The castle-and-moat era of information security is over: Now it’s described as woven cloth, submarines, onions and Snickers bars. How will CSOs translate nutty metaphors into secure worldwide systems?
CISOs have spent the past few years perfecting the digging of moats around the corporate castle. Now, as they lift their heads out of the trenches, they find themselves living in the age of bomber planes and guided missiles.
The problems with perimeter-based security are neither new nor unclear. Corporate information systems increasingly rely on tools and processes that exist outside the protective embrace of the traditional firewall. Wireless, mobile, remote and ad hoc are the watchwords of today’s business, with employees, partners and customers often using two or three different devices — ranging from laptops to cell phones to kiosks at the local Internet café — to connect to corporate data. And the demand for additional network-reachable resources can force companies to punch more holes in their once reasonably secure perimeters.
There’s no indication that this trend is going to reverse itself. But what defensive model comes next for information security if the perimeter goes away? That question has been the subject of lots of creative speculation. Attend any conference keynote and you’ll likely hear the castle-and-moat metaphor replaced by a litany of other images: cloth weaving, germs and cells, submarine warfare, peanut butter sandwiches, onions, oil and water, and even Snickers bars.
Those metaphors are useful, though they serve only as a starting point for discussion in what has become a very complex information security world. If CISOs are to keep up with the rising tide of threats — from zero-day code exploits to fraudulent insider hijinks — the conversation has to turn to specific, concrete ways to build abstract concepts such as flexibility, agility, responsiveness, redundancy and diversity into the infosec defence model.
Think Before (Re)Acting
The fundamental first step in reworking information security is to clear your to-do list and make room for architectural and strategic rethinking. Experts say the rate of technological and regulatory change makes that rethinking tougher than it sounds, but today’s disappearing perimeter makes a little think time crucial.
“So many of our security practices assume we have one static and controllable security architecture,” says Richard Baskerville, chairman of the CIS Department at Georgia State University. “[But] your boundary is now logical; it’s no longer a physical perimeter,” he adds. “And that sucker can snake out all over the place” — particularly in a world where Web services will begin connecting networks autonomously. “CSOs will soon need agile practices to manage many interconnected and changing security architectures simultaneously,” says Baskerville. “It’s more like managing security threads woven together into a fabric. Each thread must be strong, and the fabric weave must also. The security manager is constantly reweaving new threads. [For instance,] a policy review might occur on the fly as part of a security response to a network reconfiguration. Similarly, a security architecture review may be rapidly required to certify a new [virtual private network] connection to a trading partner.”
Those threads can become a management nightmare, however. With new technologies coming online every day, keeping security policies in line with technical reality can resemble swatting bees — while sitting in the middle of a swarm. Dial-in networks with highly secure dial-back boxes have been replaced by broadband connections all running through Port 80 — a port necessarily left open on most firewalls. Coaxial cable connections have made way for wireless. And hackers refine their tools every day.
Tracking these developments is a must, yet it carries a subtle downside: It can so distract CISOs that they fail to develop an overarching, active approach to security that can cover all contingencies. Even government security mandates, which provide guidelines for a corporate security model, can contribute to the problem. CISOs can get bogged down in compliance with the regulation of the day rather than keeping an eye on the big picture.
“It is tempting to look at the strategic models as recipes for security success when they are really best used either as a checklist to ensure that a company’s strategic security plan isn’t missing important elements, or as a benchmark for strategies and policies,” says Amy Ray, trustee professor of computer information systems at Bentley College.
“The key is to get out of a reactionary security position [where you] focus on patching existing systems only, without looking at security as a competitive weapon, and into a proactive security position where security investments are prioritised based on a strategic understanding of the architecture and use of information systems,” says Ray. But, she confesses, “such a change in thinking isn’t easy, especially for companies facing compliance issues”.
Making that strategic shift may not require a complete reorganisation of existing security management and infrastructure, however. Instead, adding a few key pieces could make all the difference. “The traditional paradigm for information systems security has been centralised and hierarchical and based on control — as it should be,” says Baskerville. “You have to be able to control these systems. But that paradigm is increasingly out of sync with decentralised information resources, many of which the organisation has limited ownership or control over.”
Given that situation, he suggests, information security organisations must consider creating two groups of security professionals: one that deals with traditional, centralised information resources, and another, a security skunk works that lives on the borders of the organisation, where creativity and innovation are valued more than rigid structure. (See “Sniffing Out a Skunk Works”.)
