Note that whilst all summaries are available to everyone, availability of slide presentations is limited to Members of The Open Group and Conference attendees.

Allen Brown
Welcome and Introduction
Mick Coady
Keynote: Designing a Secure Organization
Mark Reichert
Security in the Schools Interoperability Framework
Ben Calloni
MIL-Spec vs. COTS Standards
Mark O'Neill
Mapping Security to a Services-Oriented Architecture
Lee Cooper
Secure Software for the Extended Enterprise
Bob Blakley
Security in Data
Mike Lambert
Enterprise Email
Tony Hain
Security Issues of IPv6 Transition and Deployment
Panel Q&A

PLENARY
Boundaryless Information Flow:
Securing the Extended Enterprise

Information technology makes the world a smaller place. Geography is no longer a barrier to sharing information, and the speed of communication is impressive. Information flow has vast benefits for the modern enterprise, yet it is overshadowed by the threat of those who abuse this technology to bring down personal, corporate or even national systems and networks, in turn causing significant financial loss and threatening national security and critical infrastructure.

Distributed Denial of Service (DDoS) attacks pose a debilitating threat to enterprise networks and to the flow of information throughout the boundaryless organization. In 2000, attacks took three to four days to propagate across the Internet; in 2003 the Slammer worm took just eight minutes. The actions of attackers - spreading viruses, stealing information and identity, undermining privacy, defacing web sites, proving they can break security measures - need constant responses; it is a continual game of catch-up. The threat to the enterprise is real, all-pervasive, and now automated.

In response, it is critical to focus on what is most important: safeguarding information, and making IT systems as fail-safe, dependable, and reliable as possible.

This conference brought together IT security and other experts to detail the current security threats, discuss the issues for enterprise communications, and outline practical solutions.

Welcome and Introduction

Allen Brown, President and CEO, The Open Group

Allen welcomed all attendees to this New Orleans conference. The plenary theme of the conference addressed how to secure the boundaryless enterprise. He outlined the line-up of excellent speakers for the plenary day, and regretted having to announce that the advertised opening keynote speaker, Bill Hancock, had been admitted to hospital two days previously and so could not be present as planned; Allen wished him a speedy recovery. The rest of the program proceeded as advertised.

Enterprise Security - Policies and Strategies for the Growth of Security in line with Changing Business Demands for Information Provision

Keynote: Designing a Secure Organization

Mick Coady, VP Security Practice, Computer Associates - Technology Services

Mick listed statistics showing the increasing extent of insecure IT systems and the damage and costs they cause. General Internet attack trends show a rapidly increasing annual rate of growth. Many of these attacks pass through firewalls that are not configured correctly. Blended attacks that combine hacking, denial of service, and worm-like propagation are a new development in attack sophistication. Tools and published information on how to mount attacks are readily available on the Internet, making it easy for relative novices to mount them.

Mick then described the anatomy of attacks. 80-90% of attacks are initiated by insiders - disgruntled and former employees. Other attackers include hackers, domestic competitors, state-sponsored and corporate espionage, and extremist groups. Physical security is crucial to prevent unauthorized access to equipment and to networked systems. Training is even available on the Internet explaining how to use telnet access through well-known open ports to penetrate networked computer systems. Mick outlined several forms of attack and how each works to gain unauthorized access to networked systems.

Identity theft - stealing customer information such as credit card, phone, utility (water, gas, electric), bank, employment, loan, government and medical records - is also increasing at an accelerating rate. Customer care, often just common sense, is the most effective precaution against identity theft. Theft of personal information from dependent people such as medical patients, by insiders in positions of trust, is sadly all too easy, and this information can be used to set up identity theft schemes. Mick listed the ways personal information is obtained. Within employers, HR is becoming the main target and source for identity theft.

Mick listed several examples of major incidents, and the response and forensic investigations these entailed. He listed the key success factors in investigations, describing the complex and time-consuming process of collecting, correlating, and analyzing data, and moving content through a network. He mentioned a few sophisticated analytical pattern detection approaches to detecting intrusions. He mentioned EnCase as one computer forensic tool for conducting non-invasive investigations. Key success factors are limiting the investigation to those who need to know, using trained professionals in the investigation, proper evidence handling, liaison with law enforcement agencies, and careful separation of criminal versus civil legal actions.

To fix the problem, the best approach is to protect your environment and information from exposure to unauthorized people: destroy records that are not necessary, and secure the data center. Mick described an enterprise security model architecture he has developed to expose the contributory factors that help fix the problem. He then proposed a balanced approach to the problem space - balancing operational risk against security risk, and providing security controls that match the business risk in an organization's operations. The regulatory environment is now critical to business operations, with high penalties for non-conformance. The critical question for customers is whether they can trust you; a high reputation is a significant business enabler.

Mick listed a set of security tips for business, in the immediate and the longer term. Buy-in at the CxO level is critical. He suggested five initiatives of an enterprise security architecture. His concluding messages were that preparing for risks brings tangible benefits in a hostile environment, that defense in depth across an entire network is key, and that you need to implement process to manage policy and incidents.

Q: Surprised the statistics on security breaches give such low figures - why is this?
A: The facts could well be 10 times these figures - but these are the audited figures, backed by evidence. Many organizations still prefer not to disclose security breaches (for fear of damaging their reputation with customers and business partners) so can't be included in the audited figures.

Q: What are the prerequisites for sensibly protected workstations in a networked system?
A: Anti-virus, firewalls, and intrusion detection systems are critical. Maintaining your systems up-to-date with official software patches is also extremely important.

Q: Where will we find best practice guides for ordinary laptop and home-users?
A: If you're building something, BS 7799 is a good place to start. For business purposes, Sarbanes-Oxley and COBIT are good things to follow.

Q: Technological solutions to security are OK, but are business operators like credit card companies not culpable too?
A: Yes, and they are addressing this problem, because they are taking an increasingly large hit with losses due to fraud and identity theft.

Q: Is the time coming when ISPs will refuse connection to users who neglect to maintain acceptable security on their workstations?
A: Yes - ISPs are already recommending use of protective systems. However, the business case of turning away customers is a problem, so these companies prefer to educate their customers rather than refuse to give them service. Corporate organizations are increasingly insisting on proper configuration of devices connecting to their network - they can do remote audit and reject connection of an insecure device to their network.

Security in the Schools Interoperability Framework

Mark Reichert, CTO, Schools Interoperability Framework

Over the past three years Mark has been involved with the SIF. He disclaimed any technical information security expertise, but gave a case study account of the success of the SIF initiative. The business objective is to enable the secure transfer and sharing of XML-based, sensitive student-related data between disparate applications installed in the K-12 educational environment. This environment ranges from applications communicating within a single school to sharing at district, state, and federal levels. Mark described the three-pronged security model used by SIF (encryption, authentication, access control), which is based on the adoption of open systems standards. He also described the role of the SIF "zone administrator" in securing the network of applications that interoperate in a SIF zone.

SIF defines five levels of encryption for each zone; a message that requires a higher encryption level than the one in use for a given zone will not be delivered to that zone. It likewise defines four levels of authentication, and agents at a lower authentication level are not allowed to see messages rated for a higher level. SIF has 86 object types, and access rights (read, write, delete, respond, etc.) are assigned for operations on each object. Their experience to date is that this access control does not yet provide the required granularity, so extending these rights is an area they are working to improve.

In the SIF system, the administrator has an important role, and a human understanding of the topology of the system helps greatly. The student environment encourages hacking, so administrators need to be alert and highly aware, not only of the temptation for students to test the inner security of the SIF system, but also of security concerns beyond their SIF network structure.

Q: Is there any co-operation between the SIF and the universities?
A: IMF share their data model, and they are co-operating on the infrastructure they are using.

Q: How widely is SIF being deployed?
A: Currently there are 2.5 million student records in the system. Schools are now mandating SIF for the applications they procure, because they see the benefits and successes that the SIF has demonstrated.

Q: Does SIF mandate any specific information security standards?
A: Not to Mark's knowledge.

Q: Interested in knowing more about the SIF authentication system - how is it structured?
A: Authentication is performed primarily on applications. They encourage use of just one Certificate Authority for each school, to avoid cross-certification complexities.

MIL-Spec vs. COTS Standards: A Necessary Harmony to Advance Homeland Security

Ben A. Calloni, Chairman of The Open Group Real-Time & Embedded Systems Forum; and Research Program Manager and Principal Investigator, Common Platform Infrastructure and Architecture, Lockheed Martin

Ben explored the value of products and components based on MIL-Specs versus those based on Commercial Off-The-Shelf (COTS) standards - and proposed we must achieve a necessary harmony between the use of these standards to advance Homeland Security.

Ben described a MIL-Spec standard as an elephant specification to define a mouse component. He described in an entertaining manner the "50G coffee pot" that could withstand extreme G forces in a military aircraft, the "6000lb dog whistle", and the cockpit windscreens that withstand huge impacts - not just unfortunate birds but, in one case of a tree-top hopping airplane, a bird with fur and no feathers, presumed to be a monkey in mid-leap between trees when it and the aircraft collided. He also described a Vietnam-era military pilot's wrist watch designed to MIL-Spec standards, and compared it with the Casio calculator-watch that was also available at that time; over a five-year period, the cost of equipping pilots with the MIL-Spec version far exceeded the cost of replacing the shorter-life COTS Casio calculator-watches. The lesson is that a balance has to be struck between what must be built to MIL-Spec standards and what can perfectly acceptably be built to commercial standards, noting that the cost of MIL-Spec components invariably far exceeds that of COTS components.

In 1999, MIL-PRF-46374G changed the way of thinking on the value of MIL-Spec products, by putting more trust in manufacturers and removing the DoD from the business of designing and ultra-detailing the engineering of military components. Ben described the way the DoD now works with COTS, placing trust in manufacturers to design components that meet stated requirements and relying on good test procedures for verification. He explained how the DoD now works with vendors in a partner collaboration to procure the components it needs. Part of this new thinking is to take a holistic view of the components that are required to work together in the same environment. It is nonsense, for example, to specify a single-board computer for 15,000 hours MTBF when the life of the aircraft it is fitted into is less than half that number of hours.

Why do we need security in embedded systems? Because embedded systems exist throughout our infrastructure - in cars, in utilities, everywhere - and these real-time systems were never designed with security in mind. NSTISSP #11 now requires information assurance in all DoD embedded systems. Ben showed the cost benefit of centrally funded COTS product certification with NSA participation. The message is that NIAP-certified COTS products are needed.

Ben then summarized the position on the MILS program today. There is clear DoD and commercial synergy, giving mutual benefits. The key is standards-based products that require more commonality in components. He noted that The Open Group's charter includes its role as a specialist in certification programs. He also noted that we have value-add related work underway in The Open Group's RTES Forum and the Security Forum. However, The Open Group's membership needs to expand its efforts to dovetail with Common Criteria and NIAP certification efforts. How can we do this? It is a good topic for discussion, and he encourages members to take it up.

Ben closed by noting that in the 21st century, information superiority is the highest priority in warfare and terrorism. Therefore for military procurements, we need to give our armed forces the best possible weapons by providing the greatest superiority in information availability.

Architecting Security - Implementation of Security throughout Systems, Protocols, Applications, and Data Components

Mapping Security to a Services-Oriented Architecture

Mark O'Neill, CTO, Vordel

Now that Services-Oriented Architectures (SOAs) are moving from the whiteboard to reality, what new challenges do they present for security?

Mark noted that an SOA involves complex applications being exposed as high-level “services”. Rather than developing new applications directly on top of legacy or ERP systems, new applications can be developed by linking these services together. Many of the ideas behind SOA have been around for many years, but new specifications such as SOAP and XML have made them easier to achieve.

Mark discussed the design of a typical SOA, referencing experience from Vordel customers in the Financial Services and Telecoms sectors. He then examined the security requirements at the SOA: how they map “down” to security at underlying layers, and map “up” to security at the user (authentication, single sign-on) and partner (B2B trust) levels. He explored where newly defined security specifications, such as WS-Security and SAML, fit in relation to this architecture, and also examined how the traditional security infrastructure components, such as Identity Management products, integrate into the SOA environment.

He described the STRIDE threat categories (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and the application of a DREAD rating (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) to assess each threat: score each of the five factors on a scale of, say, 1 to 10, then average them to arrive at a DREAD number for the threat.

Mark noted that implementing security for an SOA involves the techniques and technologies of XML security, but it also has an architectural aspect. An SOA presents problems for traditional models of security, and requires a new, message-based model which does not place any preconditions on network topology. An SOA presents security problems that are not insurmountable. They require:

  • A solution that takes into account the full transaction - the security bus, and a security context from the user to the system they subsequently access
  • Security services - re-usable security services that can be useful across the enterprise
  • XML threat-blocking - awareness of new XML-based threats and blocking of these threats

He gave real-life examples of successful SOA deployments from case histories at a large North American telco and at a European public utility company, as evidence that SOA is an effective solution.

Q: What was the mention of damage from XML about?
A: XML content filtering is important. Attachments to XML messages need special care to avoid introducing threats. Message-level security is also important.

Q: It is tempting to use RTF to augment XML with semantic information. What are the threats and opportunities here?
A: The structure of XML can be used to recognize types of message traffic. Semantics are a hard part of the problem space, but there are signs of early progression on the semantic web.

Secure Software for the Extended Enterprise

Lee C. Cooper, Security Program Manager, Oracle

Lee said that security is now, more than ever, seen as a major business driver. It is more regulated and increasingly costly, in an environment of ever more hostile hacking trends, incidents that take longer to resolve, and zero-day exploits. If civil engineers built bridges the way developers write code, there would be many damaged and collapsed buildings and bridges.

What is needed is a culture of security. Security must be built into code, and verified by an independent third party. Customers should be much more assertive in demanding that suppliers deliver safe, dependable, robust, security-aware products. The concept of Security-as-DNA is that security must become part of the corporate material (nature) of a business, as implemented by its plans, policies, and processes (nurture).

Cultural challenges exist in every corporation, and these are often the hardest to overcome. They are especially challenging for vendors. They include time-to-market pressures encouraging short-cuts, ignorance of fault-tolerance, difficulty in balancing what is fit-for-purpose against achieving perfection, and an attitudinal problem among some code developers that risk is and should remain an acceptable aspect of all code.

Lee explained that in Oracle, secure product development covers five main areas:

  • Secure engineering practice and quality assurance among developers
  • Information assurance - security evaluation by a third party against the Common Criteria (ISO/IEC 15408) and FIPS 140. NSTISSP #11 also requires such evaluation for government procurements.
  • Product assessments - evaluations are good, but "ethical hacking" is also a valuable test of robustness, yielding risk analysis. It is better to find weak points before hackers do, and this reduces costs of issuing fixes.
  • Incident response - has to be aggressively responsive. Oracle issues timely security alerts, and aims to give all customers equal service in availability of patches.
  • Secure configuration - includes implementing best practice, product shipped configured secure by default, and security health checks.

There is a continuous process of improvement, learning from past experiences to ensure best practical value is achieved from hard-won experience.

Lee listed several issues to evaluate when considering smart security buying. These include:

  • Using cost of ownership experience
  • Demanding suppliers produce total cost of ownership information for customers to assess
  • Buying products that have undergone formal evaluation - or better still, certification as compliant to known criteria
  • Being wary of immature products
  • Running code-checking tools

Lee closed with a warning about the need to assess your security in the extended enterprise - you have to consider interoperable security issues holistically. For example, how secure is your business partner? Are your extended enterprise partners and contractors and customers using secure software? Are they up-to-date with applying patches? Is their security policy good enough?

Q: Oracle says it certifies its products to the Common Criteria. What cost is involved in certifying to the Common Criteria?
A: Do not know the figures, but Oracle routinely certifies all its main versions.

Security in Data

Bob Blakley, Chief Scientist Security & Privacy, IBM-Tivoli

Bob started off by asserting that information wants to be free. The second law of thermodynamics (irreversibility of time) dictates this, and the network effect is that information has more value when it is available in the right ways. He then answered the question "what has this to do with information's aspirations?" by analogy with a dog, which also wants to be free, pointing out that it's a dangerous world out there and bad things could happen to your dog if it were free.

To protect your dog, you typically take precautions, maybe by tagging it with information. This tagging information helps protect the dog if someone finds it and takes care of it. However, the tagging information cannot provide full protection - like it being attacked by some predator, run over by a vehicle, etc.

Even so, without labels, information cannot be both free and safe. To follow the concept of the semantic web, labels should be part of the information schema, and unlabelled information should be considered hazardous. Labels that contain adjectives - secret, private, owned by, low integrity, etc. - as opposed to verbs, can be readily understood and enforced by policy engines.

But labels alone do not make free information safe - the environment (context) that the information is in is also important.

This led Bob to pose the question "What does code want?". His answer - for which he hopes to become famous as the originator - is that "Code wants to be wrong". His reasoning was that a small coding error can result in a big effect.

So what does Bob's assertion about code's aspirations have to do with security? Bob presented four examples of how code errors have caused serious problems. He asserted that we have known for years how to fix this problem. The wisdom of our elders is to use reference monitors that are invulnerable to attack. The logical model is a Policy Enforcement Point (PEP) that mediates every access and enforces the policy decision. To prevent the PEP being influenced by the code it governs, it must operate in a different address space from that code. Given this analysis, the future has the operational code running in a run-time environment, with the PEP running in a separate and independently addressed protection environment, and the data carrying a label that holds the protection information about it.
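
As an added illustration of the labelled-information idea above (this is not code from Bob Blakley's talk or from IBM), the following Python sketch is a toy policy engine acting as a reference monitor over labelled data. The adjectives "secret", "private", "owned_by" and "low_integrity" are taken from the talk's list; the clearance ordering, the "writer" role, the subjects and the sample data are assumptions constructed for the example. Unlabelled data is treated as hazardous and denied. The address-space separation the talk calls for is not reproduced here: the monitor is only a module boundary, so a real deployment would put it in its own process or protection domain.

```python
"""Toy reference monitor over labelled information (added example).

Labels are adjectives attached to data: "secret", "private",
"owned_by:<name>", "low_integrity". Unlabelled data is hazardous and
every request for it is denied (fail closed).
"""
from dataclasses import dataclass

# Assumed clearance ordering; not from the talk.
CLEARANCE_ORDER = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                      # one of CLEARANCE_ORDER
    roles: frozenset = frozenset()      # e.g. {"writer"}; assumed role name


@dataclass(frozen=True)
class LabeledData:
    content: str
    labels: frozenset                   # empty frozenset == unlabelled


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(subject: Subject, data: LabeledData, action: str) -> Decision:
    """Policy decision for subject performing action (read/write/execute) on data."""
    labels = set(data.labels)
    if not labels:
        return Decision(False, "unlabelled data is hazardous")

    # Confidentiality: the data's sensitivity label must not exceed the clearance.
    sensitivity = next((lab for lab in labels if lab in CLEARANCE_ORDER), "public")
    if CLEARANCE_ORDER[sensitivity] > CLEARANCE_ORDER[subject.clearance]:
        return Decision(False, f"{sensitivity} data exceeds {subject.clearance} clearance")

    owners = {lab.split(":", 1)[1] for lab in labels if lab.startswith("owned_by:")}

    # "private" narrows access to the listed owner(s) regardless of clearance.
    if "private" in labels and subject.name not in owners:
        return Decision(False, "private data is readable only by its owner")

    # Integrity: low-integrity content is never treated as code.
    if action == "execute" and "low_integrity" in labels:
        return Decision(False, "low_integrity data must not be executed")

    # Modification requires ownership or the (assumed) writer role.
    if action == "write" and subject.name not in owners and "writer" not in subject.roles:
        return Decision(False, "only an owner or a writer may modify")

    return Decision(True, "policy satisfied")


class ReferenceMonitor:
    """Mediates every access; application code only ever sees content via access()."""

    def __init__(self):
        self.audit = []                 # (subject, action, allowed, reason)

    def access(self, subject: Subject, data: LabeledData, action: str) -> str:
        decision = evaluate(subject, data, action)
        self.audit.append((subject.name, action, decision.allowed, decision.reason))
        if not decision.allowed:
            raise PermissionError(decision.reason)
        return data.content


if __name__ == "__main__":
    # Constructed sample subjects and data for demonstration.
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal")
    monitor = ReferenceMonitor()
    memo = LabeledData("quarterly numbers", frozenset({"secret", "owned_by:alice"}))
    diary = LabeledData("personal notes", frozenset({"private", "owned_by:alice"}))
    upload = LabeledData("untrusted script", frozenset({"low_integrity", "public"}))
    unlabelled = LabeledData("mystery blob", frozenset())
    for subj, data, act in [(alice, memo, "read"), (bob, memo, "read"),
                            (bob, diary, "read"), (alice, upload, "execute"),
                            (alice, unlabelled, "read")]:
        try:
            monitor.access(subj, data, act)
            print(f"{subj.name} {act}: allowed")
        except PermissionError as err:
            print(f"{subj.name} {act}: denied ({err})")
```

The point of the split between evaluate() and ReferenceMonitor is the one the talk makes: the decision logic reads only the label and the subject's attributes, never the application code's state, so moving it into a separate protection domain changes nothing about the policy.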

Q: In the scenario of separation of code and data, what happens if I replace the disk on my system?
A: You use disk partitioning to maintain the separation.

Enterprise Email - Balancing Security and Ease-of-Use

Mike Lambert, Fellow of The Open Group; and Director of The Open Group Messaging Forum

Mike explained that the existing email system is mature and still working well, despite being stretched well beyond its original design goals. It can carry any payload (attachments, etc.), and because it is so broadly deployed it is resistant to change. No-one fully understands how the existing Internet email system works, so changing it is risky; with so much world-wide dependency on it continuing to run at its existing, widely accepted performance levels, no-one is willing to take that risk. We need an architected approach to move things forward.

Security in email is a big issue because of risks to business information, increasing legislation, increasing demand from business partners, and the problem of spam. Security here is not just encryption - it includes AAA, tamper-proofing, non-repudiation, auditing, etc.

Technologies exist today to address all the needs of secure email; PKI asymmetric-key technology is the only solution available today. So why is email not secure today? Reasons include lack of interoperability, lack of an overall trust model, lack of an overall infrastructure, complexity of management, and poor usability of desktop encryption at the client.

The solution space currently includes:

  • The outcomes from the EMA secure messaging challenge - succeeded in multi-vendor exchanges of encrypted emails, but this ignored the generic PKI problem of certificate handling.
  • Bridge certificate authorities, to enable CAs to work together - the US Federal Bridge CA, the European Bridge CA, SAFE (pharmaceuticals), and CertiPath (US defence contractors) are examples of vertical-industry bridge CAs that have demonstrated success.
  • Domain-gateway security - which implements security at the domain boundary and allows all users within the boundary to leave their email security to the gateway for correct implementation. This would solve the usability challenge. However, it raises new issues, on the legal significance of domain signatures on messages, and on protection against internal attack.

Moving on to a major new issue in the email standards community, authentication of the sending domain is a very hot topic today. Sender authentication is a necessary precursor to solving the spam problem, though not the complete solution. Mike listed the contenders - Sender ID and the Sender Policy Framework (SPF), Client SMTP Validation (CSV), and DomainKeys. He characterized each one and concluded that Sender ID/SPF is the only realistic contender. However, Sender ID and SPF use different mechanisms to determine which domain sent the message (SPF checks the envelope sender domain, while Sender ID checks a purported responsible address derived from the message headers). Both work, and the technology to do both is available now. However, there is a major argument over the licensing terms offered by Microsoft for Sender ID, and this is hindering adoption of a common solution.

Mike proposed that next steps should embrace the following actions:

  • Support development work on bridging the bridges. Work is currently underway with the aim of cross-certifying between CertiPath and the US Federal Bridge CA.
  • Publish your organization's Sender Policy Framework (SPF) record now, to establish a critical mass of users and so bring the pressure of overwhelming adoption to bear on the IETF as the standards authority in this area.
  • MTA vendors - make sure your product supports SPF record checking at your next product release.
  • Support certification to the Secure Messaging Gateway.
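
As an added example of the SPF record checking the talk asks MTA vendors to support (this is not code from Mike Lambert's talk, The Open Group, or any MTA product), the following Python sketch evaluates a sending IP address against a domain's published SPF policy. So that it runs offline, DNS is replaced by a constructed in-memory zone of TXT and A records for made-up domains in documentation address ranges; the ip4, ip6, a, include and all mechanisms and their qualifiers are handled, the 10-lookup limit from the SPF specifications (RFC 4408, later RFC 7208) is enforced, and the redirect= and exp= modifiers are deliberately ignored.

```python
"""SPF check_host() over a constructed in-memory zone (added example).

Handles mechanisms ip4, ip6, a, include, all with qualifiers + - ~ ?.
Modifiers (redirect=, exp=) are skipped; unknown mechanisms are a permerror.
"""
import ipaddress

# Constructed TXT/A records standing in for DNS. Domains and addresses are
# documentation/reserved ranges, not real senders.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 a include:_spf.mailer.example -all"],
        "A": ["203.0.113.5"],
    },
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    },
    "example.org": {
        # including a domain with no SPF record is a permanent error
        "TXT": ["v=spf1 include:nospf.example -all"],
    },
    "nospf.example": {"A": ["203.0.113.9"]},
}

MAX_DNS_LOOKUPS = 10     # limit on a/include terms, per the SPF RFCs
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's single SPF record, None if absent, 'permerror' if several."""
    txts = ZONE.get(domain, {}).get("TXT", [])
    spf = [t for t in txts if t.lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return None
    return spf[0] if len(spf) == 1 else "permerror"


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for sender address ip claiming to send from domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]          # shared counter across recursive include evaluation
    record = spf_record(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    client = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        if "=" in term:         # modifier (redirect=, exp=): not implemented, skipped
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        result = QUALIFIERS[qualifier]

        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if client.version == net.version and client in net:
                return result
            continue
        if mech in ("a", "include"):
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "a":
                addrs = ZONE.get(target, {}).get("A", [])
                if any(client == ipaddress.ip_address(a) for a in addrs):
                    return result
                continue
            inner = check_host(ip, target, _lookups)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"
            continue
        return "permerror"      # unknown mechanism
    return "neutral"            # ran off the end of the record without a match


if __name__ == "__main__":
    # Constructed cases: (sender IP, claimed domain)
    for ip, dom in [("192.0.2.77", "example.com"), ("198.51.100.10", "example.com"),
                    ("2001:db8::1", "example.com"), ("203.0.113.99", "example.com"),
                    ("203.0.113.9", "_spf.mailer.example"), ("203.0.113.9", "nospf.example"),
                    ("192.0.2.1", "example.org")]:
        print(f"{ip:>16} from {dom:<22} -> {check_host(ip, dom)}")
```

Note what the result does and does not tell an MTA: "fail" means the domain owner disowns the sending host, "softfail" and "neutral" leave the decision to local policy, and "none" means the domain has published nothing, which is why the talk stresses getting a critical mass of records published before receivers can act on them.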

Q: This approach is heavy on policy. Physical spam is less volume than electronic spam because the cost of paper spam is fixed whereas the cost of electronic spam is disappearingly low.
A: Agree. However, any charging mechanism for email would slow down email delivery. Appreciating that Hashcash exists, it does require a small computation which will inevitably take up time.

Q: In the Internet, short-term never is, so the SPF issue is unlikely to be resolved quickly. Also the official statements from IETF about Sender-Id say that even without IPR issues the technical issues remain significant.
A: Accept that SPF is not the whole answer, but it remains the best option for us open systems standards supporters to support.

Security Issues of IPv6 Transition & Deployment

Tony Hain, Technical Leader, Cisco Systems

In the application environment, Tony noted that allocations for IPv4 addresses are rapidly being consumed - IPv6 is necessarily going to take over very soon. On access control, Tony reviewed the client/server versus the peer models.

Tony explained that NAT is not a security tool. He listed each function that NAT addresses and identified the perceived benefits in IPv4 compared to IPv6.

Internet environment diversity means that there are many different views of what needs to be done in each context. Tony split these into three broad environments - service provider, enterprise, and unmanaged.

On firewalls, Tony concluded that to a large degree they have to continue to exist. IPsec standards apply to both IPv4 and IPv6.

Tony considered the impact of IPv6 on a range of issues, including scope of accessibility, communities of interest, layered access, traceability issues, and tunneling.

Q: Will the inertia of unwilling users fight against introduction of IPv6?
A: Resistance to change is inevitable, so people have been putting effort into NAT. However, IPv6 is inevitable given the continuing growth of the Internet. Better to embrace this change than to resist it.

Panel Q&A

Bob Blakley, Ben Calloni, Lee Cooper, Tony Hain, Mike Lambert, Mark O'Neill

Q: Why do customers have to push for "challenges" to produce solutions rather than vendors take the lead to provide what the marketplace want?
A: Mike - challenges are very focussed and are set within a constrained scenario, which helps achieve effective outcomes within their context.
A: Bob - challenges rarely seem to achieve practical solutions that can be converted into marketable products.

Q: Is interoperable security impossible?
A: Bob - today's systems are almost all on the surface so you need a lot of security to cover that surface. We have a wide range of security solutions on offer in the marketplace and many people selling them. Until we use a standards-based approach we will continue to find we have non-interoperable security systems.
A: Lee - agree - for example, in Web Services we have OASIS and we have WS-I.

Q: Mobile security - when will all the pieces work together?
A: Bob - there are lots of things we know how to do securely, and many of them already can work together, so mobile security is in general no worse off than the non-mobile world.
A: Tony - good progress is being made in IETF and OMA on mobile security - it is being well addressed.

Q: How big of a security nightmare does the panel see the Global Information Grid becoming?
A: Bob - we need to define the problem we are addressing, in particular distinguishing between different types of information and how real-time or strategic the information is. Information value and time-criticality is a major issue that needs to be resolved to avoid the nonsensical demand that all information is critical and so must be instantly available.
A: Ben - there is still a lot of inter-service rivalry in the US DoD which gets in the way of adopting truly interoperable solutions throughout the military. Duplication is rife - with parallel functions in each of the army, navy and air force, where the needs of the COE program demand that these services learn to co-operate, depend, trust, and share in installing common solutions. In addition, there is rarely a generic solution to a set of requirements - the right level of detail needs to be addressed.

Allen Brown brought the panel session to a close, observing two items that are challenges to The Open Group members:

  • There seems to be significant support to address Bob Blakley's proposal for Security in Data.
  • Ben Calloni has challenged not just the Real-Time and Security Forums, but all Forums in The Open Group, to expand efforts to dovetail with Common Criteria and NIAP certification efforts. Perhaps the Customer and Supplier Councils should be the catalyst for take-up on this issue.


© The Open Group 1995-2012  Updated on Wednesday, 27 October 2004