Hoff kicked off quite the discussion on the Jericho Forum (follow up here with links to the blogs that discussed JF).
This slide deck (pdf), by Andrew Yeomans, Chairman of the Jericho Solutions Working Group, is a brief intro to the Jericho Forum. It more or less mirrors the enlightening comments by Mr. Yeomans that Rob Newby published today.
As for the arguments against the Jericho Forum, they can be divided into two groups as far as I can tell:
Those that think the JF is right, “but we will still have a perimeter”. (Lonervamp)
This is partly an issue of semantics and partly an inability to map the way we use networks to the way we defend our network assets. Our assets (data) aren’t contained within a traditional perimeter. Why surround a network with a perimeter when you really just want to protect the data? (OK, I’m sounding like Rob, but he is right.) This doesn’t mean trash firewalls, but really, we need to trash the perimeter model. The data are all over the place and won’t forever be inside the protection of a UTM device. Furthermore, as noted by Yeomans on Rob’s blog and on the slides, we are letting outsiders and threats through the perimeter, so we should design our systems to withstand these threats. In a way, this is getting rid of the perimeter.

Yes, we will be setting up protection closer to the data. You can call this a perimeter, but I really think we should trash that word. We need to consider the “placelessness” of data in the future and design our defenses accordingly. “Perimeter” implies a fence of sorts that protects things within its boundaries. This doesn’t map to the way business is done now or will be done in the future. That is the problem with the perimeter model in network security. Note: I said trash the word, not trash the firewalls. But the edge devices shouldn’t be considered the cornerstone of the de facto security model. Maybe they will exist to ensure clean pipes, but that doesn’t need to be thought of as a perimeter.
Those that have a vested interest in selling edge appliances. (Stiennon)
JF causes them to stammer in fear because they are scared they might really be tossed in the dumpster for good. They try to argue that things will remain the same to justify what they currently are selling. The nice thing about selling is there will always be something to sell, so don’t let the changes and improvements scare you.
I think the reason I like the Jericho Forum’s ideas is that they remind me of a security ideal that has eluded me since I read it in an article in college. I think it was in Wired by Bruce Schneier, but I can’t remember. It went something like this:
The ideal state of security would be when a threat agent gets inside your domain, or gets access to your secrets, property etc., but it doesn’t matter. The safety of the object is an attribute of the object itself.
At least that’s how I remember it. Ever since then, I wondered how I could give my home this attribute. How could I make it so a thief that makes it into my house is powerless to do anything to my things? E.g. I could make them invisible to him. I could make them unmovable by him, etc. I’m interested to see if the JF’s ideas will help us move closer to this ideal.
4 responses so far
1 Rob Lewis // Sep 30, 2007 at 8:58 am
Hi Jon,
Some nice insights in this post. I think what you and the JF are both alluding to, and which is simply not being said “simply”, (but you have just come closer), is that network security is not the same thing as data-centric security.
Obviously, protecting the containers (servers etc.) is not the same thing as protecting the contents (data). You are right. It is not a matter of moving the perimeter closer to the data. It is a matter of moving from network-centric thinking to data-centric thinking, and I think that deperimeterisation requires data-centric security to take place.
From what I have observed, end-point security is simply a more granular network security that has moved inward, but is still device oriented. I never see any mention of how user access to the data is governed. It is somehow implied that a compliant endpoint used by an authenticated user means that this will solve the problem of unauthorized access and use of data at the file level. How does that come about? This is just an extension of network-centric thinking.
As you say though, one must deal with the threats that we are letting in now and I would like to add a few comments to this thought.
We must not trash firewalls as they are needed to prevent leakage in a data-centric security model. After all, DLP devices are really turned-around firewalls with similar filtering ideas. So firewalls can still help eliminate the obvious garbage trying to infiltrate the network and provide defense in depth the other way in a data-centric model.
I agree with the quote by Schneier but have trouble with the bit about “The safety of the object is an attribute of the object itself.”
That statement does not map to the way business is done now or should be done in the future. I think that this is a real problem for data classification methodologies and for trying to approach data-centric security.
What I am referring to is the level of complexity required to classify data (which would be required for de-perimeterization) using object-centric rules.
The approach that is necessary that maps to business data flow is rules that are owner-centric (users, groups, roles).
This is a subtle difference but rule making becomes much more intuitive and practical when you can say, “If Jon opens a doc >secret level 5, then deny Jon access to the USB bus”, as opposed to attaching ACL lists to every doc greater than secret level 5 that Jon might one day access.
An additional bonus though is that when using this approach, default-deny becomes more intuitive as well, so that any threat that reaches your domain that is not on the white list for data access will not be able to do anything.
2 Jon Robinson // Oct 1, 2007 at 7:42 am
I was actually thinking more about data or object centric rules that follow the files around with them. I’m going to have to think about your subtle difference making the rules user centric. I’m not sure they are so different or that one is less complicated that the other. You will probably have to explain it to me. Are you saying a company can just make a whitelist of users allowed to open their secret documents? Is this enforced using data encryption?
3 Rob Lewis // Oct 1, 2007 at 8:32 am
That is basically it. A company would rank users in user groups and labelling is implicitly done. All work created is automatically labelled the same level as the user going forward. The group permissions manager and security officer could allow the release of info to other groups or a lower ranking, but it takes a deliberate effort. In the meantime, you can have an unlimited number of groups and people of different ranks in each. Your outside contractors can then only access what you want them to see, and rule creation is “allow John access to system z, or files xyz” (just an example); any other access attempts are denied by default.
If you are at a level where you can access highly sensitive docs, when in that user group, you can not cut and paste to lower level people in the same group or to anyone not in the group. You can easily make sure that no one outside of accounting sees accounting docs (IT staff, engineers) and vice versa.
To use the example rule that I used again, to make the same policy using Trusted Solaris or SELinux would apparently take about 2 pages of rules and even then you may not be sure that you have attained the same protection. Much room for error due to complexity.
This approach is one single sentence, as you read.
This is done by digital data separation at the kernel level. It is enforced by a kernel level policy enforcer.
One of the benefits is that this thinking does map to business data flow because we think of data flow in terms of users and roles.
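The owner-centric, default-deny model Rob sketches in comments 1 and 3 (users ranked in groups, new work implicitly labelled at the creator's level, a rule like "if Jon opens a doc above secret level 5, deny Jon the USB bus", no pasting to lower-ranked or out-of-group people) as an added example; this is not code from the post or from any product Rob refers to, and the users, groups, ranks and the USB cutoff of 5 are constructed.

```python
from dataclasses import dataclass

# Constructed example: a tiny owner-centric, default-deny policy engine.

@dataclass(frozen=True)
class User:
    name: str
    group: str   # e.g. "accounting"
    rank: int    # clearance level within the group

@dataclass(frozen=True)
class Doc:
    name: str
    group: str
    level: int   # implicitly inherited from its creator, no per-doc ACL

@dataclass
class Session:
    user: User
    highest_opened: int = 0   # most sensitive level touched so far

def create_doc(user: User, name: str) -> Doc:
    # Work is labelled at the creator's group and rank automatically.
    return Doc(name, user.group, user.rank)

def can_read(user: User, doc: Doc, releases=frozenset()) -> bool:
    # Default deny: same group and sufficient rank, unless the doc was
    # deliberately released to this user's group by a permissions manager.
    if user.group != doc.group and (doc.name, user.group) not in releases:
        return False
    return user.rank >= doc.level

def open_doc(session: Session, doc: Doc, releases=frozenset()) -> bool:
    if not can_read(session.user, doc, releases):
        return False
    session.highest_opened = max(session.highest_opened, doc.level)
    return True

USB_CUTOFF = 5   # "If Jon opens a doc > secret level 5, deny Jon the USB bus"

def can_use_usb(session: Session) -> bool:
    # The rule is attached to the user's session state, not to each doc.
    return session.highest_opened <= USB_CUTOFF

def can_paste_to(session: Session, recipient: User) -> bool:
    # No cut-and-paste to lower-ranked people or to anyone outside the group.
    return (recipient.group == session.user.group
            and recipient.rank >= session.highest_opened)
```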
4 andar909 // Aug 10, 2008 at 9:20 pm
Hi, andar here, I just read your post. I like very much. Agree to you, sir.