Time for a new security model

The classic goal-oriented model for security design is broken. Fixing it will require new attitudes toward security planning.
Confidentiality, integrity, availability: The security industry declares these the goals of computer security. While this goal-oriented approach to defining security needs, known to security folk as the "CIA model," is good as far as it goes, it no longer goes far enough. Forged in the early days of the Internet's commercialization, the classic CIA approach took on authentication, access control and nonrepudiation as goals in the mid-1990s. Since then, this model has become standard security fare. But the goal-oriented approach neglects today's critical security needs, where attacks are more sophisticated, frequent and from a wider range of sources.

For instance, the traditional architecture for implementing the CIA model - the firewall-based perimeter - is increasingly ineffective. (See related story Fortifying the firewall.)

Worse still, the goal-oriented approach does nothing for the other half of good security planning: risk assessment. Risk assessment, which guides security managers in prioritizing security spending, is sorely neglected even in organizations that acknowledge its importance.

"We use CIA as a guideline, but the majority of what we do now is a 'disaster-recovery' model. What can we live without, and what is the impact of without? But our company unfortunately has not done a lot of risk assessment - only to say, if we lost it, what does it hurt?" says a senior network security engineer for a global, Fortune 100 food corporation who asked not to be named.

Despite these shortcomings, the security industry and users overwhelmingly assume that CIA is the best way to achieve high security. Network executives can't afford to buy into that assumption. True, confidentiality and its five siblings forever will be security goals; yet goals are only a portion of the plan. Other portions should be risk assessment and a modified version of the "tried and true" demilitarized zone (DMZ) perimeter. Critical, too, is the need to recognize new goals as they emerge.
Time will tell

CIA thinking has turned security planning into a product game. Security equals the installation of point products that perform goal-oriented tasks. You install encryption for your confidentiality, tokens for your authentication, firewalls for your access control, and so on. If a failure occurs, the theory goes, execution is to blame (a missed patch or faulty setup), not the underlying design.
But chasing after goals with products is a flawed tactic on several counts. It can lead to times when the goal is achieved but security isn't. For instance, 128-bit key encryption will endow critical e-mails with confidentiality, and maybe integrity, but it won't stop a worm at the ISP from munching messages before recipients read them. So while the security goals for messages were met, the business goal of ensuring safe delivery of critical information was not.

Basing security on achieving goals sets you up for failure because it requires always-perfect product implementations (not a real-world expectation), or at least one back-up system for every product (not fiscally feasible or responsible). Far wiser is basing your security architecture on an acceptable percentage of time goals should be met, which is what risk assessment tells you. If you know how much money a specific breach will cost the company, you can determine the acceptable percentage of time a security goal can be missed and how much to spend on defense.

This risk assessment will let you conquer what users say is security's biggest hurdle: obtaining adequate budgets. "Security is a hard sell because if I'm doing my job right, nothing happens," says Matt Raymond, manager of information security for employment agency Robert Half International, in Pleasanton, Calif.

Risk assessments often are neglected because network executives are typically technology specialists, not risk analysts. One model that simplifies the task is time-based security, says its developer, Winn Schwartau, security consultant, author and Network World's "On Security" columnist. Time-based security lets security managers "mathematically quantify" security risk, Schwartau says. It assumes the worst-case scenario - no security - and calculates how much damage could be done in the time it takes a company to detect a hack and react to stop it.

"With a jewelry store, a thief could easily breach security - just hammer through the window. But that triggers an alarm. How much a thief can steal in the time it takes the police to get there is the risk," Schwartau says. "Detection plus reaction equals risk. This is identical in the cyberworld." The trick is assessing the value of the stolen data, he adds.

When following this model, security executives determine which files could be accessed in a specified amount of time, such as the four days Schwartau says it typically takes to realize a breach. Dividing file size by bandwidth will pinpoint the amount of time a hacker would need to grab that file and, therefore, which files are at risk. Myriad other formulas give security managers other measurements of risk, which they can turn over to risk-assessment specialists. Those specialists can determine the value of that data (a research and development database or customer billing information) and what it's worth to secure.
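The file-size-over-bandwidth calculation described above, worked through as an added example that is not from the article or from Schwartau's own material. The inventory, dollar values, the 10 Mbit/s link and the two-hour reaction time are constructed assumptions; the model also assumes each asset is copied on its own over a fully available link.

```python
from dataclasses import dataclass

DAY, HOUR = 86_400, 3_600  # seconds

@dataclass(frozen=True)
class Asset:
    name: str
    size_bytes: int
    value_usd: int  # figure a risk-assessment specialist would supply

# Constructed inventory: names, sizes and values are illustrative only.
INVENTORY = [
    Asset("rd_database", 6_000_000_000_000, 5_000_000),
    Asset("design_archive", 300_000_000_000, 900_000),
    Asset("customer_billing", 40_000_000_000, 1_200_000),
    Asset("hr_records", 2_000_000_000, 150_000),
]

def transfer_seconds(size_bytes: int, link_bps: int) -> float:
    """File size divided by bandwidth. Sizes are bytes, links are bits/s."""
    if link_bps <= 0:
        raise ValueError("bandwidth must be positive")
    return size_bytes * 8 / link_bps

def exposure(assets, detect_s: int, react_s: int, link_bps: int):
    """Assets that can be copied in full before detection plus reaction ends."""
    window = detect_s + react_s
    at_risk = [a for a in assets
               if transfer_seconds(a.size_bytes, link_bps) <= window]
    at_risk.sort(key=lambda a: a.value_usd, reverse=True)
    return at_risk, sum(a.value_usd for a in at_risk)

def reaction_budget(asset: Asset, detect_s: int, link_bps: int) -> float:
    """Seconds left to react after detection before the copy completes.
    Negative means the copy finishes before the breach is even noticed."""
    return transfer_seconds(asset.size_bytes, link_bps) - detect_s

if __name__ == "__main__":
    link = 10_000_000  # assumed 10 Mbit/s of usable outbound bandwidth
    for label, detect in (("4-day detection", 4 * DAY),
                          ("1-hour detection", HOUR)):
        hit, value = exposure(INVENTORY, detect, 2 * HOUR, link)
        print(label, [a.name for a in hit], f"${value:,}")
```

Shortening detection from four days to one hour shrinks the at-risk set because fewer assets fit through the link before the response lands, which is the lever the model gives a budget request.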
And that, users say, is the Holy Grail. "Executives recognize that things need to be done for computer security but don't have a real understanding of what the computer systems do. I need to present it to them in actuarial tables - the way they understand," the senior network security engineer says.

No more Tootsie Pops

Network executives must also revise their traditional models of implementation, says Howard Schmidt, vice chairman of the Critical Infrastructure Protection Board, an advisory board to the federal government on national IT security defenses. This means overhauling the traditional DMZ design.

"I call it the Tootsie Pop syndrome - hard outer shell/soft chewy center. The traditional way we look at network security is to create the firewalls and environment to keep people out. But once someone is inside, he can pretty much do what he wants," he says.

Rather, network executives should concentrate on securing all pieces of the network puzzle - clients, wires, servers and applications, Schmidt says. But securing every PC and node individually can create a support nightmare, users say, particularly in companies with thousands of them, in hundreds of offices across half-a-dozen countries.

The new Virtual Enterprise Network (VEN) security model, created by research firm Burton Group, offers a compromise. "The hard-shell/soft-chewy center model no longer works in an era of virtual enterprises," contends Daniel Blum, Burton's senior vice president and research director, and Network World "Intranet Advisor" columnist. "VEN is a layered defense."
Specifically, the VEN model defines four logical layers: the resource layer, which houses clients, servers, applications and data; the perimeter layer, which defines an organization's physical boundaries and contains firewalls, proxies and gateways; the control layer, where authentication services reside as do controls for security policies across layers; and the extended perimeter, where companies engage technologies or services to secure resources physically located outside the perimeter. The upshot is a model that builds on the existing infrastructure, but plans for a distributed perimeter, Blum says.

Missing the goal

While goals might not be an appropriate basis for your entire security model, they remain an important part of security planning. But you shouldn't be able to count off the whole list on one hand. One addition should be the protection of a company's reputation, Schmidt says. Users agree.

"If you have a Web site and all of a sudden someone's selling all of your [customer] names off your site, or they end up putting their name on your Web site, your reputation will be damaged," Robert Half's Raymond says. Likewise, brand protection also needs to be a security goal, say Schmidt and other experts.
Taken together, a top-notch risk assessment, revised DMZ implementation and expanded goals make for complete computer security today. Yet this plan is only one leg of the three-legged cybersecurity table. The other two are physical security and trustworthy people, Schwartau says.

A company's maintenance or building security staff traditionally has handled building access and other physical security systems, without input from security professionals in IT. That needs to change so that the swipe of a building-access card is not a stand-alone event, Schwartau says. "That [building-access card] database should talk to the other databases and say, 'Hey, how come Bill is logged into his machine if he wasn't in the building?'" he says.

As for people, Schwartau and Schmidt make two points. The first is that all the technology in the world won't help if your people don't follow your processes for auditing, patch maintenance and other ongoing support. The second is that you should verify the trustworthiness of anyone to whom you will be giving significant network access by running background checks. This is particularly important when hiring IT contract workers in countries known to harbor terrorists, Schwartau says.

Strong IT security can only be accomplished if all of the table legs are equally sturdy.
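The badge-to-login cross-check Schwartau describes ("how come Bill is logged into his machine if he wasn't in the building?"), sketched as an added example that is not from the article. The log layouts, user names, host names and the console/remote distinction are constructed assumptions.

```python
from datetime import datetime

# Constructed sample records; the field layout is assumed for this example.
BADGE_LOG = """\
2024-03-04T08:02:11 alice IN
2024-03-04T08:15:40 carol IN
2024-03-04T12:01:05 alice OUT
2024-03-04T13:04:52 alice IN
2024-03-04T17:30:00 carol OUT
"""
LOGIN_LOG = """\
2024-03-04T08:05:00 alice ws-114 console
2024-03-04T09:12:33 bill ws-207 console
2024-03-04T12:30:10 alice ws-114 console
2024-03-04T18:05:00 carol vpn-gw remote
2024-03-04T18:40:00 carol ws-150 console
"""

def parse(log, fields):
    """Split whitespace-delimited lines into dicts, skipping malformed ones."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        try:
            row["ts"] = datetime.fromisoformat(row["ts"])
        except ValueError:
            continue
        rows.append(row)
    return rows

def logins_without_presence(badge_log, login_log):
    """Console logins by users the badge system does not place in the building.
    Remote logins are skipped: being off-site is expected for those.
    Tailgating (entry without a swipe) will show up here as a false positive."""
    badges = parse(badge_log, ("ts", "user", "direction"))
    logins = parse(login_log, ("ts", "user", "host", "kind"))
    # One timeline; a swipe sorts ahead of a login with the same timestamp.
    timeline = [(b["ts"], 0, b) for b in badges] + [(l["ts"], 1, l) for l in logins]
    timeline.sort(key=lambda e: (e[0], e[1]))
    inside, alerts = set(), []
    for ts, is_login, rec in timeline:
        if not is_login:
            (inside.add if rec["direction"] == "IN" else inside.discard)(rec["user"])
        elif rec["kind"] == "console" and rec["user"] not in inside:
            alerts.append((ts.isoformat(), rec["user"], rec["host"]))
    return alerts

if __name__ == "__main__":
    for alert in logins_without_presence(BADGE_LOG, LOGIN_LOG):
        print("console login without badge presence:", *alert)
```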