
Michael Waidner
senior manager, Security and Privacy

"Businesses want to know that their systems are secure. We try to consider all the alternatives so our clients can be prepared for the unexpected."

As institute executive of the IBM Privacy Research Institute and senior manager of security and privacy at the IBM Research lab in Zurich, Michael Waidner oversees about 30 researchers who are working in two main areas of security and privacy. Michael likens the two areas of security and privacy research to the practice of medicine, where both preventative action and diagnosis and treatment are essential.

One major topic for Michael’s team is research in cryptography, with an emphasis on how to build systems that enable individuals to control precisely what information is revealed about them in electronic transactions. Michael’s team also researches ways to analyze and improve cryptographic protocols already in use. Such protocols, for example those used for electronic payments or authentication, are often flawed. “You assume that the only way to get into a cryptographically protected system is by knowing the secret key,” Michael explains. “But in reality, there are often many other, indirect ways to break into it.” So there is a need to verify that protocols are as secure as they need to be. Michael’s team analyzes the underlying logic of such protocols, identifies flaws and develops alternative, more secure designs.

Financial services companies and the public sector are primary clients of Michael’s team of researchers, as is the health care industry, where privacy is of utmost importance. Because their clients’ end goal is secure systems, Michael’s team begins at the top level – with that goal in mind – and develops model-driven design techniques to build complex solutions that can be implemented in real systems and give businesses what they are looking for: to know that their systems offer privacy protection and a high level of security.

Michael’s team is also researching how to detect intrusions as early as possible, and how to react to intrusions once they happen. Many approaches to automatic reaction can actually play into an attacker's hands: they may detect an intrusion and shut down the network as a result, which is exactly what the intruder wants. One solution developed by Michael’s team, “Billy Goat,” sets up a system on the network that hosts thousands of unused but real-looking IP addresses. When someone tries to contact an IP address on this system, it can be safely assumed that the contact is not legitimate, and then either a system administrator or the system itself can take steps to prevent the intrusion or catch the attacker.

Michael first became involved in the field of security when he was studying computer science at the University of Karlsruhe in Germany. After reading the first article that introduced the concept of public key cryptography, he was struck by the interesting application of mathematics it entailed and wanted to use his expertise to work on privacy issues. “As a student,” Michael says, “I liked the idea of working on new, challenging problems in cryptography, and at the same time developing information technologies with a very positive impact on society.” Michael became a lecturer at the university, working on and teaching about various aspects of cryptography, security and fault tolerance before joining IBM in 1994.

As developments continue, Michael believes our dependence on electronic information systems will necessitate more dependable privacy and security systems. He explains that one of the important, emerging issues in security is developing the methods and tools to measure the level of security provided by a system, and he compares the problem to building a bridge. “Today we know how to build IT systems, like we know how to build bridges. But unlike civil engineers, we computer scientists cannot really predict how long our systems will stay secure, what it takes to break into them, whether one system is more secure than the other. We still need to develop the models and tools to assess the level of security our systems provide.” To that end, his team works on building systems with predictable, quantifiable security.
