BillCan's Place

Life at Microsoft


True Information Security?


I was chatting with my boss the other day, and he mentioned how experts were saying that security has moved to the host.  He was referring to the fact that in the past, most security was provided at the network perimeter, using firewalls originally, then moving to intrusion detection and prevention systems, VPNs, and so on.  Basically, all security was at the perimeter, and if the bad guy could get through that, it was party time.

As he said, we have moved into a new phase where we've done a lot to protect the network, and the focus has shifted to the host.  We are seeing lots of systems that harden servers, monitor critical files, audit access, detect incidents, etc. directly on the host.  Now the landscape has changed for the bad guy: he has to get through the perimeter defences and get onto the target host, and not be detected in either case.  With host-based security software running throughout an enterprise, it is getting more difficult to successfully break into a system without a helper on the inside.  We all know who this helper is: the user, who runs software on behalf of the bad guy by clicking on attachments and installing Trojan Horses or viruses.  Some host-based software can help with this, but it is still a big problem that is looking for solutions.  (Does anyone have any brilliant ideas they'd like to share?)

Another development is that recently companies have begun to take it to the next level: data security.  They've (hopefully) protected the perimeter and the hosts on the inside, and now want to protect their valuable data; after all, this is often what the bad guy wants in the first place.  These companies are protecting data with tools such as network encryption (TLS, SSL, etc.) for data flowing over the network, and other tools for encrypting data at rest, such as PGPdisk, Microsoft EFS, and database encryption tools.  Some companies are encrypting email messages using S/MIME and bulk data transfers using various tools such as PGP or GPG.  From my experience, this is the area where a lot of companies are concentrating their effort, and that effort is driven by regulations such as California SB-1386, HIPAA and others.

So we've gone from the network, to the hosts on the network, to the data stored on and flowing between the hosts, but there is still the next level: the information inherent in the data.  Some data is interesting for bad guys (such as credit card numbers and other demographic info), but it is information that is really valuable.  This information includes reports, strategic direction, mergers and acquisitions documents, unpublished financial information, etc.  That is, the Word, Excel, PowerPoint, etc. documents that are created based on the data and the talent of the employees.  In my opinion, these are the truly valuable assets of the company, and for the most part, they are completely unprotected.

This is why I think the next focus for information security will be rights management.  Rights management may work out to be the last line of defence against hackers ("I've made it all the way to the server storing all the executives' files, but I can't read them because they are rights protected!") and the first line of defence against users' mistakes ("I accidentally sent our unpublished financial statements to our web hosting partner rather than our accounting partner!").  In this way, I can see rights management as an important piece of the IT security puzzle.  In fact, one might call rights management the only security measure truly protecting information.

Of course, rights management is no panacea: the other security measures are still very important.  In addition, authentication is critically important in a rights management context; if I can get the system to think I'm the CEO, rights management is probably not going to help me.  Even so, I think that RM will increasingly be a focus for security professionals over the next few years.
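The two scenarios above (the attacker who reaches the file server but cannot read the files, and the statement mailed to the wrong partner) and the authentication caveat in this paragraph can all be shown with a small model. The block below is an added illustration written for this page; it is not Microsoft RMS or any product's protocol. It assumes a server that holds content keys, per-document policies and enrolled identity secrets, and it uses an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher so that only the standard library is needed. Identities, the document text and the policy are constructed.

```python
"""Toy model of a rights-protected document. The stored file is ciphertext plus a
policy; the content key is released only to a principal that both authenticates
and is named in the policy. Added illustration of the concept, not Microsoft RMS
or any product's protocol; identities and the document text are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, XORed over data (the same call
    encrypts and decrypts). A stand-in for AES-GCM so only stdlib is needed."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def _tag(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag so a tampered file is rejected rather than decrypted."""
    return hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def _proof(identity_secret: bytes, doc_id: str, principal: str) -> bytes:
    """Client-side authentication proof: HMAC over the request under the
    principal's enrolled secret (stand-in for a real identity provider)."""
    return hmac.new(identity_secret, (doc_id + "|" + principal).encode(), hashlib.sha256).digest()


class RightsServer:
    """Holds content keys, policies and identity secrets. Someone who copies the
    file store gets ciphertext only; nothing here travels with the document."""

    def __init__(self) -> None:
        self._content_keys: Dict[str, bytes] = {}
        self._policies: Dict[str, Set[str]] = {}
        self._identity_secrets: Dict[str, bytes] = {}

    def enroll(self, principal: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._identity_secrets[principal] = secret
        return secret

    def protect(self, plaintext: bytes, allowed: Set[str]) -> Dict[str, object]:
        doc_id = secrets.token_hex(8)
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ciphertext = keystream_xor(key, nonce, plaintext)
        self._content_keys[doc_id] = key
        self._policies[doc_id] = set(allowed)
        return {"doc_id": doc_id, "nonce": nonce, "ciphertext": ciphertext,
                "tag": _tag(key, nonce, ciphertext)}

    def request_key(self, doc_id: str, principal: str, proof: bytes) -> Optional[bytes]:
        """Authenticate first, then authorize against the document's policy."""
        secret = self._identity_secrets.get(principal)
        if secret is None or not hmac.compare_digest(_proof(secret, doc_id, principal), proof):
            return None
        if principal not in self._policies.get(doc_id, set()):
            return None
        return self._content_keys[doc_id]


def open_document(server: RightsServer, doc: Dict[str, object], principal: str,
                  identity_secret: bytes) -> Optional[bytes]:
    """Return plaintext, or None when the key is refused or the file was altered."""
    doc_id, nonce, ciphertext = doc["doc_id"], doc["nonce"], doc["ciphertext"]
    key = server.request_key(doc_id, principal, _proof(identity_secret, doc_id, principal))
    if key is None or not hmac.compare_digest(_tag(key, nonce, ciphertext), doc["tag"]):
        return None
    return keystream_xor(key, nonce, ciphertext)


def demo() -> Dict[str, bool]:
    server = RightsServer()
    ceo = server.enroll("ceo@example.com")                   # constructed identities
    accountant = server.enroll("audit@accounting.example")
    webhost = server.enroll("ops@webhost.example")
    statement = b"FY results (unpublished): revenue up 12%"  # constructed content
    doc = server.protect(statement, {"ceo@example.com", "audit@accounting.example"})
    return {
        # Bytes on the file server reveal nothing, even to someone with full file access.
        "file_is_opaque": statement not in doc["ciphertext"],
        # Policy members read it; anyone holding the CEO's secret gets the same
        # answer, which is exactly the authentication caveat in the post.
        "ceo_reads": open_document(server, doc, "ceo@example.com", ceo) == statement,
        "accountant_reads": open_document(server, doc, "audit@accounting.example", accountant) == statement,
        # Misdirected mail: the recipient is authentic but not in the policy.
        "misdirected_copy_unreadable": open_document(server, doc, "ops@webhost.example", webhost) is None,
        # Claiming to be the CEO without the CEO's secret fails authentication.
        "fake_ceo_unreadable": open_document(server, doc, "ceo@example.com", webhost) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point the model makes is that the protection is bound to the content rather than to the server or the mailbox it happens to sit in, which is why it survives both the intrusion and the mis-sent mail; it also makes plain that the whole scheme is only as strong as the authentication step that decides who gets a key.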

What do you think?  Am I crazy or am I on to something?  Please hit me with some comments and let's discuss...

Comments
  • One big thing I see a lot is people inadvertently sending email to the wrong person in the organization by not being careful when using auto-complete/lookup from the GAL in Outlook. User error, but surprisingly common.

    "Protect us from ourselves!"

  • I believe this to be substantially true. I agree with you.
    Host hardening is very important, and so are application-level assessments.
    Once upon a time (read: just a few years ago) perimeter protection was enough.
    But now that everybody has firewalls, the risks have moved up the stack.
    Everybody has to open ports 80 and 443 in their firewall for their web application to be visible, and so they do with port 25 and maybe 53 if they keep their DNS in house.
    This is the kind of stuff that these days every organization *has* to keep open to be able to do business. We use SOAP and XML to let our businesses interconnect, all through the common web ports and well known protocols, and we do need email to flow. Of course we do have to harden the machines too. And we should check that our applications that use those open ports are secure, as they must be exposed.
    Here is where application level content scanning comes in handy: see "intelligent" inline IDS modules, and application level proxies with deep content inspection such as ISA Server 2004. But we should harden the machines no matter what.
    Just imagine that they are exposed, without a firewall, even when they're in reality protected. A firewall is there, sure, but you should not rely on it as the only line of defence.
    Your webserver has to be a webserver: it has to expose ports 80 and 443 - that's it. Just shut everything else off. The firewall is protecting that too, great, but what about a compromised machine in the same DMZ? Multiple levels of defence are required.
    Those include hardening, firewalling, intrusion detection (network and host based), integrity checking, strong encryption and multiple-factor authentication.
    The more measures we adopt, the better.

    Among these, digital rights management is the *key* to data protection - when everything else fails, the data will still not be accessible to the attacker.
    When coupled with strong, multiple-factor authentication, the identity spoofing scenario becomes highly unlikely too.
    Even when the attacker might have stolen the data, he won't be able to do anything with it.
    Moreover, RMS might help the defender in tracking down where the stolen data has ended up.