All Contents © 2003 Burton Group. All rights reserved.
The Tower of Babel and The Walls of Jericho: Complexity and Simplicity in Security
Thursday, May 27, 2004
Fred Cohen
Principal Analyst
www.burtongroup.com
Complexity and Simplicity in Security
Agenda
• The Tower of Babel
• The Walls of Jericho
• Complexity and Simplicity in Modern Enterprises
• A Perspective on the Conference
The Tower of Babel – Genesis 11:1-9
The whole earth spoke the same language and thereby everybody was able to communicate
The people joined forces to build a tower into the heavens
God confounded their language so they could no longer talk to each other
The people were scattered all over the world; the tower was never completed
Sound familiar?
The Tower of Babel
Protection today
• Those designing protection measures build products that don’t talk the same language
• Trying to get them to interoperate creates all sorts of complexity that becomes unmanageable
• Attempts at language unification fail for the most part – because of competitive advantage as well as many other technical reasons
• ALSO – we keep piling junk on top of junk. Without a proper foundation, this house of cards is certain to fall
This comes down to a software quality issue
• Can we make software that works reliably and securely?
• Can we do it at the complexity levels we are approaching?
The Tower of Babel
The Simplicity Principle (GASSP)
“Information security professionals should favor small and simple safeguards over large and complex safeguards.”
• The simplicity principle was lost in the new GAISP!!!
• Simple safeguards can be thoroughly understood and tested
• Vulnerabilities can be more easily detected
• Small, simple safeguards are easier to protect than large, complex ones
• It is easier to gain user acceptance of a small, simple safeguard than a large, complex safeguard
The Walls of Jericho – Joshua 6
Canaanites on the inside, Hebrews around the perimeter
• Only Rahab the innkeeper’s house was not destroyed
• An insider who hid the Hebrew emissaries
Sound familiar?
Jericho continued
80% of losses involve insiders
• This figure changes a bit from year to year
• Insider and outsider are now more blurred
• Losses ≠ incidents
The hard outer shell and the gooey center
• Jericho was protected only by a wall with guards
• No forces in front of the wall
• No internal fortifications
Historical note:
• Fixed fortification perimeter defenses undermined
• Current explanation: earthquake… but who knows
Complexity and Simplicity
Complexity issues
Effective information protection has always been limited by complexity – too complex and it fails
• This led to the ‘simplicity principle’
• Recently abandoned, leading to widespread failures
• Still ineffective against insiders and lacks redundancy
But big organizations perceive a need for complex controls
• Because they have complex infrastructures
• Because of high cost and lack of expertise
• Because of the need for compliance that changes
• Because non-centralized implementations do not support controls homogeneously
Is this a house of cards?
Complexity and Simplicity
Simplicity Issues
Simple defenses have always worked well
• Except against insiders
• They are easier to manage locally
• They are easier to verify
• They tend to work for a long time
• They are easily understood and analyzed
But they have failings
• They are usually easily undermined by insiders
• They tend to lack redundancy
• But so are complex defenses!!!
Can we do it more simply and still have it work?
Complexity and Simplicity
It’s all about balance
Occam’s Razor, Einstein’s comment
• As simple as it can be
• and no simpler
Occam and Einstein were right
Regulatory compliance and change management are key
• If you can’t meet regulatory requirements you lose
• If you can’t handle infrastructure-wide changes, you lose
• Cost drivers are getting extreme
Bloat
• Most SW has bloat
• Much SW is mostly bloat
• Excel’s Flight Simulator
• Bloat also creates holes
Redundancy
• If properly implemented…
• Assures against weakness
• Reduces impact of failures
• Increases administration
Insiders still a problem
• None of these adequately address the insider issues
• Redundancy has potential
Complexity and Simplicity
Can the industry build
• High assurance complex infrastructures
• That support complex, changing, integrated protection
• Answer: We don’t really know yet
• IBM, CA, others trying to implement aggregated control from policy to fine grained access control
• And making some progress
• Large scale is necessary to both drive and do development
• Very substantial investment is required to change over
• Central control produces enormous exposures
• Significant conversion costs
Complexity and Simplicity
Some things seem clear
• Very few contenders for it
• Once it is built, it may become far less expensive through economy of scale
• Higher consequences lead to increased assurance requirement
• Higher consequences and higher volume may lead to higher quality
• Conversion and upkeep costs are non-trivial
Can we reach the volume needed to make it work well?
Will we invest in it?
Complexity and Simplicity
Can simple solutions work in complex enterprises?
• Can we devise simple solutions to complex problems?
• I think we can in some cases
• Are we asking too much of information protection?
• I think we are asking more than it can currently handle
• Will the load become so high that it cannot be handled?
• It already is far beyond what we can handle perfectly, but perfection should not be our objective
• When will all the complexity end in favor of a small number of higher quality simple protection measures?
• Not when, but under what circumstances
• Driven by risk, not by time!
Complexity and Simplicity
It’s all about risk management
• Enterprises believe, for example, that when you order a toaster over the web, your order should automatically and instantaneously increase aluminum production
• In order to do this, they make it possible for an error in your toaster order to have a dramatic effect on the global aluminum markets
• As long as the risk of an aluminum collapse is justified by the desire to link your toaster order to production, this is how it will work
• The question is: Do the risk managers understand that this is the implication of these decisions?
Conference Perspective
Is this identity management thing really too complex to do well?
Conference Perspective
Or is this an issue of making better languages and standards?
Conference Perspective
If we get systematic, can we do identity administration right?
Conference Perspective
Does the VEN simplify to where we can manage the issues?
Conference Perspective
Is an 11-element infrastructure too hard to handle?
XACML Access Policy Enforcement Model
eXtensible Access Control Markup Language
Conference Perspective
Enterprise architecture
Regulatory compliance
Provisioning
Privacy management
Roles and Rules
Federation
Scalability
Middleware
Data centers
Perimeter protection
Next-generation anything
Distributed security
IP telephony
Conference Perspective
We are at a crossroads
• Will we really abandon simplicity?
• Can we handle the complexity?
• Do we have a choice?
• Will we centralize or distribute?
• Policy?
• Jurisdiction issues, federation issues
• Brittleness and risks of central controls
• Controls?
• The gooey center?
• How do we deal with insiders?
Conference Perspective
Complexity of mechanisms forces us to consider
• How trustworthy can we make these complex mechanisms?
• How is innovation stifled by these controls?
• Will we cede control to vendor parochialism?
Software quality is the key issue
• We are building towers of Babel
• If we don’t get a lot better at software it will collapse
• Attackers are well aware of complexity exploits
• To succeed in this direction we will need
• Some dramatic changes in the way we do software
• Standardized requirements for safety in interoperability
Complexity and Simplicity in Security
Conclusions
• Beware complexity
• Loose vs. tight coupling – polyarchy
• As simple as possible, but no simpler
• Go with standards-based solutions
• Achieve clarity through models
• Understand the tradeoff between
• Efficiency and effectiveness
• Simplicity and complexity
• Centralization and distribution
• Over time, simplicity wins out, and then it gets complicated
• If none of these work, fire all the insiders