Feb 17, 2009

Security in the workspace - Part 2

The word de-perimeterization is used by security experts both to describe a problem and a solution. The problem is clear: when we rely on perimeter defense, a disappearing perimeter is problematic. The solution says that instead of fighting de-perimeterization, by trying to rebuild parts of the perimeter, we should admit that perimeters will be gone soon and implement our security measures on a different level.

What is causing the problem? Here are three major factors which seem to drive de-perimeterization:
  • Networked Business: Suppliers, customers, and service providers all work with the organization on a much finer grained level than they used to. This is the result of specialization. An example is outsourcing: It can be very cost-effective to outsource certain tasks to more specialized organizations. Outsourcing requires so-called service level agreements: contracts between the organization and service provider about the quality of the services rendered. Security should be a part of such agreements as these parties operate within the perimeter.
  • Governance, Regulations, Compliance: Organizations need to comply with more and more external laws and regulations. Often these call for more transparency towards shareholders, governments and the general public. This means that these parties need to pass the perimeter.
  • Insider Threats: Employees are not the loyal workers they once were. Maybe most of them still are, yet some of them will try to gain access to your most valuable assets for personal gain. If you cannot trust your own employees, who operate within the perimeter, then you might as well get rid of the perimeter.
It is clear that each of these factors impacts the perimeter. Are there more?

The de-perimeterization factors are closely related to trends typically attributed to Future Workspaces. The difference is in the perspective. When I think of securing an organization, I tend to take the perspective of the organization. When I try to imagine what the workspace of the future will look like I tend to take the perspective of employees. We identify the following trends:
  • Relation to employer (or, perhaps, loyalty to the organization)
    • Employees no longer work for one employer for 40 years but switch jobs regularly.
    • Employees work for different employers at the same time (I used to work here and here at the same time, which rarely led to conflicts of interest).
    • Professional social network of most employees is bigger than it used to be, extending well beyond the organization’s borders.
  • Responsibilities
    • Employees are given greater responsibility in representing the organization.
    • Organizations are less hierarchically managed.
    • Employees (are encouraged to) write about their professional lives in blogs.
  • Collaboration
    • Not every organization has experts in every field. Organizations are aware of external experts (thanks to openness of other organizations) and encourage employees to collaborate with them.
  • Work in different contexts
    • Employees can work from home.
    • Employees (especially knowledge workers) travel much more and work while in transit (using mobile devices).
    • Employees work (while outsourced) at client.
    • Employees work irregular hours.
    • Employees work shorter hours, some colleagues may almost never meet in person.
At the very least we can claim that the Future Workspace trends reinforce the de-perimeterization factors. The de-perimeterization problem is made bigger and more urgent for organizations to deal with. In fact, many of the security incidents that organizations are faced with can be explained in terms of security controls which are part of the old perimeter defense interacting with employees' new found freedom.

In part 3 I will look at ways forward in the de-perimeterized future workspace.

Feb 10, 2009

Security in the workspace - Part 1


The workspace is changing. What will mostly be different is the relationship between employees and the organizations they work for. I’m interested in the consequences these changes have for the administration of information security in organizations.

Information security incidents have become part of our lives during the last couple of years. Popular media regularly report on incidents which range from lost pen drives filled with privacy sensitive data to financial fraud by employees costing financial organizations billions. The increase in reported incidents not only shows that security incidents are on the rise but it also indicates a change (yes we can!) in how organizations respond to incidents. Reputation and trust are increasingly important concepts in today’s business world, and organizations need to find ways to deal with security problems.

The openness that organizations are showing lately, both to customers, to employees, to other organizations, and to the general public is interesting. From a security perspective openness is a double edged sword: On the one hand, openness means granting access to parties which may not be trusted yet. This clearly complicates security administration. On the other hand, openness also stands for transparency and open standards which simplify matters. And simple things are easier to secure.

Security researchers who study organizational security associate the new found openness in organizations with de-perimeterization. De-perimeterization means that the perimeters of organizations are disappearing. This is problematic because most security strategies pay a lot of attention to perimeter defense: Concentrate your efforts on the perimeter and the rest of the organization is secure.

Is perimeter defense a bad strategy? Thousands of huddling Emperor penguins can’t be wrong, can they? And if you’ve ever played the board game Risk you know that the best strategy to defend a continent is to move all your armies to the border countries.

In part 2 we will have a closer look at de-perimeterization and see how it interacts with future workspaces.

Feb 2, 2009

The ePassport helps fight online identity fraud


This translation of an article in Dutch newspaper het Financiƫle Dagblad, 2 februari 2009, pp. 7 was created by Google translate (with only slight modifications by hand). The Dutch version also appears elsewhere on the interwebs.

A new tool in the fight against identity fraud has arrived. The Dutch ePassport with chip can be used as additional identification technology for Internet transactions. Without loss of privacy.

This is evident from NLnet Foundation funded research Martijn Oostdijk and Dirk-Jan van Dijk of the Telematica Institute have done. Using a simple card reader, the chip can be read on any PC. The standards to do this are public. The researchers developed software for an identity provider - a trusted party that creates digital identities and provides these to other parties - which they run on a server at the institute. Furthermore, the duo developed software that must be installed on the client's PC.

