The Wayback Machine - https://web.archive.org/web/20090131195630/http://srmsblog.burtongroup.com:80/2007/03/index.html


March 2007

March 30, 2007

“…for only out of the past can you make the future.”

Blogger: Diana Kelley

That’s Jack Burden, Robert Penn Warren’s aptly named narrator of “All the King’s Men.” For most of the novel, Jack tells the story of the complicated politician Willie Stark from behind an “ignorance is bliss” façade. Over the course of the novel, as Willie’s transformation from honest citizen to corrupt politician (and almost back again) becomes painfully clear, Jack’s forced to examine his own life and reject his detachment; “It was like the ice breaking up after a long winter. And the winter had been long.”

So what’s this got to do with information security and risk management? Well, like Willie and Jack, I think we may need to go back to our past in order to make our future, to melt the hard ice that is freezing out our ability to evaluate alternatives. Specifically, I think it’s time for the industry to take a long, hard look at our assumptions about the need for fully distributed systems, ever more powerful mobile devices, and the trade-offs for risk and security. Remember terminals and centralization of data control? Have you used a Rich Internet Application (RIA) such as Salesforce.com recently? Have you really thought about what we’ve lost by insisting that every user in an enterprise needs to have a redundant copy of sensitive data on their desktop? Laptop? Phone? MP3 Player?

standing in the way of progress, let’s examine where our fantastic power of distribution has gotten us:

  • A whole market-space of vendors creating products to protect content: encrypting data on distributed devices, controlling duplication of data to targets such as DVDs and USBs, content control monitoring systems policing the communication information in every packet going in or out of a network or host
  • Explosive copies of data leading to fun games such as “who’s got the canonical copy” and “where’d my customer list go?”
  • Some large organizations are putting glue in USB ports (really, glue…)
  • An alphabet soup of regulations (PIPEDA, HIPAA, GLBA, PCI, to name a few)

There’s more, lots more, but these data points illustrate that the distributed model has created a serious problem for content control. And I genuinely believe that quite a lot of those problems can be mitigated by returning to a more centralized model of data control. If the data is never, ever distributed, except temporarily, to a screen, the content control question changes significantly. Ask yourself, is it easier to filter content from a server to a user screen with access controls on the server, or to filter that same content from hundreds or even thousands of replication points? How about application patching? Would it be easier to patch the one copy of the browser on the server that all users access remotely? Or to distribute that same patch to all of the target devices in use?

Would a return to a terminal-server (or Web 2.0/RIA-server) model solve all of our problems? To paraphrase another famous fictional character with the initials JB, “it’s pretty to think so,” but it’s patently unrealistic. There’s always a way around. There are possible, but hard to execute, misuse cases such as cell phone camera snapshots of screen information. Really, though: capturing 4 gigs of customer data with a RAZR? Much more concerning is the aggregation-of-risk issue: if all the data is in one place, the single source repository becomes the target attack point. However, even in the distributed model, there is often a central repository that is supposed to hold the canonical copy of the data. And high availability and data synchronization can provide backup for central systems.

The trend points toward a return to more centralized control of data are already real. Software developers have long used code repositories to maintain version control over code. SharePoint and other data repositories are bringing content together and replacing the recent past of sending multiple copies of documents around via email. Another leading indicator is the explosion of Web 2.0/RIA applications, including streaming productivity applications such as Office Live and Google Office and portalized CRM applications such as Salesforce and SAP.

Sure, going terminal-server would change things. The model is dependent on persistent, always-on network connectivity. With almost ubiquitous wireless access we’re closer to that reality today than we were a decade ago, but there are still many instances where network access is slow, prohibitively costly, or just plain not available; planes, for instance. And all the expensive hardware and operating systems companies have invested in pose a real financial consideration. Dump them for inexpensive terminal-only devices, portable ones included? Oh, who manufactures those yet? Or lock down expensive, already depreciating hardware to turn it into dumb terminals? I didn’t say this was going to be easy.

All I’m saying is that just because we have the ability to do something doesn’t mean it’s the best thing to do. Willie had to learn that his newfound Realpolitik power to make shady building deals and have extramarital affairs ultimately caused more harm than good, both for himself and for his constituents. I think our power to distribute data has hit a tipping point and may be causing us more harm than good, and that it’s time to take a look at the past, melt the ice of our assumptions, and rethink centralization.

What do you think?

March 21, 2007

The End of Secrecy

Blogger: Bob Blakley

Scott McNealy famously said "You have zero privacy anyway. Get over it."

I disagree, but let's save that for the end. If you want evidence for McNealy's position, you don't have far to look.

You could look at your typical day. Here's one of mine. Get up at 5am. Get ready for my trip, get in the car, notice that I'm almost out of gas. Head to the Shell station down the street. It's not "open" yet, so I put my credit card in the pump and fill my tank.

CREDIT CARD RECORD: BOB BLAKLEY BOUGHT $17.57 OF MID-GRADE. SHELL STATION #xxx, RM 620, ROUND ROCK, TX. 5:31 AM.

Get back on the highway. Drive a couple of blocks to Starbucks, which is open. Buy a tall coffee, black.

STRIP MALL SURVEILLANCE VIDEO: BOB BLAKLEY ENTERING STARBUCKS, CORNER OF RM 620 and IH-35, ROUND ROCK, TX, 5:37 AM.

Get back on the highway. Decide to take TX 45 to HWY 183 because it avoids some lights.

TXTAG TOLLWAY RECORD: BOB BLAKLEY'S CAR CHARGED $1.45, TX 45 SOUTHBOUND AT HOWARD LN., WILLIAMSON COUNTY, TX, 5:41 AM.

Drive to Austin Bergstrom Airport. Park car.

ABIA PARKING SYSTEM RECORD: BOB BLAKLEY'S CAR ISSUED TICKET TO LONG-TERM PARKING. TRAVIS COUNTY, TX, 6:17 AM.

Check in at the counter.

US AIRWAYS: BOB BLAKLEY CHECKED IN FOR FLIGHT FROM AUSTIN TO PHOENIX (CONNECTION TO VANCOUVER), ABIA AIRPORT, TRAVIS COUNTY, TX. 6:21 AM.

Call home to assure everyone that the coffee worked & I made it safely to the airport.

CINGULAR WIRELESS: BOB BLAKLEY CALL TO KAREN BLAKLEY, DURATION 3 MINUTES. ORIGINATING CELL #xxx. 6:22 AM.

(the cynics among you may be thinking:

NSA WIRETAP: BOB BLAKLEY TO FEMALE SUBJECT, PRESUMED TO BE KAREN BLAKLEY. NO KEYWORDS OF INTEREST. DURATION 3 MINUTES. CINGULAR RECORD #yyy. 6:22 AM.)

And so on. You get the picture. If I want to do something a determined investigator can't find out about, I've got to work very hard and be very careful.

David Murakami Wood and colleagues put the situation this way: "We live in a surveillance society. It is pointless to talk about surveillance society in the future tense. In all the rich countries of the world everyday life is suffused with surveillance encounters, not merely from dawn to dusk but 24/7. Some encounters obtrude into the routine, like when we get a ticket for running a red light when no one was around but the camera. But the majority are now just part of the fabric of daily life. Unremarkable." My personal blog's entry about Wood's report, which is entitled "A Report on The Surveillance Society," is here.

I know what you're thinking – you're thinking "hey, Bob, I thought you disagreed with McNealy. Why are you making his case for him?"

Good question. Luckily, there's a good answer.

What McNealy should have said is "You have zero secrets anyway. Get over it." That's true. There are no more secrets.

Let me say that again. THERE ARE NO MORE SECRETS.

Don't believe me?

Look here.

Or here.

Or, if you don't want to use a cell phone, why not just chip the people?

On the other hand, cell phones can be used for more than just tracking.

Think you've got a friend others don't know about? Possibly not.

Think you can protect yourself by anonymizing your access to electronic resources? Think again.

There are even proposals to outlaw online anonymity.

Want to find all the pictures of yourself (or your estranged girlfriend) on the web? Try this.

Let's say it one more time: THERE ARE NO MORE SECRETS.

Luckily, privacy is not secrecy. Privacy is privacy. It has much more to do with me respecting your dignity, and you respecting mine, than it does with either of us keeping secrets. This is where McNealy got it wrong. I gave a talk about this recently; it's entitled "What is Privacy, Really?" You can find the audio and the slides here.

The end of secrecy has implications far beyond privacy, of course. Secrecy has been at the heart of information security from the beginning – some of the earliest computers were built to compute, and break, ciphers. The biggest annual computer security conference is hosted by a cryptography company (RSA).

Ironically, cryptographers have never been big believers in secrecy. I recall (from memory, so probably somewhat inaccurately) a quote attributed to Robert Morris, Sr. (formerly NSA's chief scientist): "World War II represented a brief period of sanity in cryptographic history; during the war, people spoke of using encryption to protect messages for hours or days, whereas both before and after the war they spoke of protecting the messages forever."

The skepticism continues; Mihir Bellare and others have done extensive work on frameworks for proving cryptographic protocols correct under a small number of carefully stated assumptions. I've never been comfortable with these results, because I can't figure out how to reconcile them with Shannon's definition of "perfect security" of a cryptosystem, which doesn't require assumptions and which I can understand and believe.

Shannon showed that perfect secrecy demands at least as much key as message: one fresh key bit for each plaintext bit, never reused (formally, the key entropy must be at least the message entropy, H(K) ≥ H(M)). Whenever the text is longer than the key, the key has to be reused, and statistical correlations (which can be exploited by an adversary to attack the security of the cipher) begin to creep into the system. Public-key cryptosystems, of course, use short keys to protect long texts, as does every practical symmetric cipher; their security is computational and rests on assumptions rather than being unconditional.
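To make Shannon's point concrete, here is an added example (my illustration, not code from the original post). It uses a constructed English sentence and a constructed four-byte key, and assumes the attacker already knows the key length (the usual Kasiski or index-of-coincidence step for guessing it is left out). It shows three things: with a key as long as the message, any same-length decoy plaintext is exactly as consistent with the ciphertext as the real one; once the key is shorter than the text and repeats, XORing ciphertext bytes one period apart cancels the key and exposes plaintext correlations; and those correlations let an attacker recover the key, column by column, from the ciphertext alone.

```python
"""Shannon's bound in practice: a key reused over text longer than itself leaks.

Added example for illustration, not from the original post. The sample text
and the short key are constructed here; the attacker is assumed to know the
key length (the Kasiski / index-of-coincidence step for guessing it is omitted).
"""
import os
import string

LETTERS = frozenset(string.ascii_letters.encode())
PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x0A}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. With a fresh random key at least as long as data this
    is a one-time pad; with a shorter key it is a Vigenere-style cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def otp_key_for(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy, Shannon-style: when the key is as long as the message,
    every plaintext of that length is explained by some key, so the ciphertext
    alone rules nothing out. Returns the key mapping the candidate to ciphertext."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must have the same length as the ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


def xor_one_period_apart(data: bytes, period: int) -> bytes:
    """XOR each byte with the byte one key period later. On ciphertext made with
    a key of that period the key cancels, leaving pt[i] ^ pt[i + period]: the
    statistical correlation Shannon warned about, visible without the key."""
    return bytes(data[i] ^ data[i + period] for i in range(len(data) - period))


def english_score(buf: bytes) -> int:
    """Crude plaintext-likeness score for one candidate single-byte decryption."""
    score = 0
    for b in buf:
        if b == 0x20:
            score += 2
        elif b in LETTERS:
            score += 1
        elif b not in PRINTABLE:
            score -= 5
    return score


def recover_repeating_key(ciphertext: bytes, key_len: int) -> bytes:
    """Exploit the leak: every key_len-th byte was XORed with the same key byte,
    so each column is a single-byte XOR of English and can be brute-forced on
    its own by scoring all 256 candidates."""
    key = bytearray()
    for col in range(key_len):
        column = ciphertext[col::key_len]
        best = max(range(256),
                   key=lambda k: english_score(bytes(b ^ k for b in column)))
        key.append(best)
    return bytes(key)


# Constructed sample input (not from the original page): 82 bytes of English
# under a 4-byte key, so each key byte is reused about twenty times.
PLAINTEXT = (b"It was like the ice breaking up after a long winter. "
             b"And the winter had been long.")
SHORT_KEY = b"SRMS"


def demo() -> dict:
    """Run the three checks and return their outcomes."""
    ct = xor_with_key(PLAINTEXT, SHORT_KEY)
    period = len(SHORT_KEY)

    # 1. One-time pad: a decoy plaintext is exactly as consistent with the
    #    ciphertext as the real one, because a key exists for each.
    ct_otp = xor_with_key(PLAINTEXT, os.urandom(len(PLAINTEXT)))
    decoy = PLAINTEXT[::-1]
    decoy_consistent = xor_with_key(decoy, otp_key_for(ct_otp, decoy)) == ct_otp

    # 2. Short key: the key cancels between positions one period apart.
    key_cancels = (xor_one_period_apart(ct, period)
                   == xor_one_period_apart(PLAINTEXT, period))

    # 3. Short key: the key comes back out of the ciphertext alone.
    recovered = recover_repeating_key(ct, period)

    return {
        "decoy_consistent": decoy_consistent,
        "key_cancels": key_cancels,
        "recovered_key": recovered,
        "recovered_plaintext": xor_with_key(ct, recovered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The scoring function is deliberately simple (spaces and letters score, unprintable bytes are penalized); it is enough here because every column contains at least one space, which is what separates the true key byte from the candidate that merely flips letter case. Real attacks use frequency tables and a key-length estimate, but the mechanism is the same: a key shorter than the text is a key that repeats, and repetition is structure an attacker can use.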

Neal Koblitz and Alfred Menezes recently published a paper entitled "Another Look at 'Provable Security'" in the Journal of Cryptology; they argue that keeping secrets using cryptography is much harder than is envisioned in many of the proposed proofs of security.

Even if our cryptographic primitives and protocols were unbreakable, though, we'd still be in a lot of trouble as concerns keeping secrets. The analog hole guarantees that conversations can always be wiretapped, and texts can always be read, the old fashioned way (it also guarantees that DRM will always be broken). A key is fine as long as it's you – instead of the trojan horse you picked up last week – in the driver's seat when the key is used to unlock your secret. And so on.

I'll be focusing on "The End of Secrecy" and its implications (for privacy and also for security) at our Catalyst conference in San Francisco in June. If you're interested, why not make plans to join us there? If you disagree, email me or leave a comment – or just come to the conference and we'll discuss it in person!

March 15, 2007

Welcome to the blog of Burton Group's Security and Risk Management Strategies (SRMS) team!

Blogger: Dan Blum

This blog is created with the following in mind:

Industry perspectives: Whether it’s a denial of service attack on DNS servers, a rule covering electronic evidence or a hot vendor acquisition such as Cisco snapping up Reactivity in February, SRMS wants the option to weigh in. We have a unique perspective from many years of experience, many months of in-depth research on any number of topics, and hundreds or thousands of insightful customer interactions and probing vendor briefings.

Analysts unplugged: Have you ever sat down for 15 minutes to read your inbox, but an hour later you’re still at it? This happens all the time for me, but often as not it is a rewarding, not frustrating experience. Our analysts and consultants get into incredible discussions from time to time; I’ve often thought “I wish he/she would publish this!” Now we can, as a team. This blog won’t be like our architectural Technical Positions – where we bend over backwards to achieve consensus – it’ll be more of a backstage view.

Realism about security: SRMS promotes a systematic, comprehensive approach to security. However, we understand that information protection is more than a model; it must always happen within the larger context of the business. There are so many aspects to this that it’s hard to know where to begin. Even risk management - which is where we say to start - can be treacherous, and this has led us to addressing methodologies for both quantifiable and non-quantifiable risks.

Thematic focus: In our recent VantagePoint 2007 webcast, we identified five themes that we’ll be tracking closely: proactive security, de-perimeterization, raising the bar on OS (and endpoint) security, creating information-centric security architecture and achieving sustainable compliance. As important events or thoughts on these themes emerge, we’ll be sure to address them in the blog.

Make a difference: Information security is not a game; bad things are happening to people and organizations all the time. Yes, we’re in this business to make money, but what also keeps us motivated is the opportunity to score wins for the defense. Whether it’s improving the thought process, encouraging responsible behavior or promoting better practices, standards or better ways for information protection to work, we want to be on it. In keeping with current coverage themes, we’re very interested in false-positive reduction, reputation-based trust, data redaction, endpoint and data virtualization, security event standards and other areas where breakthroughs are needed.

Feedback loop: Comments are turned on, and we’ll use them to have a discussion with the industry. If you have further ideas on what we’ve covered, or even if you disagree with something we wrote, please chime in. Time permitting, we’ll also participate in ongoing blogosphere discussions, even if they occur on other blogs.
