Off the Cuff: Combating the plague of insecurity
By Peter Coffee, March 1, 2000 2:14 PM ET

REDMOND, Wash. -- While meeting Tuesday morning with PC Week's Corporate
Partner advisory board and a team of Microsoft's Windows 2000 security
engineers, I suddenly found the words to describe the fatal flaw in almost
every current approach to securing our enterprise information systems.
Coincidentally, in the month just ended, the publication of an MIT PhD
thesis gives us an opportunity to look at new ways of closing this
enormous gap in our defenses.
Most security solutions have no power to guard against the acts of
authorized users. It may seem self-evident that authorized users are the
clients, not the targets, of information security technologies, but fraud
and abuse are most often committed by persons authorized to access or
modify data as part of their jobs.
If you've already spent, hypothetically, a million dollars protecting a
system against intrusion or attack, and someone offers to double your
security budget, it's far from clear that the added million dollars should
go into added protection against outside threats. The unmitigated risks
are more likely to lie within, but how can one reduce them?
On the Internet, information risk is a paradox. There is risk in
aggregation: A person who steals 100,000 credit card numbers in a single
act is a bigger problem than a person who steals a wastebasket's worth of
carelessly discarded receipts. But there is also risk in isolation: A user
may be able to frame a query about average salary for a group of
employees, defining group criteria so that a single employee's salary can
be deduced from the results -- even though the inquiring user is not
supposed to have access to other individuals' information.
The fleas on the rats
It's a losing battle to attempt the containment of information risk by
application- or component-focused campaigns of design review and source
code audit. To do this, as I said in our meeting at Microsoft, is to try
to keep track of the fleas on the rats that carry the plague of
insecurity.
The owner of a system must be able to articulate policies such as, "A
user may not issue a query that returns a result set (or its statistical
aggregate) that includes the salary field but has only one member."
Policies must be relatively few in number and automatically applied across
entire populations of applications and users -- as opposed to present-day
reliance on every link in every separate chain of data, application and
user privilege configuration.
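The isolation risk described above (a group defined so narrowly that one person's salary falls out of an "average") and the policy just stated ("no result set or aggregate that includes the salary field but has only one member") can be enforced at a single chokepoint rather than in every application. The following is an added example, not code from the column or from any product it mentions: a Python wrapper over a constructed in-memory SQLite table that counts the rows matching the caller's group criteria before it will compute any aggregate over salary. The table contents, the column names, the MIN_GROUP_SIZE threshold and the ALLOWED_FILTERS whitelist are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the column):
# (name, dept, site, salary). "legal" has a single member, and only one
# engineer sits at the austin site, so both are one-member groups.
EMPLOYEES = [
    ("alice", "engineering", "redmond", 120000),
    ("bob",   "engineering", "redmond",  95000),
    ("carol", "engineering", "austin",  105000),
    ("dave",  "finance",     "redmond",  88000),
    ("erin",  "finance",     "austin",   91000),
    ("frank", "legal",       "redmond", 150000),
]

# Hypothetical policy parameters: the column's rule forbids a one-member
# group, so any aggregate over fewer than two rows is refused.
MIN_GROUP_SIZE = 2
# Columns a caller may use as group criteria (assumed whitelist). Column
# names are interpolated into SQL only after this check; values always go
# through bound parameters.
ALLOWED_FILTERS = {"dept", "site"}
ALLOWED_FUNCS = {"AVG", "MIN", "MAX", "SUM"}


class PolicyViolation(Exception):
    """Raised when a query would let an individual's salary be deduced."""


def open_db():
    """Build the in-memory table the example runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (name TEXT, dept TEXT, site TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def _where(criteria):
    """Turn {column: value} group criteria into a WHERE clause plus params."""
    for col in criteria:
        if col not in ALLOWED_FILTERS:
            raise ValueError(f"filtering on {col!r} is not permitted")
    clause = " AND ".join(f"{col} = ?" for col in criteria)
    return (" WHERE " + clause if clause else ""), tuple(criteria.values())


def salary_aggregate(conn, func, criteria):
    """Compute func(salary) over the rows matching criteria.

    Returns (member_count, value). The group size is checked before the
    aggregate is computed, so the policy applies to every caller of this
    function regardless of which application issued the request.
    """
    if func not in ALLOWED_FUNCS:
        raise ValueError(f"aggregate {func!r} is not permitted")
    where, params = _where(criteria)
    (count,) = conn.execute(
        f"SELECT COUNT(*) FROM employees{where}", params
    ).fetchone()
    if count < MIN_GROUP_SIZE:
        raise PolicyViolation(
            f"{func}(salary) over {count} row(s) would reveal an individual salary"
        )
    (value,) = conn.execute(
        f"SELECT {func}(salary) FROM employees{where}", params
    ).fetchone()
    return count, value


if __name__ == "__main__":
    db = open_db()
    print(salary_aggregate(db, "AVG", {"dept": "engineering"}))   # 3 members: allowed
    for crit in ({"dept": "legal"}, {"dept": "engineering", "site": "austin"}):
        try:
            salary_aggregate(db, "AVG", crit)
        except PolicyViolation as e:
            print("refused:", e)
```

The check lives in one place, which is the point the column makes about policies being "few in number and automatically applied": an application that wants salary statistics cannot reach the table except through salary_aggregate, so it inherits the rule without configuring anything itself. A minimum group size is only the first layer of inference control, though; two permitted queries over groups that differ by one member can still be differenced, so systems that take this seriously also limit overlap between successive result sets or add noise to aggregates.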
The serendipity of the Web is a wonderful thing. When I returned from
the meeting where I raised this concern, I plied Google with the four-word
search string "security isolation aggregation policy." One click later, I
was reading someone's trip notes on last May's IEEE Symposium on Security
and Privacy, which included two promising papers: "Hardening
[Off-the-Shelf] Software with Generic Software Wrappers," by employees
of Trusted Information Systems Inc., and "Flexible Policy-Directed
Code Safety," by MIT researchers David Evans and Andrew Twyman.
Evans and Twyman acknowledge that the Java Virtual Machine has the germ
of a policy-based approach to system security, with the JVM's facilities
for controlling (for example) the precise locations and operations of
allowable access to a user's data files. But Java's designers "were
hamstrung into providing only a limited number of checks by a design that
incurs the cost of a safety check regardless of whether it matters to the
policy in effect," observes Evans, who is now an assistant professor at
the University of Virginia.
In his MIT doctoral thesis, Evans suggests an approach that "statically
analyzes and compiles a policy." He asserts that this method "can support
safety checks associated with any resource manipulation, yet the costs of
a safety check are incurred only when the check is relevant."
Attacks on our information systems are more than matters of
convenience, or even of business continuity. In an Off the Cuff column
earlier this week, News Editor Michael Zimmerman refers to China's uneasy
relationship with Taiwan and the implications for our current
presidential campaign. It's worth recalling that, late last summer, those
Taiwan Strait tensions expressed themselves in a bilateral campaign of Web
site attacks.
Information security has become the world's concern, and new ways of
approaching the job are timely contributions to making this a better world
in many ways.
Are you tired of counting the fleas that carry the plague? Tell me at
peter_coffee@zd.com. Off the Cuff, an online exclusive column, appears
Monday, Wednesday and Friday.