With passport in hand, the user may enter a web shop. The shop might need to know if the buyer is older than 18. The identity provider filters out only the information from the passport required for the purchase, and forwards that information to the shop. The buyer remains in charge of his own data and can terminate the transaction at any moment. The process is intended as additional evidence. Often, a user needs various account names and passwords to use various online services. But such credentials, also credit cards, etc. may fall into the wrong hands. Of course, a passport can also be stolen. "This is why the passport by itself should not be used as identification. But in combination with other authentication means it could stop simple forms of identity theft", said Michiel Leenaars, strategy director of Stichting NLnet. According to Martijn Oostdijk, the system is suitable for all forms of identification. "It's not just for online purchases. The system might play a role in safe surfing by children or patient access to electronic health records, etc."

Identity fraud is costing society billions of euros per year. In the U.S., the damage last year was 31 billion euro. At present, slightly less than half of all Dutch citizens have a passport or identity card with chip. In 2011, that will be the case for all citizens.

NLnet Foundation is committed to an open information society and supports projects that contribute financially. Software developed within the projects are published as "open source" and is freely available for parties who wish to further develop it. The Telematica Institute combines innovation power and knowledge of IT to achieve breakthroughs in how we live.

Feb 1, 2009

A "Game-Theoretic" Analysis of De-perimeterization


De-perimeterization is a word which (despite being impossible to pronounce or spell correctly) is used more and more in discussions about security of organizations. Studying the effects of the disappearing perimeter in practice is difficult because organizations are complex and it is difficult to measure the quality of newly deployed security measures. Instead, let’s describe some of the issues of de-perimeterization here using an analogy with the well known board game Risk.

In Risk players occupy countries by placing armies on them. Given a configuration of the board where every player has a number of countries with armies, players can attack countries owned by other players from a neighboring country. If all armies of the defending player are completely defeated then that country is conquered and the attacker can place a number of armies on it.

Although luck is certainly a factor (the game uses no less than five dice) the general rule is that the more armies you bring to a fight, the bigger the odds that the country will (still) be yours at the end of the attack. When attacking, a great number of armies can be moved on to the newly conquered country. Armies can also be moved from one country to a neighboring country if owned by the same player when not attacking, but the number of movements is limited per turn. Playing Risk demonstrates that logistics is one of the most difficult parts of administering security.

Countries are organized in six continents. Continents are a lot like organizations: they contain assets (countries, armies) and they have a perimeter. A player receives bonus armies at the start of every turn in which a continent was completely owned by that player and was successfully defended.

Countries on the border of a continent form the perimeter of that continent. Perimeter countries need special attention because enemies need to first travel through perimeter countries before they can attack an inner country. Recall that if an attacker occupies any country of a continent held by a player, then the defender will not get his bonus at the beginning of their next turn. For the defender, moving most armies to the border countries seems therefore a good strategy. We will call this strategy Perimeter Defense.

At first, Perimeter Defense seems like a good idea. All players are each other’s enemies, after all. In practice, however, what happens is that players form temporary alliances so as to effectively attack a common enemy. The common enemy is typically the player with the most armies. This means, for example, that the members of an alliance agree to follow a certain attack strategy and agree not to attack each other for a number of turns so that they can keep borders between alliance-owned continents minimally manned. The armies no longer needed to defend alliance-owned borders can be better used to attack the common enemy with greater force.

But there are far more complex forms of cooperation possible within an alliance. A pattern that is often seen is that one player in the alliance allows another player to move troops over territory owned by the first player. The first player creates a corridor of countries occupied with only 1 army on them. The countries in the corridor are easily conquered by the second player when he attacks them with a great number of armies. Since moving armies during an attack is free, this allows a player to move a great number of troops towards the common enemy’s border, circumventing the per-turn troop movement limits. The second player also leaves only 1 army on the countries in the corridor, allowing the first player to easily recover the original countries of his continent later on.

So what are the alternatives to perimeter defense? It is tempting to think of Defense in Depth as the complete opposite of Perimeter Defense. In the Risk analogy naive Defense in Depth means equally distributing one’s armies over every country of a continent, both inner and border countries. Obviously this means that it becomes easier for a single enemy to occupy a border country (which means the defender won’t get his bonus armies). Yet at least the continent is more difficult to completely conquer by attackers. It very much depends on the situation (the agenda of other players, alliance agreements) whether Defense in Depth is a good strategy.

Defense in Depth also makes it more difficult to move armies to specific places, for example to allow a fellow alliance member to move troops across your continent. Yet, if one doesn’t completely trust the other players in the alliance a certain degree of Defense in Depth is actually a good thing. After all, when alliance member are moving troops through our corridors they should not be tempted too much to occupy our complete continent while they’re at it.

The real world consisting of real organizations is in many aspects much more complex than than simple board game world, if only because the goals of organizations are much more complex than simply ‘winning the game’. Still, real organizations also deal with security strategies. Two organizations will work together if it is of benefit to both of them (although usually not to mount an attack on the security perimeter of some competitor). At the same time organizations need to restrict access to their assets from outsiders as much as possible.

The problem is not that the perimeter is disappearing. The problem is that it is continually changing. The quality of a security strategy depends greatly on external forces such as the goals of other organizations. That these external forces change dynamically makes things even more complex.

Perimeter Defense and Defense in Depth are still good concepts to use when defining a mixed security strategy but much more important seems to be the ability to quickly change strategy. If security controls are resilient rather than brittle (see Schneier’s book Beyond Fear for an explanation of these concepts) then they can easily be used as part of a dynamically configurable perimeter.

(Thanks to Tim, Marcella, Victor, Suzana, Dragan, and Georgi for playing numerous games of Risk. Disclaimer: The author lost most of these games.)