Applying military insights to enterprise data security: the application of time-tested military approaches can help address evolving computer security threats for enterprises and government.
Today's enterprises and government agencies have migrated to highly networked computing systems, with nearly all critical functions reliant on computing resources. This evolution has delivered higher productivity, but at the same time has created dramatically higher exposure to electronic attacks. Concern over information assurance has never been higher, and the range of acknowledged threats is growing: disgruntled insiders, viruses/ worms, corporate espionage, script kiddies, cyberterrorism, and information warfare in conflicts of the future.
In many senses, computer security already resembles a guerrilla war. Today, largely invisible enemies launch daily attacks on nearly every major corporation and government agency, and rapidly adapt their tactics to address countermeasures. This article highlights a number of time-tested military principles that can be applied by corporations and other organizations to prepare for such electronic warfare.
MULTI-LEVEL SECURITY: Intelligence organizations use MLS to manage and streamline access to data. By classifying each piece of data, and establishing the related levels of trust among individuals (e.g., unclassified, secret, top secret), these organizations balance risk with speed of information sharing.
Typically, civilian organizations lack the same discipline around information sharing. For organizations that deal with sensitive or regulated data, a more structured approach to assessing trust and granting access can be used to more tightly manage risk.
COMPARTMENTALIZATION: This principle is reflected in nearly every aspect of military organizations. For example, a captured special ops team does not know the locations of other units, in order to minimize risk. Often, analysts and planners have access to only a subset of the "whole picture" and, similarly, a submarine uses physical compartments to contain the damage from a hull breach.
With the move towards aggregated and networked storage, non-military organizations are increasingly at risk of massive breaches. In fact, a single breach of networked storage can yield terabytes of data and in many cases can be executed without detection. By using physical or cryptographic compartmentalization, organizations can reduce the exposure of any single breach. Typical approaches include compartmenting information by functional area (Finance, Engineering, Executive), by business unit, or by customer.
NEED-TO-KNOW: Military planners understand that the risk of leaks increases exponentially with the number of people who have information. Accordingly, sensitive data is distributed to only those who need it, and access to data is documented and audited.
According to the FBI, 50%-80% of electronic attacks originate inside the firewall. Even though the vast majority of employees are honest and trust-worthy, a single hostile individual can inflict massive damage. Instead of starting with the assumption that all data should flow freely among employees, organizations should invest in processes and systems to manage access to sensitive data, and ensure accountability. Fine-grain access controls can be used to provide flexible access to the data without disrupting user workflow or applications.
CRYPTOGRAPHY: As early as the Roman Empire, military organizations have used cryptography to protect sensitive data. Traditionally, cryptography was applied primarily to communications and data in flight; increasingly, sensitive data at rest is being protected with cryptography. For highly networked environments facing a variety of external and internal threats, cryptographic security is a necessity.
In today's networks, the volume of data in transit (megabytes) is dwarfed by the volume of data in storage (terabytes). Computer security experts increasingly recommend encryption for protecting stored data.
DEFENSE IN DEPTH: Realizing that any single layer of defense can be defeated, military and intelligence security experts typically deploy layered defense strategies.
In light of the growing insider threat, and the growing number of holes in the network perimeter (VPNs, contractors, partner networks), enterprises can no longer assume that their firewall or intrusion detection system is sufficient. Critical data and systems must be compartmentalized and protected within the perimeter. This is a challenging proposition since certain insiders, typically IT administrators, enjoy "super-user" privileges and unlimited access to data and systems. Organizations should closely review their infrastructure and implement security in layers, ensuring that sensitive information is fully protected.
CONCENTRATION OF FLOW: Military checkpoints and border crossings funnel all traffic through aggregated control points. These locations typically have a concentration of security forces, and the ability to authenticate and document all traffic.
Simplicity equals security. Many system vulnerabilities today stem from complexity; administrators cannot watch all of the different attack vectors. Security approaches that can simplify the security model and close down attack vectors can reduce an organization's risk of attack, while improving the chances of catching the attacker. Best case scenario: one way in, one way out.
ROLE SEPARATION: Many military procedures include checks and balances among multiple individuals to ensure that no single individual can sabotage or usurp the mission of the organization. Critical functions such as nuclear weapons command or air strike operations require multiple people in different functions to concur and approve an action.
