November 2001 Mfg.Trust

 

Mfg.Trust is a monthly feature of the NCMS InfraGard Manufacturing Industry Association

Infrastructure assurance for manufacturers.

Powered by NCMS.


This month – MANAGING THE TRUST OF THE TRUSTED PARTIES

Creating a Truly Secure Information Environment


Accompanying Resource Page for this Story 

Editor’s Preface:

Security has traditionally offered defenses from the external threat: Castles, the Great Wall in China, and children’s secret club house passwords all serve this purpose. However, the most insidious threats are almost always lurking within the castle walls. Think Caesar and Brutus, or Navy Chief Warrant Officer John Anthony Walker, Jr., who, for 18 years, handed over classified materials to the Soviet Union.

This month, we will focus on just one part of security. We will examine the high level issues for protecting valuable business information inside the enterprise and among trading partners. Our goal is to present a clear analysis of the issues that you probably face, and offer potential solutions upon which you can take action.

Jonathan Hudson (jonathan@aereous.com) and Todd Graham (tdgraham@aereous.com) co-authored our feature and resource page this month along with your Editor. NCMS is appreciative of their insight and expertise.

The NCMS InfraGard Manufacturing Industry Association web site (http://trust.ncms.org) offers far richer content than can fit in just one email feature, and stores material on past monthly themes. Please visit this month’s NCMS Managing Trust Resource Page, and tell your co-workers!

            John Sheridan (johns@ncms.org)

PS: If you are in the Ann Arbor, Michigan vicinity, you can learn more about NCMS and our information assurance programs by participating in the FREE open house on November 13th. Learn more about the “NCMS Networking Event-A Manufacturer's Guide to Surviving a Down Economy” at www.ncms.org


Managing the Trust of the Trusted Parties

Creating a Truly Secure Information Environment

Twenty years ago, companies kept their most sensitive information safely locked away in file cabinets and storage closets. In today’s economy, information that represents an enterprise’s lifeblood is shared within and among enterprises on a daily basis. You wouldn’t leave a paper copy of your company’s financials next to the photocopier even if your building were closed to outsiders, so why is the equivalent being done in the online world?

Existing security solutions address the old problem of perimeter security. Firewalls, Intrusion Detection Systems and Anti-Virus Software are the first line of defense in keeping hackers out of your network. However, if you haven’t thought about protecting your network internals, your intellectual capital is only half secure. Theft of proprietary information from within the enterprise causes extraordinary losses when a disgruntled employee walks out with a master list of customer information, or a downstream supplier shares design schematics with a competing upstream customer.

The emerging issue is clear: managing the trust of the “trusted agent,” whether employee, contractor, or trading partner. Given human nature, people will circumvent systems that get in the way of what they consider important, and resent efforts to force compliance. Many hidden threats are a result of your implicit trust in the “trusted agent.”

The American Society for Industrial Security reports that over 70% of information theft occurs within the extended enterprise by trusted parties – employees, OEMs, suppliers, etc. (see link below). Given this troublesome statistic, it is time that organizations reevaluate their network security infrastructure with a sharp eye towards the internal threat. The following five parameters should be given due consideration in any such evaluation.

  1. Authentication
  2. Access Control
  3. Administrative Domain Protection
  4. Pervasive Information Protection
  5. Simplicity

You already have your perimeter defenses; now let’s look at these internal parameters one by one to see what goes into crafting a truly secure information environment.


1. Authentication

The Issue: Authentication is the process of establishing a person’s identity on the network. It can come in the form of something you know (passwords), something you have (smart cards), or something you are (biometrics). Password-based authentication is the easiest and lowest-cost authentication technique, but even good password policies aren’t always good enough (see link below). Two-factor authentication (usually something you have plus something you know, like a fingerprint or “smart card” and a password) is generally better, but more costly. You should also consider the underlying authentication technology. The username/password combo used by many business-oriented operating systems – you’re probably using at least one – is easily compromised.

The Solution: Your dog’s name is not a good password; any good security will start with good password policy. A number of vendors offer software that automatically enforces these policies. Additionally, smart-card, biometric, and other authentication devices are coming down in price. RSA SecurID is the emerging standard, but companies like Rainbow, Entrust, Access360 and Passlogix have compelling products as well.  Most important, though, is to ensure that your system is properly implemented and administered.


2. Access Control

The Issue: Access control manages how users may interact with resources on a network. The CEO of your company should probably have access to many systems, while a marketing intern shouldn’t. Access control products have matured to the point of being able to handle complex needs, but they are not all homogeneous. Microsoft has built access control into its business-oriented operating systems and backend technologies, and is representative of the common access control mechanism – the access control list (ACL). ACLs create strict definitions of what users may access, but depend on constant administrator input and configuration / re-configuration. Because keeping up with the dynamics of business needs is so work-intensive, a System Administrator will often grant an individual access to files, folders or resources that they should not be allowed to see, either by accident or because the individual needs partial or occasional access. Revocation, the process of revoking access to resources in a timely way, is a nightmare, and represents a significant vulnerability in large enterprises.

The Solution: For the time being, the best solution is vigilance. Auditing tools from companies such as Tivoli and Computer Associates remove some of the headache of tracking individual access. Some single sign-on companies are grappling with this problem, and new, more flexible pattern-matching technologies are emerging to react to network conditions but have not yet been proven in the field.  Further on the horizon, expect to see new works emerge from standards committees that address some of the current problems with access control systems.
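The kind of check an access audit performs, as an added example (not part of the original article and not any vendor's product): it reconciles ACL grants against the current staff roster to surface revocations that were missed. The users, resources, dates and department policy are constructed for illustration.

```python
from datetime import date

TODAY = date(2001, 11, 1)  # constructed audit date

# Constructed sample data: (user, resource, granted_on, expires_on or None)
ACL = [
    ("ceo",     "finance/ledger",    date(2001, 1, 5),  None),
    ("intern1", "marketing/plans",   date(2001, 6, 1),  None),
    # "Occasional access" granted for a week and never cleaned up.
    ("intern1", "finance/ledger",    date(2001, 9, 10), date(2001, 9, 17)),
    ("jsmith",  "design/schematics", date(2000, 3, 2),  None),
]

# Current roster: user -> department. jsmith has left the company.
ROSTER = {"ceo": "executive", "intern1": "marketing"}

# Hypothetical policy: departments entitled to each resource area.
ALLOWED = {
    "finance":   {"executive", "finance"},
    "marketing": {"executive", "marketing"},
    "design":    {"executive", "engineering"},
}

def audit_acl(acl, roster, allowed, today):
    """Return (user, resource, reason) for every grant that should be revoked."""
    findings = []
    for user, resource, _granted, expires in acl:
        area = resource.split("/", 1)[0]
        if user not in roster:
            findings.append((user, resource, "user no longer on roster"))
        elif expires is not None and expires < today:
            findings.append((user, resource, "temporary grant expired"))
        elif roster[user] not in allowed.get(area, set()):
            findings.append((user, resource, "department not entitled"))
    return findings

if __name__ == "__main__":
    for finding in audit_acl(ACL, ROSTER, ALLOWED, TODAY):
        print(finding)
```

Run on a schedule against exports of the real ACLs and HR roster, a report like this turns revocation from a manual hunt into a short list of entries to remove.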


3. Administrative Domain Protection

The Issue: Your data and resources are most vulnerable where there are no lines of defense to protect them from compromise – on the desktop (see next topic) and within the administrative domain. The people responsible for keeping your network running have enormous power over the information and resources within their domain of administration. Reading emails, accessing proprietary information, and creating small backdoors in the network are all within the realm of what can be done, and what in fact has been done.

One horror story came out of a hospital, where the system administrator learned she was to be fired, and encrypted the entire patient database, using a password that only she knew. She refused to give up the password unless she was given a sizeable severance payment. An honest system administrator will acknowledge the power that they wield and accept certain constraints that don’t interfere with their ability to do their job. 

The Solution: This issue is amongst the thorniest of them all, as the people required to implement protective measures may be the same people you are trying to protect against. A security consultancy or vulnerability assessment company such as TruSecure or Securify can help you find the weak spots within your network, and justify the need to implement better security technology. As for the technology itself, Computer Associates has software that allows “selective root” access, giving administrators the power to do only certain administrative functions. Startups such as Aereous are building backend data protection tools, and some of the storage systems companies like EMC and Network Appliance are beginning to broach this subject as well.


4. Pervasive Information Protection

The Issue: Information can be stored encrypted, and tunneled around your network using IPSec or between enterprises on a VPN. However, once a file is open on a desktop, there is little that can be done to protect its contents from theft. Current file systems have provisions for read/write or read-only on files, and databases have become intelligent enough to prevent certain fields from being viewed. But even encrypted information can be emailed, printed or saved after it has been decrypted. Whether by accident or malicious intent, there is currently no good way to apply pervasive protection to information. Ironically, this is arguably where the greatest need for new security technology exists – it is where information is most vulnerable to even the most unsophisticated user.

The Solution: Again, emerging technologies may have the answer, but not without complexity. By intelligently applying usage rights and rules to information, an enterprise can moderate this significant vulnerability. Usage rules are policies for how individual users may interact with individual documents – Mary may be able to do anything she needs to do with a file, but John can only make changes to it, and not print, email or copy information from it. Companies like Aereous are building software that makes it easy to extend usage rules across the enterprise and even outside to business partners, closing off the most logical ports of information exit. Auditing functionality is also important, so that if information has been compromised, an administrator can determine where the leak occurred.  Pervasive information protection is seen by many as the “what’s next” in good information security, and is a sector that will likely see explosive innovation over the next few years.
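The Mary and John usage rules described above, sketched as an added example (not from the original article and not any vendor's implementation): each request is decided per user, document and action with a default of deny, and every decision is logged so an administrator can trace where content left. The document name and the user "eve" are constructed.

```python
from datetime import datetime, timezone

# Constructed policy: per-document usage rights by user; anything absent is denied.
USAGE_RULES = {
    "q3-forecast.xls": {
        "mary": {"view", "edit", "print", "email", "copy"},  # anything she needs
        "john": {"view", "edit"},                            # changes only
    },
}

AUDIT_LOG = []  # one entry per request, allowed or not

def request(user, document, action, now=None):
    """Decide one usage request (default deny) and record it in the audit log."""
    allowed = action in USAGE_RULES.get(document, {}).get(user, set())
    AUDIT_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "document": document,
        "action": action,
        "allowed": allowed,
    })
    return allowed

def exit_paths(document, log=AUDIT_LOG):
    """List every print/email/copy request for a document, allowed or denied."""
    exits = {"print", "email", "copy"}
    return [(e["user"], e["action"], e["allowed"])
            for e in log
            if e["document"] == document and e["action"] in exits]

if __name__ == "__main__":
    doc = "q3-forecast.xls"
    for user, action in [("mary", "print"), ("john", "edit"),
                         ("john", "print"), ("eve", "view")]:
        print(user, action, request(user, doc, action))
    print(exit_paths(doc))
```

Logging denied requests as well as allowed ones matters for the audit: a run of refused print or email attempts is itself a signal worth reviewing.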


5. Simplicity

The Issue: K.I.S.S. – keep it simple, stupid – yet no one seems to be able to do so. If security technology creates too many barriers to usage, people will find a way to circumvent it. McAfee’s PGP toolset is a great way to encrypt email – just hit an extra button within Outlook. Yet, as simple as it is, that extra button is a complication that 95% of the world just won’t accept. Imagine what the systems administrator has to manage – different systems, potentially thousands of users, different programs and resources that require multiple logins, and audit trails for who’s been doing what. Unlike external technologies such as Firewalls that the administrator can set up and forget, intra-enterprise technologies are required to accommodate the fluidity that exists in the organization itself. If the technology isn’t built to handle the needs of your network, it probably won’t be used. Effective internal security can only be practiced when its value exceeds the administrative burden required to implement it.

The Solution: Some technologies are known for their ease of use, so seek those out. Evaluate your network “as is,” and what your business requires as a final state. (See the Resources page at trust.ncms.org for two excellent information systems baseline tools.) Only when you have the intersecting set of “simple enough” and “effective enough” can you create a strong security architecture upon which the rest of your business can function effectively. Finally, educate your users on why they should be interested in utilizing security tools, and try to make it part of their daily process.


Conclusion

These five parameters, when given appropriate consideration, can help you recognize weaknesses that you didn’t even know existed. The threat is real – a KPMG study concluded, “Executives can be misinformed about the actual vulnerabilities of their network systems. Poorly trained and/or poorly qualified system administrators, poor reporting procedures for security breaches, or dishonest employees are often the cause of this misinformation.”

Security should not be viewed solely as insurance. Security technology does have a tangible ROI: when your anti-virus software saves you from downtime, when your single sign on solution reduces administrative overhead, when your VPN eliminates leased private lines, when pervasive information protection enables you to collaborate and share information as you couldn’t before.

As business reliance on networked systems continues to evolve, so too will the technology foundation required to support it. Internal security is fast becoming an absolutely critical component for any company that intends to protect its information assets. In expansionary economic times, enterprises should look to spend extensively on R&D, pushing new products out the door and growing with the market. But in contracting economies, the enterprise needs to focus on protecting its market position and staying buoyant. Now is a better time than ever to take a critical look at your network security architecture and determine how security technology can help your enterprise weather the storm.


Links

Trends in Proprietary Information Theft:
http://www.pwcglobal.com/Extweb/ncsurvres.nsf/docid/36951F0F6E3C1F9E852567FD006348C5

KPMG e.fr@ud Survey 2001:
http://www.kpmg.ca/english/news/n_efraudsurvey2001.html

Stronger Passwords Aren’t:
http://www.infosecuritymag.com/articles/june01/columns_executive_view.shtml


Copyright 2004
National Center for Manufacturing Sciences