysis, policy application and security system implementation.
Future challenges to security
The best Security Specialists we work with make it clear that security is a constantly expanding field that includes more and more aspects of hardware and software. When distributed code across insecure networks (i.e., Java on the Internet) becomes the norm, security professionals will be required to redouble their efforts. It is one thing to be wary of intruders, theft, and the falsification of information, and another thing altogether to allow executable code through the gates and into the system. Although the designers of Java attest confidently to the built-in security aspects of the browser and the language, one must always be on the lookout for wily viruses and Trojan Horses coming in through other paths.
As mentioned above, there are many levels to a good security system; however, cryptography represents one of the fundamental building blocks and spans them all. Currently the export from the U.S.A. of strong cryptography is limited by the U.S. government, which prohibits the export of systems with a key length over 40 bits. This, the 40-bit key length, as Wired writer Brock Meeks says, is "the digital equivalent of a Captain Crunch decoder ring."
Forty bits is simply too short to be fully secure. It is certain aspects of the public key system (the reverse signing of keys) which hold the most promise for a future system of anonymous digital cash. Without strong cryptography, international electronic commerce may never come to the Net. But demand will invariably drive the development of more secure systems and political forces will hopefully recognize their importance. As this field flourishes and with deeper levels of complexity and priority, the career possibilities will follow.
If you have technical problems with this magazine, contact firstname.lastname@example.org