New worlds


Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. Permissions may be sought directly from Elsevier Rights & Permissions Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, e-mail: [email protected]. You may also contact Rights & Permissions directly through Elsevier’s home page (http://www.elsevier.nl), selecting first ‘Customer Support’, then ‘General Information’, then ‘Permissions Query Form’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (978) 7508400, fax: (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) 020 7436 5931; fax: (+44) 020 7436 3986. Other countries may have a local reprographic rights agency for payments.

Derivative Works

Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the publisher is required for resale or distribution outside the institution. Permission of the publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage

Permission of the publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Contact the publisher at the address indicated. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publisher. Address permissions requests to: Elsevier Rights & Permissions Department, at the mail, fax and e-mail addresses noted above.

Notice

No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Subscription orders + payments 155 / $174 for 6 issues from Elsevier, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK. Tel: +44 (0)1865 843181: Fax: +44 (0)1865 843971. Prices include airspeeded delivery worldwide. Prices valid to the end of 2004. Periodicals postage is paid at Rahway, NJ 07065. www.compsecoline.com Distributed by Mercury Intl. POSTMASTER send address corrections to: Refocus, 365 Blair Rd, Avenel, NJ 07001, USA Free circulation enquiries: Tower House Sovereign Park Market Harborough Leicestershire LE16 9EF Tel: 01858 439612 Fax: 01858 434958 E-mail: [email protected]

The opinions expressed by authors in this journal do not necessarily reflect those of the Editor, the Editorial Board or the Publisher. Although every effort is made to verify the information contained in the articles, accuracy cannot be guaranteed. Printed and bound in the United Kingdom by Headley Brothers Ltd, Ashford, Kent. Periodicals postage is paid at Rahway, NJ, 07065. Postmaster send address corrections to: Information Security Technical Report, 365 Blair Road, Avenel, NJ 07001.

New worlds

It's easy to be cynical about anything that declares itself to be 'new'; even more tempting to glaze over when people say "it's a whole new world". No one wants to be caught out like green Miranda at the end of The Tempest: "Oh brave new world that has such creatures in it!" she cries, as the audience smiles at her naïveté; for we have seen these mortal men to be less than wondrous.

And yet, as information security gets to be middle-aged and world-weary, there are new contexts emerging that do change the rules. New legal and regulatory regimes. New species of malware. New hardware platforms that promise trustworthy computing. New web-based ways of delivering software as a service. And so on. Compsec 2004, the sister conference to Infosecurity Today, addresses many of these 'new rules, new threats'. But that is enough of a plug for our own event.

In this issue, SAP's Chief Security Officer Sachar Paulus argues that, as we move to a world of web services, with inter-company collaboration routinely breaching any firewall, we need to move beyond the perimeter paradigm in security. He is hardly the first to say this, of course, but it is reassuring that the 'Microsoft' of the enterprise is attending so closely to security. For it is precisely the big enterprise apps that will loom large as tempting targets in the near to mid future.

Eric Doyle explores the technicalities of securing web services in his feature 'Web services need trimmed edges'. The environment he depicts is a fast-changing one, where security weak spots are being discovered too quickly for most developers to react. This piece touches on the difficult issue of getting developers to buy in to coding securely.

Computing hardware is on the cusp of a qualitative change in the name of security. The ambition and scope of the Trusted Computing Group has massive, as yet ill-understood, implications. What will it mean for the fair use of electronic content? What will it betoken for Open Source — to which it seems to be inimical? Sarah Hilley investigates these questions, and others, in this issue's feature on trusted computing; and the president of the Trusted Computing Group, Jim Ward, proselytizes on page 42.

But, as always with security, it is never just a matter of bits and bytes. When 10 new countries, most from the former Warsaw Pact, joined the European Union on 1st May, it meant a big expansion of the zone covered by the EU's data protection regime. The old EU was always a patchwork — with different countries having distinct security and privacy cultures. But the landscape now is even more quilted. Steven Mathieson explores these issues, from España to Estonia, in 'Data protection in the new Europe'.

So, new worlds evolving to provide a challenging environment for the traditional IT security industry. Can it adapt and prosper?

Brian McKenna, Editor [email protected]

Infosecurity Today July/August 2004

Publisher’s Note


Photocopying


ISSN 1742-6847 © 2004 Elsevier Science Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Science Ltd, and the following terms and conditions apply to their use:
