Sunday, January 30, 2011

The Technical Problem of Information Security

This article provides an in-depth look into Information Security and End-to-End Security. What is the problem, what can we do about it, and how effectively?

This discussion presents the technical requirements for an End-to-End IT security solution, summarized in four points:
  1. integrate core security services;
  2. eliminate known weak or costly links such as password lists, access control databases, shared secrets, and client-side PKI;
  3. avoid the seemingly desirable scenario of a single point of control, which is recognized as a single point of failure;
  4. bind a coherent system of trust to the solution and to its users.
The NMA ZSentry solution is mapped as an example of a system that complies to these requirements and provides a cost-effective implementation.

The technical problem of information security can be stated, quite simply, as "to avoid too much concentration of information and power, while allowing enough information and power so as to make a task possible to execute."

For example, an all-knowing, all-powerful entity would be the perfect attacker and could break any security measure.

That is why we oftentimes talk about "need to know" and "separation of powers." We name these principles, respectively, information granularity and power granularity.

Such principles mean that information should not be provided in its entirety to a single entity and one should also avoid the scenario where any entity is, at the same time, user, administrator and auditor. That is why business information and power should be carefully divided, for example, among local employees, the office management, the enterprise management and the customer.

Also, contrary to what is oftentimes advocated in regard to IT security solutions, there should be no single point of control in an IT security system, which point must be recognized as a single point of failure -- i.e., no matter how trustworthy that single point of control is, it may fail or be compromised and there is no recourse available because it is the single point of control.

One of the earliest references to this principle can be found some five hundred years ago in the Hindu governments of the Mogul period, who are known to have used at least three parallel reporting channels to survey their provinces with some degree of reliability, notwithstanding the additional efforts.

Tools such as authentication and authorization can help define information and power granularity. However, at its most basic level, a secure IT system needs to do much more than just control authentication and authorization.

No matter how much assurance is provided that each component of a secure system is correct, when operational factors such as collusion, internal attacks, hackers, bugs, viruses, worms or errors are taken into account, the system may fail to be effective -- i.e., may fail to be secure in the context of its operational use.

In addition, underlying assurance problems such as insecure operating systems and reoccurring buffer overflow vulnerabilities are not likely to improve over the coming years.

There is a real need, thus, to bring together policy, management and implementation considerations that could influence effectiveness assurances for each particular IT security solution.

Other security principles such as redundancy, diversity, and least privilege also need to be used in defining the specific requirements for a secure IT system. In addition to being specific, such requirements need to be clearly formulated, decidable and, as much as possible, complete.

Additionally, an end-to-end design is important to assure effectiveness, because attacks and errors are hard to detect and prevent at the interface points. End-to-End (E2E) security is defined as safeguarding information in a secure telecommunication system by cryptographic or protected distribution system means, from point of origin to point of destination

For lack of paper trails or other material proof, non-repudiation is also often essential for Internet and IT security systems. A common definition states that non-repudiation is about providing proof that a particular act was actually performed, for example as demonstrated by a trusted time-stamp. However, this definition is etymologically incorrect and, thus, should be repudiated. It also misses the point. We and other authors prefer to define non-repudiation as "preventing the false denial of an act". In other words, it is not enough to provide proof of an act, as a denial may be presented and create a tie. While a correct denial should win the tie, a false denial should not.

To be effective, non-repudiation needs to take into account technical and business considerations. For example, bank checks are non-repudiable in the sense that a check is paid if (1) you did not tell the bank beforehand that the check should not be paid and (2) the signature does not look like a signature you did not make. The reader should note the double-negative, which provides less room for customer repudiation -- the signature does not have to look like a signature that you made, it just has to not look like a forgery.

Commonly, IT secure systems also must satisfy security standards such as the Controlled Access Protection (C2) level of security as defined in DoD 5200.28-STD (the Department of Defense Trusted Computer System Evaluation Criteria), the ITSEC Level 3 as defined in the Common Criteria for Information Technology Security Evaluation, or the Code of Practice for Information Security Management BS 7799 (a British Standard that is the basis of the ISO/IEC 17799-1 Standard).

To meet these objectives, an effective IT security solution should be based on two points:
  • Clear security principles, algorithms and products based on time-proven designs; and
  • Independent, permanent verification and validation of the systems’ security features.

The first point defines the component quality used in the IT system, where a weak component may compromise the whole system. For example, a system that relies on conventional username/passwords for authentication is likely already broken.

The second point focuses on the need to continuously evaluate all potential and existing threats, and verify any additional security design features that might be necessary to mitigate the risks stemming from the most likely and/or most damaging threats associated with the customer environment, and eventual changes in that environment.

The ZSentry security solution satisfies both points. ZSentry uses standard encryption technology with the unique Sans Target method to keep it safe and HITECH Safe Harbor compliant to send data between parties as regular email. It does not require installation of any software, which is great for both security and usability, and it even adds functionality such as self-destruct, with message level access control. This is also good news for Novell users who have become used to this type of functionality.

For example, using ZSentry renders your private health data unreadable to any third party who might come across it, and takes the issue of HIPAA breaches and fines off the table.

Read more about Why Not Passwords?

Read more about End-to-End IT Security