

Saturday, August 4, 2007

Information Security in Unbounded Environments

Felix Mohan, CEO - SecureSynergy

Today, bounded environments ensconced within clearly demarcated perimeters are giving way to a milieu where gateways are obsolete. In this environment, the distinction between insiders and outsiders is blurred, and organisations neither have central administrative control over their information systems nor do they have access to a global view of the events occurring therein. In such an environment, it is almost impossible to thwart cyber attacks. Traditional models of information security fail to deal with the security problems associated with open-ended environments.

Given that no system is totally immune to attacks in an unbounded environment, there is now an intense focus on ensuring the survivability of mission-critical systems and essential services despite the presence of cyber-attacks. Emerging technologies such as grid computing and web services make unbounded environments even more vulnerable, mandating the need to build capabilities into systems such that they have the resilience to survive an attack and continue to fulfil their mission in a timely manner. The 'survive' philosophy of modern information security is a big departure from the 'prevent' viewpoint of traditional security models.

Traditional Network Security
When organisations began deploying firewalls as security tools a decade ago, they could easily define the network perimeter. Most people who had access to corporate networks worked on desktop computers in the main office; and external connectivity was virtually non-existent. A simple firewall-based demilitarized zone between the private and public network could provide adequate protection. In this traditional network security, the whole aim was to put into place firewalls and create an environment to keep people out - much the same way as a fortress was meant to keep attackers out. For centuries, rulers built castles with moats and stone walls as protection from invaders. These obstacles provided an effective first line of defence against enemy attacks. In the traditional fortress model of network security, firewalls and intrusion-detection systems were meant to serve the same function as walls and moats.

Fortress security model
A major lacuna of the fortress model was its dependence on trust for its success. Anyone outside the gate is suspect; anyone inside is trusted. If someone got inside, they could pretty much do what they wanted. In an unbounded environment, trust becomes an extremely complex concept. Trust is especially difficult to establish in the presence of unknown users from unknown sources outside one's own administrative control. In unbounded networks where everyone is an insider and often unknown, there are always numerous untrustworthy insiders. A fortress model is only as strong as its weakest component. If a trusted insider abuses his or her authority, or an intruder finds an exploitable vulnerability in the security perimeter, the entire system can be compromised.

Airport security model
The airport security model is based on the environment that prevails in a typical airport. There are two significant characteristics of an airport. Firstly, there is no differentiation between insiders and outsiders. Everyone - airport staff, security staff, and passengers - goes through the same security scrutiny. Secondly, there are many logical layers of security. Passengers authenticate themselves at various zones, starting at the entry into the airport terminal and continuing right up to the point where they board the aircraft. The security check at each of these places is typically done by a 'different' security agency to eliminate any collusion. Airport security, therefore, employs an efficient system of 'layered defence'.

On similar lines, the airport security model (which has replaced the traditional fortress model as the preferred model in emerging unbounded environments) is robust, flexible and situational, with multiple zones (or layers) of security based on role. 'Gates' to zones can employ multiple overlapping technologies for identification, authentication and access control, depending on the individual's role and the purpose of the zone. Even if one zone is breached, the system remains safe. The result is a series of fortresses within the fortress.

Point-to-point security model
Point-to-point 'dynamic trust' is the future model for a highly networked world. It requires point-to-point authentication and trust, from any user on the network to any other user. It uses multiple overlapping or alternative technologies and assumes that all parties to transactions must identify and authenticate themselves and prove their right to participate. This model corresponds most closely to a world heavily populated with intelligent wireless devices.

All three models are responses to specific risks and eras. The fortress worked in the mainframe era. The airport model works for most enterprises now. The point-to-point model is required for a world where high levels of transactions are conducted wirelessly, anywhere, anytime.

Virtual Enterprise Networks
In the prevailing unbounded environment, organisations have to work with an ever-changing list of 'external' people and organisations. In these relationships there is a need to share information with someone (or something) physically located outside the traditional enterprise security perimeter guarded by the firewall. As the boundaries between internal and external environments become irrelevant for enterprise networks, this is giving rise to a new identity and access management infrastructure for providing security services - the Virtual Enterprise Network (VEN).

The VEN (based on the airport security model) is an alternative to traditional security with demilitarized zones, providing robust 'layered defence' so that even if someone got inside one layer, there would be other layers to protect the organisation's information resources. The upshot is a model that builds on the existing infrastructure, but plans for a distributed perimeter. The VEN defines four logical layers:

(a) The resource layer. This layer houses clients, servers, applications and data, and is the innermost layer.

(b) The control layer. This is a new layer, not found in traditional security models. In this layer authentication services reside, as do the controls for security policies across layers.

(c) The perimeter layer. This layer contains firewalls, proxies and gateways that enforce physical and/or virtual boundaries between intranets and the Internet, or other security domains.

(d) The extended perimeter. This is the outermost layer. Here organisations engage technologies or services to secure resources physically located outside the perimeter.
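The following is an added Python sketch, not code from the article or from SecureSynergy, that makes the airport-style 'layered defence' and the four VEN layers above concrete: every request, insider or outsider, must pass each layer's independent gate, and a failure at any gate records which layer stopped it. The tokens, roles, resources and protocol lists are constructed sample policy data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    source: str                # "intranet" or "internet"
    protocol: str              # e.g. "https", "smb"
    device_attested: bool      # managed / posture-checked endpoint?
    credential: Optional[str]  # token presented to the control layer
    resource: str

# Constructed sample policy (assumed for the example, not from the article)
VALID_TOKENS = {"alice-token": "analyst", "bob-token": "admin"}
RESOURCE_ROLES = {"payroll-db": {"admin"}, "wiki": {"analyst", "admin"}}
INTERNET_PROTOCOLS = {"https"}

def extended_perimeter(req: Request) -> bool:
    # Layer (d): resources reached from outside the firewall require an attested device.
    return req.source == "intranet" or req.device_attested

def perimeter(req: Request) -> bool:
    # Layer (c): the firewall/proxy only admits approved protocols from the Internet.
    return req.source == "intranet" or req.protocol in INTERNET_PROTOCOLS

def control(req: Request) -> bool:
    # Layer (b): authentication applies to everyone; being 'inside' grants no trust.
    return req.credential in VALID_TOKENS

def resource(req: Request) -> bool:
    # Layer (a): the resource itself authorises by role, independently of the other gates.
    role = VALID_TOKENS.get(req.credential)
    return role in RESOURCE_ROLES.get(req.resource, set())

# Gates are evaluated in the order a request traverses the layers, outermost first.
LAYERS = [("extended perimeter", extended_perimeter), ("perimeter", perimeter),
          ("control", control), ("resource", resource)]

def evaluate(req: Request) -> tuple:
    """Return ("allow", None), or ("deny", layer) naming the first gate that refused."""
    for name, gate in LAYERS:
        if not gate(req):
            return ("deny", name)
    return ("allow", None)

if __name__ == "__main__":
    # An insider with no credential is stopped at the control layer, not waved through.
    print(evaluate(Request("intranet", "smb", True, None, "wiki")))
```

Because each gate is a separate function with its own inputs, a flaw or bypass in one layer (say, an unattested device reaching the intranet) still leaves the control and resource gates to refuse the request.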
