Driving Security Infrastructures
The following is a companion article to "IT Security Coming of Age" published in the August, 1998 issue of Sys Admin, which describes a suggested model for a security infrastructure. This article provides additional background for readers who may not be familiar with some aspects of security developments.
Before developing a security infrastructure, it is important to consider the different facets of groups that would be involved in an organization's overall security outlook.
Smaller organizations do not tend to focus on security, however, it is equally important there. The organization should establish groups responsible for the physical security of the surroundings; a group for developing and enforcing corporate policies, and finally an information security group. It is necessary for these groups to have a close working relationship in order for the successful development and implementation of a security architecture.
Consider the following relationships:
Corporate Security - is responsible for the development of corporate policy regarding security of the corporation's property, intellectual property, and the enforcement of these policies. This group is typically also responsible for conducting investigations within the company and interfacing with the legal agencies when needed.
Systems Security - is responsible for developing and implementing policies at a systems level. This group is responsible for providing the users, developers, and systems staff with the tools needed to provide a safe network, which is hopefully difficult to penetrate, and safe from viruses and other related problems.
A solid security infrastructure must consist of several pieces, not all of which will be discussed in this article. First, the corporation must be committed to securing and protecting its intellectual property. Second, it must make some decisions about what constitutes that intellectual property, who they want to protect it from and why. These decisions will form the basis for a series of security policies to fulfill the organization's information protection needs.
The security policy is the primary building block for any information security effort. The policy sets out how the employees will operate, how incidents will be investigated, and how management will react. Policies are used to establish the operating procedures for such things as user account creation, privileges, risk analysis, investigations, and discipline. There are some extremely good reference materials on developing security policies. However, less than 50% of companies have taken the time to design, write, and implement them.
However, writing the policies is only part of it. Aside from developing the technical capability of implementing these policies, the organization must remain committed to them, and include regular security audits, and other enforcement components into its operating plan. This can be likened to installing a smoke alarm: if you don't check the batteries, how do you know it will work when you need it?
There are many reasons why a corporation should be interested in developing a security architecture. These include:
Over the past ten years, industry has experienced significant changes in the business environment. Many global companies and smaller ones as well, constantly struggle to establish a place in new markets. Globalization means expanding the organization's networks and computing facilities (to support marketing, sales, and support staff) to places that your organization has never operated before. This is often complicated due to cost and the available technology outside North America. In addition to geographic and time barriers, corporations are faced with cultural, legal, language, and ethical issues, all of which impact the deployment of a security architecture.
In this time frame, we have also seen a drive toward electronic exchange of information with suppliers and customers. In the last few years or so, electronic commerce has emerged as a way of conducting business. Although many consumers have not embraced electronic commerce, for many businesses, it is the only way to interact with their customers and suppliers. Today we are not only working to conduct more business electronically, but we are storing more of our corporation's history, technology, strategic information, and other intellectual property online. In fact, there has been a 323% increase in the number of reported intellectual property loss incidents. Au: Since what year?? -editor
The competitive environment in which we operate has forced today's companies to seek efficiencies in order to drive product costs down. One of the results of this activity was outsourcing of non-core activities, including support for legacy systems and the use of contract personnel rather than full-time employees. This creates other problems including those of company loyalty, which will be discussed later in this article.
The mobile user community reflects the desire to get closer to our customers for improved responsiveness (e.g., automated sales force). Additionally, legislation and the high cost of real estate have played a role in providing employees with the ability to work from home. The technology is there, why not? The result of all these trends is that information is no longer controlled within the confines of the data center, thereby making it easier for the information to be accessed, and less likely that this access would be noticed.
Firewalls provide the perimeter security necessary for today's organizations. However, much of the risk comes from internal or connected sources, and not from the external network. The FBI estimates that 1 out of every 7 employees is actively working against the company. That doesn't mean stealing pens. It means that they are actively seeking ways to defraud or otherwise cause the company other financial, legal, or public relations damage. In fact, employees commit 77% of the crimes against their own employer. Au: According to what source? -editor
Once the organization recognizes that the risk comes both from inside and outside the corporate network, the corporation can exert its forces into the development of technologies to protect its intellectual property. As one legitimate user community after another has been added to the network, it is necessary to identify who can see what, and provide a method for doing so. This forces companies to look more seriously at mechanisms like single sign-on and privilege management systems.
Most companies have taken measures to address many of the external exposures, such as hacking and inadvertent leaks, but the internal exposures, such as industrial or economic espionage, are far more complex to deal with. If a competitor really wants to obtain valuable information, it is easier and far more effective to plant someone in the organization or locate a business partner who knows where the information can be found.
Traditional Security Solutions
For some corporations, the migration from a mainframe to a workstation-computing model caused no end of administrative problems. Within the mainframe computing environment, the ability to control access to the physical machine, and the data it contained, was a benefit.
As workstations and client/server computing became the way to get work done, a new security model had to evolve. The resulting model used by many companies was based upon a "moat" approach, where the installation of a firewall provided protection against unauthorized access. Bear in mind, that few corporations either knew about firewalls, or recognized the need to separate their network from another network. For those corporations that did, the most common firewall was an air gap: the total lack of physical network connectivity. In fact, in some situations, the air gap is still in heavy use.
Many organizations also took the view that all of the information on the corporate network should be freely available to all employees, contractors, and other personnel who accessed the network. With this open approach, users are totally dependent upon the availability of network level protection, such as encrypted sessions and other similar services to provide adequate protection.
The consequence that many organizations have witnessed with this model is that few internal applications and services made any attempt to operate in a secure fashion. As the number of external organizations connected to the corporate network has increased, the likelihood of the loss of intellectual property has also increased. With the knowledge that the corporate network and intellectual property was at risk, a new infrastructure was needed to address the external access and internal information security requirements.