Organizations with sensitive data may wish to eliminate single points of vulnerability, but many security managers today find that they do not have the tools to extend security policies into the storage infrastructure. Implementing role separation can help. For example, an IT organization may establish separate roles for security administrators and system administrators. Access to sensitive customer data, or sensitive administrative changes to systems, should require approval from multiple functional managers.
TWO-MAN RULE: This is a corollary to the Role Separation doctrine. For critical operations, two individuals must exercise authority to act. The classic example: nuclear silo operators turning two keys simultaneously to launch a missile.
Critical systems should never be designed with single points of failure or vulnerability. For sensitive operations, such as accessing archived data or recovery of failed systems, a quorum of trusted employees can be used to ensure that no individual can defeat security.
TWO-FACTOR AUTHENTICATION: Access to secure facilities almost always requires both knowledge (what you know, e.g. passwords) and official identification (what you have). Increasingly, token-based or biometric systems (who you are) are used to prevent forgery of credentials.
For sensitive systems, traditional username/password mechanisms are too weak. Humans are simply not good at choosing strong passwords, and there are many well-known instances of this sort of attack. In the case of computer systems, administrative functions are the most sensitive, because they typically enjoy access to all data and security measures. Implementing two-factor authentication methods can significantly reduce the possibility of common spoofing attacks.
KEY ROTATION: Physical and cryptographic keys are regularly rotated to limit the duration of exposure in case of a breach. Following a confirmed or suspected breach, keys can be instantly revoked or invalidated.
Enterprise and government security systems must have the infrastructure to regularly or instantly rotate keys, including both physical tokens and electronic or cryptographic keys.
This infrastructure includes mechanisms for cataloguing the database of keys needed to access archived data.
KILL-SWITCH: In military practice, it is common to protect systems that can be physically breached or overrun with some type of kill-switch mechanism to instantly destroy sensitive data or technology. The U.S. spy plane that was forced to land in China provides a good example of the need for electronic kill-switch capabilities.
Computers and storage systems that are physically insecure pose a difficult challenge to enterprises as well. Even the best firewall settings are irrelevant if an attacker can simply remove terabytes of cleartext data on disk drives. For physically insecure systems, it is advisable to make the default state of data secure, using encryption. Smart cards and cryptographic keys can be destroyed much more quickly and reliably than terabytes of cleartext data.
DOCUMENTATION AND AUDITING: Military organizations are notorious for extensive paperwork and documentation. However, when dealing with sensitive information that could cost lives or lose a war, this layer of accountability and deterrent is a smart investment.
Organizations must find ways to automate and harden their systems that track access to sensitive data. In the case of typical Unix and Windows systems, electronic logging and auditing functions are easily defeated by any user with "root" or administrator privileges. Secure logging and auditing systems that are tamper-resistant and cryptographically signed add a layer of deterrent on top of actual security.
Security-conscious organizations must create processes to constantly evaluate systems, evolving attack tactics, and overall risk profile. Several practical implications emerge:
* Designate a "Chief Security Officer" that has the training and resources to manage security on an ongoing basis. Security is a process, not a one-time project.
* For individual operating units, designate a trusted "security administrator" to manage sensitive systems that protect the overall organization. For smaller organizations, this role may overlap with other responsibilities, but ideally this role separation can create checks and balances for administrative staff. Use strong authentication to ensure the integrity of this role separation.
* Design systems that can shield sensitive data from administrators. In light of the growing insider threat, and the almost unlimited system privileges that root users enjoy, this is a major exposure point for every organization.
Centuries of experience, high stakes, and organizational discipline have helped military and intelligence organizations create sophisticated security doctrines. The design and execution of these doctrines is never perfect, but they nonetheless hold valuable lessons for organizations that are increasingly sensitized to the importance of security. Through a combination of strategy, process, and systems, civilian organizations can use these lessons to make profound improvements in their security posture.
[c]2004 Decru, Inc.
Used by permission.
Kevin Brown is vice president of marketing at Decru. Inc. (Redwood City, CA)
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||Disaster Recovery & Backup/Restore|
|Publication:||Computer Technology Review|
|Date:||Jul 1, 2004|
|Previous Article:||WORM-enabled tape storage: early birds get compliant.|
|Next Article:||The cost benefits of a SAN: an analysis of total cost of ownership (TCO) of an iSCSI SAN, fibre channel SAN, and direct-attached storage.|