Metaphors R Us
Another part of the shift promoted by several experts involves a complete change in how security organisations view their efforts. “You cannot protect every house in the nation, so you create a border to the country,” says Elad Baron, CEO at security provider Whale Communications. “The problem [with information security] is that you need lots of access, not just minimal access through those borders. There is still a perimeter, but you need to switch the paradigm from preventing everything to allowing secure access from anywhere.”
Charles Palmer, head of security research at IBM, agrees that tipping today’s model on its head makes sense. “Try to write down how many people have access to your house. You can do it because there are a limited number of people to whom you have given access rights,” Palmer says. “If you walk into my house and you don’t punch in the magic code [on my alarm system], you obviously shouldn’t be there.”
Today, however, many security systems attempt to keep a list of everybody who shouldn’t be inside corporate walls — and that will never work, says Palmer. With new people being born every day and yesterday’s good people sometimes going bad, “you are never going to have a complete list”, he says.
Such a shift in approach will require some technological changes, of course. Whale Communications promotes secure sockets layer virtual private networks and related tools as steps along the path to universal secure remote access. And today’s identity management systems certainly can solve part of the problem, but ultimately, security needs to be intrinsic in every system and every user in order to maintain control and keep the bad guys at bay. If everyone carried their security with them, any connection they made would be automatically more secure. And new technologies on the horizon could make that model a practical reality in just a few years.
“I think the model that you need to go to is security technology that’s identity-enabled,” says Bernie Cowens, vice president of security services for Rainbow eSecurity. “You may have something like a key that fits on a key-ring; we’re all used to that paradigm. We have this key; we can plug it into this PC or my PDA or my workstation at home,” says Cowens. “When you’re using hardware or a smart-card-based technology, we have a higher assurance already because we’re not relying on a password.” Better yet, Cowens adds, people have much experience protecting physical keys. “That’s the beauty and value of hardware — you know when it’s gone,” he says. “And people are used to protecting their car keys or their house keys.” And while many people tape their passwords to their monitors on a regular basis, very few would consider taping their house keys on the front door.
IBM’s Palmer touts an even more encompassing approach proposed by Trusted Computing Group (TCG), an industry organisation consisting of IBM, Microsoft, Intel, Sun and many others. Under TCG’s plan, most computing hardware would contain a chip that would allow for simple, secure authentication. “The idea is to come up with this chip, this little island of trust that will make you feel better,” says Palmer. “It’s not just a place to store your passwords; it can use cryptography to do mathematical proofs about who you are. So you put some secrets in this little chip and do the mathematics to say: ‘This is Charles’s laptop.’” The chip could also perform even more functions, such as securely identifying what machine produced a given word-processing document or e-mail message. (These same features, of course, have caused some observers to decry TCG’s potential to limit privacy and free-speech rights.)
Tools such as these, however, lead to a different security metaphor, in which the model begins to look less like a brick wall surrounding a city, and more like oil and water on a sheet of glass, where the oil drops represent untrusted connections. When water drops touch, they instantly merge, each drop intrinsically containing the properties necessary to have it combine seamlessly with other trusted resources. Oil drops, meanwhile, can’t make the connection, leaving them on the outside looking in. The model also makes sense when you consider internal threats: The technology that allows for secure outside access could do the same for internal employees.
Back to Tech
Meanwhile, Palmer says, other technologies will enhance security on a more granular level. One possibility includes having applications come complete with descriptions about what normal behaviour looks like, allowing monitoring systems to easily identify potential attacks.
This approach to perimeter security will become critical as Web services get more pervasive. John Dias, senior security analyst at the US Department of Energy’s Computer Incident Advisory Capability, says Web services has the potential to allow very complex applications to inhabit systems simply by coming through Port 80. That means more risk — risk that Dias would like to see mitigated by tools that check the validity of Web services applications at the perimeter.
Dias is part of the Organization for the Advancement of Structured Information Standards’ working group developing the Application Vulnerability Development Language (AVDL), which would allow applications to tell AVDL-compatible firewalls what kinds of behaviour to allow — and what to stop in its tracks. “That approach is going to be more effective for what’s going on today,” he says.