The New Security Infrastructure
Security measures that are an encumbrance to the user community inevitably get circumvented. For security measures to work effectively, they must be built into operating procedures and practices in such a way that they do not represent an "extra effort". The moment these security measures are seen to impact information flow, system functionality, or efficiencies, they will be questioned, and some users will seek ways to avoid them in the interest of saving time or effort. Consequently, the infrastructure must be effective, yet virtually transparent to the user.
Once data has entered the system, it must be assumed that it may be input to one or more processes. It is becoming impractical to control the use of all data elements at the system layer. Therefore, any data that is considered sensitive, or can only be "seen" by a particular user community must be appropriately protected at the point of entry to the network or system and, most importantly, wherever it is subsequently transferred. The impact of this statement is not terribly clear. As the information is developed or created, the owner of that information must make certain decisions regarding the sensitivity of it:
These types of questions allow the information owner to classify the information. The more sensitive the information is to your operation, the more likely it should be encrypted and protected through a strong backup system, as well as contingency and recovery procedures.
A centralized security administration system facilitates numerous benefits both in terms of efficiency and consistency. Perhaps the most significant advantage is in knowing who has access to what and that if access privileges are to be withdrawn, it can be accomplished for all systems expeditiously.
Clearly, it is not economically feasible to rewrite existing applications or replace existing systems; therefore, an important aspect of the security architecture must be the ability to accommodate the existing infrastructure. Along the same lines of thinking, the size of the existing systems and the population using them precludes a one-time deployment plan. A modular approach is an operational necessity.
The solution to the information security problem must be closely tied to the information that is to be secured. In other words, it is more effective to consider attaching to information a label containing instructions about who can access the data, what they can do with it, and how it is to be disposed of. It is highly desirable to have one, global user authentication and authorization system or process, a single encryption tool, and digital signature methodology that can be used consistently across the corporation for all applications. Authenticating the user at the point of access to the network does not necessarily address the authorization criteria. This means that the authentication mechanism may prove that you are who you say you are but does not dictate what information can be accessed and what may be done with it.
This introduces to the point of auditability. It is a requirement of the infrastructure to be able to identify what changes were made to a particular object, who made those changes, and when were they made. Through auditing then, a reactive investigation can take place thereby leading the investigator to the details of why it happened, and taking whatever action is deemed necessary.
The infrastructure must provide a means to allow users to properly protect their information based upon the classification that was previously assigned. For example, a company may choose to classify its information as proprietary, confidential, and restricted. Each of these classification types will bring with it certain rules regarding how it must be handled, who can access it, and how it must be stored. It is not the intent of this article to discuss in detail a classification system, and the tools to implement it, but rather to highlight that the infrastructure is dependent upon the corporate policies.
Given the inter-enterprise electronic information exchange trend, we can no longer be certain that the data entering the corporate systems is properly protected and stored at the points of creation. Data that is submitted from unsecured areas represents a number of problems, primarily related to integrity, the potential for information to be modified (e.g., the possibility of the terminal device being "spoofed", collecting data, modifying it, and re-transmitting it as if from the original device), and confidentiality (e.g., "shoulder surfing"). The latter is a concern that has increased significantly with the advent of portable devices. Data kept or left in unsecured areas could be found in many forms (e.g., on a portable PC hard disk, a diskette, tape, etc.). The opportunities to modify or destroy data, or to store virus or Trojan Horse code, are concerns that need to be addressed.
At the same time though, the infrastructure must be designed at the conceptual level using the business processes and needs, and not driven by the available technology. The adage that "the business must drive the technology" is especially true. If the infrastructure designers are seduced by the latest and greatest technology, you will never know when you have something that works, because you will be constantly changing it. To make matters worse, since the users won't know what the flavor of the week is, they will simply refuse to use it.
The Impact of Legislation
Unfortunately, we cannot ignore the impact of government in our infrastructure. In some way or another, domestic and foreign policies regarding what we can and cannot use affect us. Consider one of the major issues today regarding the use of encryption. The United States limits the export of encryption to a key length; whereas other governments, such as France, restrict the use of encryption unless they have a key to decrypt the information.
Governments also impose import and export restrictions upon corporations to control the movement of technology to and from foreign countries. These import/export regulations are often difficult to deal with, partly due to the generalities in the language the government uses, but they cannot be ignored. Doing so may result in the corporation's inability to trade with some countries, or losing its ability to operate.
The FBI has a detailed list of technologies and information that is actively sought from corporations and research agencies. This list includes:
This list is by no means extensive or completely inclusive. It is included here to highlight that many technology companies are involved with these technologies to one degree or another, and our infrastructure must include ways to protect the information that is being actively pursued.
Finally, every contract and relationship that is negotiated with information suppliers may also include controls on who or where the information may go. For example, if you buy source code from an application vendor for inclusion in your product, your license agreement for that information must define where you can and cannot send it. But third-party licensing extends to more than just code inserted into an application. Many large corporations negotiate software site licenses, which preclude sending applications to specific countries. Consequently, the infrastructure must allow the corporation to adhere to those restrictions.
About the Author
Chris Hare is the Manager, Security Operations for a major telecommunications and data network supplier. He was previously with iSTAR Internet (now PSINet Canada) and Choreo Systems Inc. He has a broad background including more than 10 years in system administration, UNIX, programming, training, security and technical management. He is the author of numerous articles published in Sys Admin magazine and co-author of several books including Inside UNIX, Internet Firewalls and Network Security, and the Internet Security Professional Reference. Chris lives in Ottawa, Canada, and can be reached through email@example.com.
© 2002 CMP Media Inc. All Rights Reserved.