Shaping the Infrastructure for Information Security in the 21st Century
Senior Research Engineer
Novell Systems Research
Network Security Team Leader
01 Jul 1996
This AppNote covers some of the issues that must be understood and dealt with in shaping the infrastructure for information security as we move into a new century. It describes the increasing risk to intellectual and personal property as the world becomes connected, along with some of the "new" threats to the availability, integrity, and confidentiality of information. It also discusses what Novell is doing and what you as the customer can do to further the cause of secure networking. After all, whether the field of information system security is prepared for the 21st century will depend to a large degree on the cooperation of today's security professionals, customers, and policy makers.
RELATED APPNOTES
Mar 95 "NetWare Workstation Security Architecture"
Aug 94 "An Introduction to Novell's Open Security Architecture"
Apr 94 "Building and Auditing a Trusted Network Environment with NetWare 4"
As today's information infrastructure, which is focused on individual workgroups and enterprises, evolves into one that is national, multi-national and, ultimately, truly global in scope, security becomes an increasingly crucial consideration. The basic technology exists today for protecting sensitive data, and developers and vendors are generally capable of responding to security needs. However, the commercial products and services that will become widely available to users will be primarily the result of market forces.
As the commercial developer of the world's most widely-used network operating system, Novell recognizes user needs as the driving force for providing truly secure network services and security features. Customers, in turn, must continue to communicate their needs for security and for secure services if they are to reap the benefits of "secure networking."
The Evolving Role of Information in Our Society
The latter half of the 20th century has often been referred to as the "Information Age." As we approach a new century, information is becoming more and more critical to everyday life, both at the commercial and personal level. The concepts being espoused by the United States government for the National Information Infrastructure, or "Information Superhighway," include extensive use of distributed computing to transmit and manipulate sensitive data between organizations. When this paradigm is extended to the global level, it is illustrative of the potential environment that will be faced by Novell's customers, partners, and competitors over the next few decades. For the purposes of this AppNote, we'll call this the global information infrastructure.
There are many opportunities and advantages for electronic financial transactions within a global information infrastructure. Adequate security is essential to the success of this infrastructure. The need to protect financial assets such as bank accounts and major business transactions is obvious. Other examples of the classes of sensitive commercial information being shared among the offices of multinational corporations include financial data, customer lists, sales projections, product development plans, and patent applications. In addition, businesses around the world are demanding information protection and verification capabilities.
Consider also the potential for electronic commerce that could exist within a global information infrastructure. With the proper security mechanisms in place, vendors could deliver software products and their associated documentation electronically. By doing so, they could decrease their costs and those of their distributors and retailers, at the same time increasing convenience for their customers.
In this electronic software distribution scenario, the primary concern is not so much that customers will purposefully abuse the system, but that intellectual property might be stolen from customers without their knowledge or consent. There are many unscrupulous people out there seeking financial gain from the misappropriation or unauthorized disclosure of intellectual property. The threats posed by this group are much more worrisome than the possibility of attacks on the integrity of the information.
For this distribution system to work, there must be a mechanism in place to ensure that only bona fide customers can retrieve a vendor's products, and that those customers are charged an appropriate price. Preferably this mechanism would also ensure that those customers do not deliberately redistribute products without authorization (and without the vendor being paid).
Many similar issues exist for personal data. While the consequences of misappropriating personal information may not be of the same direct financial form as for commercial information, they can be of extreme importance to the persons affected. It is vital that private information such as credit card numbers and medical case files be protected as fiercely as commercial financial data and trade secrets.
Paranoia Becoming Reality
Some skeptics dismiss the concerns of security-minded people as paranoid delusions. However, few companies can afford to put their business at risk by not preparing for potential threats that are becoming more and more real every day. As the value of the information processed by networks increases, so will the threats to the availability, integrity, and confidentiality of that information.
When It Pays to Be Hostile
When asked to identify the primary threat to the security of networked computer systems, many people point the finger at high-school-aged "hackers" armed with personal computers and modems. But amateurs who try to break into your system for the fun of it don't pose nearly as much threat as dedicated individuals and groups seeking ill-gotten financial gain. The commercial value of the intellectual property (products and trade secrets) that will become available electronically will provide a strong motivation for new classes of attackers. The threat of deliberate, malicious attacks on information systems will only increase as the value of the information stored on those systems increases. Some of these attacks will undoubtedly originate with agents external to the organizations that own and use the networked systems and resources.
When Software Is Malicious
In a distributed computing environment, there is significant opportunity for malicious software to intervene between user and data, thus subverting the intent of well-meaning users. For example, such software could be introduced as an authorized user gains access to intellectual property such as a computer program or entertainment product. The intruding software could then transmit the program to a third party, thus undermining the integrity of the licensing transaction and making it impossible to tell exactly who has gained access to the information and what actions an individual actually took and is accountable for.
Malicious software of this sort is known as a "Trojan Horse." It is characterized by the fact that it is present without the knowledge of the system's user and performs functions that the user did not desire, expect, or intend. Certain computer viruses that have received a great deal of publicity and caused noticeable damage to personal computers are unsophisticated forms of Trojan Horses. In networked environments where information is shared and communicated over wide areas, Trojan Horses are easily distributed and have ample opportunity to cause harm.
When Indirect Access Is Easy
Users of unprotected computer systems and networks will prove easy prey to those seeking unauthorized and uncompensated access to such information. The legitimate purchasers of intellectual property may serve as unwitting conduits through which hostile software is able to receive intellectual property and forward it on for further unauthorized and uncompensated distribution.
Security or Alchemy
Although powerful security technology exists for distributed environments, several factors continue to impede the market forces that would lead to its effective incorporation into cost-effective, off-the-shelf commercial products. Foremost among these factors are (1) the failure to recognize the critical need for security, (2) the hope for some new, effortless "quick fix," and (3) inadequate private and public awareness and vision for the future.
The first part of this AppNote has discussed the increasing need for security as the industry moves into the future. This section looks at the ineffectiveness of some of the "quick fixes" that have been proposed from various sources. The following section seeks to raise awareness and provide vision for the future.
Old Things Are Done Away
In the brave new world of the global information infrastructure, traditional protections such as physical isolation and manual review of information before release will prove largely ineffective. It is nearly impossible to physically isolate data when pervasive interconnection is the basis of commercial activities, and most electronic information is being distributed in a form that is not readable by humans.
Futility of "Penetrate and Patch"
One of the most naive and dangerous (yet persistent) beliefs is that one can provide meaningful security against the growing hostile threat by having "experts" try to penetrate the security controls, and then patching the holes that are found. This is a fundamentally flawed method, especially in the face of malicious software. The scale is seriously unbalanced in favor of the attacker, since the attacker need find only one hole while the defender must find essentially all possible holes.
Cryptography Is No Magic Pill
The ability to use strong encryption is essential to the success of the global information infrastructure. When implemented and managed by trusted computer systems, encryption is a known technology that has been demonstrated to work. Yet just because a product features encryption doesn't necessarily mean it is secure. There are many weak cryptographic implementations where the intended protection can be easily compromised by malicious software.
For example, such software can display one dollar amount to the user and digitally sign another, thus undermining the integrity of financial transactions. Malicious software can also subvert confidentiality by leaking cryptographic keys. In this case, the loss of a few tens of bits can completely undermine the security of an entire system. Such leakage is especially devastating since the user is likely to assume that his or her actions are "secure" because they are protected by encryption.
Adverse Impact of Public Policy
Tradeoffs among national security, law enforcement, and information security may well result in a major impediment to the ability of suppliers and users to provide adequate security. Current governmental export policies on encryption prevent suppliers from integrating commercial-quality cryptography into products that will be sold worldwide. Without the ability to provide strong encryption internationally, vendors' hands are tied. Valuable information placed on the global information infrastructure will be at risk and business will not be able to use the infrastructure to transmit and receive the various distinct classes of sensitive information.
Standing on the Edge of Tomorrow
As we prepare to move into a new century, it is important that the community of users--individuals, managers, and policy makers--understand the threats to the confidentiality and integrity of their information, as well as the limitations of most currently available countermeasures. It is also essential that we have a sound basis for systematic security evaluation. This is where independent product evaluation can prove most useful.
Independent Product Evaluation
In the government arena, the terms "product evaluation" and "assurance" have long been used in association with computer security. They describe the results of technically-based processes that assess security products' features and the level of quality or reliability of their construction. These processes compare a product's security features, chosen by vendors to meet the needs of their users, against a list of fundamental computer or network security functions. They also assess the conditions of the product's construction to evaluate the likelihood that the security features are correct and complete.
Standards for the Future
As mentioned previously, the technology exists today to build a system that meets any of the defined security evaluation classes, from the lowest ones commonly available to the highest ones defined. But affordable, secure commercial products will become widely available only when meeting a particular security level is made a significant purchase criterion among the customer base.
Existing government standards offer some of the information that system designers and integrators need to select and configure products. These standards would also support end-users who could use them to guide their decisions as to which systems should be allowed to process their sensitive data. Unfortunately, the general public--and computer and network users in particular--are largely unfamiliar with formal governmental standards and processes.
The government and business sectors must work together to develop practical security standards that are viable for the next century. These standards should include:
A labeling standard for data and systems. Such a standard must support wide communication about the security attributes of data and systems. It would allow users to designate the sensitivity of their information to disclosure or destruction, with the expectation that recipients of the labeled information would have a common understanding of how to protect the information and what other parties should see or alter it.
A labeling standard is a very desirable alternative to having all data treated as an undifferentiated mass with respect to security and protection. It might be coupled with prototypical policies and operational standards for systems and networks, along with technical standards for trusted system security measures to enforce the labels. Trusted systems that enforce labeling offer the primary means for greater assurance of security against malicious software. Ultimately, it is the owners of data who must determine the protection their data requires. A labeling standard would provide a convenient tool for users to categorize their protection requirements and for the implementers of the global information infrastructure to distinguish the sorts of protection it would provide.
Continued development of standards and processes for the independent technically-based security evaluation of trusted system products. Since trusted products will form the foundation of the global information infrastructure, users must understand how to use the results of these independent evaluations. Unfortunately, some negative characterizations of the evaluation process and rating system by general officers in the military have been widely published recently. These are of concern because of the potential for adverse impact on policy makers and customers. To be useful to vendors, developing standards must build on the strength of standards that have proven to be successful in the past. Too many draft "Common Criteria" proposals lack essential elements such as a fundamental (reference monitor) foundation and incremental evaluation. Worse, they include complex and untried approaches and have a weak common basis for comparison across products.
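The labeling standard and label-enforcing trusted system described above, as an added example that is not part of the original AppNote: a toy reference monitor mediates every read and write against sensitivity labels, and a constructed scenario shows why label enforcement helps against a Trojan Horse that runs with a legitimate user's authority. The level names, the "trojan" subject and the objects are assumptions made for illustration.

```python
from dataclasses import dataclass

# Ordered sensitivity levels chosen for this example; a label also carries
# an optional set of compartments (e.g. which project the data belongs to).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "trade_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as sensitive as `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class LabeledObject:
    name: str
    label: Label
    content: str = ""


class ReferenceMonitor:
    """Every access goes through here; subjects never touch objects directly."""

    def __init__(self):
        self.audit = []  # (operation, subject, object, allowed)

    def read(self, subject, clearance, obj):
        # Simple security property: no read up.
        allowed = clearance.dominates(obj.label)
        self.audit.append(("read", subject, obj.name, allowed))
        if not allowed:
            raise PermissionError(f"{subject} may not read {obj.name}")
        return obj.content

    def write(self, subject, clearance, obj, data):
        # *-property: no write down. A process acting with a user's clearance
        # cannot copy what it read into a less sensitive object.
        allowed = obj.label.dominates(clearance)
        self.audit.append(("write", subject, obj.name, allowed))
        if not allowed:
            raise PermissionError(f"{subject} may not write {obj.name}")
        obj.content = data


def simulate_trojan_horse():
    """Constructed scenario: a Trojan Horse runs with the user's clearance."""
    rm = ReferenceMonitor()
    user = Label("confidential", frozenset({"projX"}))
    plan = LabeledObject("product_plan", user, "launch in Q3")
    public_outbox = LabeledObject("public_outbox", Label("public"))
    stolen = rm.read("trojan", user, plan)  # legitimate for this user
    try:
        rm.write("trojan", user, public_outbox, stolen)
        leaked = True
    except PermissionError:
        leaked = False
    return leaked, public_outbox.content, rm.audit
```

The read succeeds because the user is cleared for the plan, but the attempted copy into the public outbox is refused and recorded in the audit trail, which is the accountability the text asks labels to provide.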
Novell is committed to obtaining both U.S. and European evaluations of the NetWare 4.1 network operating system at the C2/E2 level. We believe that, to ensure the quality of security features and their implementation, technically-based product security evaluation performed by independent, objective third parties will instill much more user confidence than vendors' marketing claims can.
In this AppNote, we have endeavored to enlighten users concerning the security-related issues that must be dealt with before the global information infrastructure can become a reality. In doing so, we recognize that the public in general does not care to understand the precise nature of the security attacks we have discussed, nor are they likely to comprehend the intimate details of the protective mechanisms being developed. In many cases, the credibility of "malicious software" is questioned, especially when there is a lack of first-hand experience with such an attack. Of course, this makes the malicious software attack even more appealing to an interested group. The truth is that malicious attacks do happen, whether they are detected or not.
It is not our intent to hold up the specter of malicious software and unscrupulous hackers as scare tactics to bully customers into becoming security-minded. As far as end-users, product purchasers, and system administrators are concerned, much of the underlying security mechanisms should remain abstract and undisclosed. They should be reliable, testable, maintainable, and usable, without the user having to completely understand what's going on behind the scenes. This is where independent evaluation will prove most useful. Customers, vendors, and partners must insist on credible, independent third-party evaluations of both security services and security features, based on widely accepted standards. Admittedly, customers' needs will not always be directly addressed by independent evaluations. As the need for extended security services grows on an evaluated base, the possibility for additional evaluations must be provided for as well.
For their part, product developers should recognize that security must be built in to the operating system; it cannot be effective at the application level. Developers need to design products that are capable of providing real security features based on the underlying security services provided by the operating system.
At the same time, customers and vendors must become aware that "real" security services and features can only be obtained by building from a trusted base. In a network environment, that means the evaluation must encompass the server, workstation, and wire in combination. (For more information about Novell's Class C2 evaluation for the networked workstation and server combination, see the NetNote entitled "Novell's Approach to Red Book Evaluation" on page 94 of this issue.)
Customers need to actively participate in discussions about security and vocally support the implementation of security services through account representatives, buyers, and vendor contacts. Users must communicate clearly to product manufacturers their need for real, economical security--that if a product does not have security services and features that are implementable, maintainable and affordable, they will not buy it.
Customers must clearly state to manufacturers like Novell, as well as to application developers, their need for a clean and user-friendly interface to security services. User-friendly applications which employ security services and features coming directly from a secure base need to be at the top of customers' "must have" lists. Customers and users can only benefit when they clearly state for vendors and manufacturers that security must be "real" in the environment it is intended for, or they will not buy the product.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.