Mike Rider, professor of electrical and computer engineering and computer science at Carnegie Mellon University, envisions a time when security looks less like a wall of bricks and more like a wall of organic cells, full of diversity and redundancy, and naturally designed to fight off attackers. A similar concept underlies the (controversial) paper recently advanced by security luminaries such as Dan Geer and Bruce Schneier.
“How do biological systems survive? With lots of cells, all diverse,” says Rider. “They don’t all share common vulnerabilities. [You could] apply these techniques within computer systems.” Rider says Carnegie Mellon is doing research on systems that redundantly check each other for the results of possible attacks, similar to what happens in modern fault-tolerant computing.
Diversity, however, gets more complicated. Instead of shipping millions of copies of identical applications, software providers could make minor, random changes in each, modifying their profile (but not their function) just enough that exploits would affect only a small percentage of the total.
It’s an intriguing idea, but one that Rider confesses needs more investigation. Patching, for instance, becomes a much more complicated issue if every executable on the planet is slightly different.
Reality Check, Please
All these technologies and ideas sound intriguing in theory, of course, but James Christiansen, CISO at credit and financial service provider Experian, says it is critical that researchers and vendors not miss the point. Such esoteric solutions may solve only 1 percent of the problem, when the real issue isn’t disguising application signatures but a contractor downloading data to a laptop, only to have the whole thing stolen (as happened to Wells Fargo).
“Let’s walk before we run. Let’s look at the big things first,” says Christiansen, who has done a fair bit of thinking and writing on the subject of what he calls resilient security. At his previous post as CISO at General Motors, Christiansen managed information security needs across GM’s diverse units, which include manufacturing and financial businesses spread across the globe.
To Christiansen, the perimeter model is incomplete but not useless. “If I could put a lock on individual bits, that would be ideal, but that’s unreasonable,” he says. Christiansen believes the right infosecurity model should look more like a Snickers bar, with a thin outer layer surrounding both insecure goo and hardened nuts. “We’ve gone from a single perimeter to multiple internal perimeters,” he says. “Moving security closer to the information you’re trying to protect is how you win the game.”
Other experts concur that perimeter security — in some form — may always have a place in the CISO’s mind. “Physical barriers to communication continue to dissolve, but managers are responsible for protecting information that they either own or for which they have custodial responsibility,” notes Bentley College’s Ray. “While an increasing amount of information is shared outside corporate perimeters, the most valuable information is still maintained internally for most companies — budgets, software and product designs, information about competitive business processes, and so on. Perimeter defence plays an important role in protecting this information.”
Yet while the term may never go away completely, there’s no denying that the idea of the perimeter must change — and soon — if organisations are to have any hope of staying ahead of the threats. “The perimeter is the world,” says IBM’s Palmer. “That’s what’s driving CSOs insane.”
Sniffing Out a Skunk Works
Infosecurity teams can garner creative ideas from the front lines of business.
Putting a highly structured, centralised security organisation on the front lines of the information security battle is akin to putting a battleship to task against a million speedboats with blowtorches. Holes will appear. Sinking will ensue.
The best way to deal with the versatility and creativity of the attackers, say some experts, is to create your own flexible, innovative group — or skunk works, if you will. Such groups will become increasingly crucial as companies begin using technologies such as Web services, which involves the combination of new tools with the potential for disaster if secured improperly, says Richard Baskerville, chairman of the CIS Department at Georgia State University.
Baskerville explains that such teams need not be expensive. “You don’t need — and it’s unlikely a CSO will be able to justify — a full-time team immediately, maybe even ever,” he says. “But a virtual skunk works is an intermediate strategy. If you have the right folks on staff, they can be assembled into a team as a temporary skunk works and then return to normal duties when finished.”
James Christiansen, CISO at business and credit service provider Experian, agrees. It’s important, however, to both hire the right people and to create a work environment that supports innovation. “Motivated people who are imaginative are usually knocking on my door with solutions before I’m thinking about them,” Christiansen says. “It’s all about the magic of motivation. You can’t be seen as a deterrent.”
“It’s similar to a CERT or a [disaster recovery] team, only the purpose is to anticipate newly opened vulnerabilities rather than recover from them,” Baskerville says. The key, he notes, is keeping properly creative and intelligent people happy whenever things are running smoothly. “The tricky part of managing this potential is finding the kind of challenging tasks that will keep such people interested from day to day,” he says.