INFORMATION SECURITY ARCHITECTURE

Newcomers to the field of information security may wonder where on earth to start, given the rapidly shifting technological landscape that exists today. Even over the past decade, IT has moved from being an arm’s-length set of capabilities – as corporate systems, mostly accessed via fixed desktops – to becoming an intrinsic part of everything that the business, its employees and customers do.

The good news is that we do have a starting point, which is to remember what we are trying to secure – not technology for its own sake, but the information it processes and transmits. In this chapter we review some of the areas that are making information security so challenging. We then look at the essentials of information security in the context of the modern organisation, to see how and where security architecture needs to respond.

INFORMATION SECURITY IN A CHANGING WORLD

The latest waves of information technology have profoundly affected business and economic models across all sectors and geographies, and are having a significant impact on the nature of business risk. Just a few years ago, for example, email was seen as relatively new and a major target for attack; then came instant messaging systems, open to malicious communications and offering the potential for fraud; shortly after that, Voice over Internet Protocol mechanisms such as Skype were considered to be high-risk and needing to be treated with some urgency.

Each generation of technology has been seen to constitute a major threat when it emerged, and no doubt each still does. However, just as past technologies have been superseded, so more recent developments are creating new opportunities for both the malicious and the stupid to do harm:

Teleworking is becoming the default way of working, rather than the exception, for large numbers of staff at many organisations. This has a highly disruptive impact on the notion of physical protection. For example, traditionally the idea of securing ‘on-site’ versus ‘off-site’ equipment made sense; today, however, two staff members may meet in a café to exchange information using a non-corporate-issue USB stick. Security managers can quickly become unstuck if they treat remote workers and equipment in the same way as office-based, corporate IT.

Mobile devices, smartphones and tablets are rapidly overtaking desktop computers as end-user computing devices, changing the way people interact with online and corporate services. While they enable people to work more flexibly, they are also easier to steal or lose. An added complication is the fact that people are increasingly using their own devices at work – so-called ‘bring your own device’ (BYOD). New device capabilities are causing new issues – for example cyber-bullying via photo apps such as Snapchat, or the use of encrypted messaging such as Blackberry Messenger, which was used during the riots of 2011.

Payment cards and associated information have emerged as a significant area of concern for IT security professionals. Such is the significance of payment card data that the major card providers have established an independent organisation, the PCI-DSS Council, to deliver a fully regulated model which defines mechanisms and practices for its protection. This requires organisations to employ independent accredited approved security vendors and their employed qualified security assessors to assess and certify in-scope payment card data environments in accordance with PCI-DSS Council rules.

Public cloud computing involves the delivery of scalable IT services running on hosted servers and using the internet as transport. Benefits are variously cited as scalability, cost-effectiveness and ease of deployment. However, security ramifications include dependency on (potentially untrusted) third parties, location sensitivity and increased potential for surveillance, as well as consumerisation-linked risk from individuals subscribing to services themselves. Cloud computing models are also diversifying – for example, hosting and co-location companies are now offering hybrid models such as ‘private hosted cloud’.

Social networking builds on the public cloud, enabling people to interact, collaborate and share information using publicly available, free-to-use services such as Google, Twitter and Facebook. Many corporate, entertainment and sport websites also build in a social element. As a result customers can have more direct relations with organisations; the downside is that they may also complain, loudly and globally. Some social sites have been criticised for failing to protect the privacy of their users – as the adage goes, ‘If the service is free, you are the product.’ Hackers are also known to trawl social networks for personal information that can be used for targeted email attacks.

Data centre virtualisation is where computer servers run multiple workloads using software to emulate a physical computer. Today’s top-end servers can run tens of ‘virtual’ machines. While these can be relocated relatively easily, they have to be secured as individual computers. In addition, they rely on a virtual machine management console, which is often seen as the weakest link from a security perspective – a username/password breach can deliver access to the entire estate of virtual machines. Third-party software suites that deliver management information for virtualised environments also create a significant attack surface for hackers.

Broadband and mobile networking make it easier to work from home or on the move. While higher-bandwidth connections tend to be restricted to municipal areas (which is as much a problem for itinerant workers as those living in rural areas), the level of available bandwidth continues to increase, driving the demand for remote working. Note that the latest 4G mobile technologies operate more quickly than Wi-Fi, potentially driving people towards using their own, potentially less secure mobile devices, connected to less trusted networks, for data transfers and communications. Access control and authentication, end-point security, and the protection of corporate data across multiple devices will continue to deliver complex challenges for the IT security professional.

Big data analytics relies on the continuing phenomenon of Moore’s law – that the number of transistors on a chip will double every 18 months. Just as data volumes are expanding as we become able to generate data in greater and greater quantities, so the ways in which data can be stored and analysed are expanding, for example using analytics platforms such as Hadoop. However, such technologies also create new opportunities for hackers, not least because greater volumes of data need to be protected; equally, privacy concerns exist around the ability to identify individuals from analysis of aggregated data.

The Internet of Things (also known as machine-to-machine communications) presents another manifestation of Moore’s law, in that as processors become cheaper and more powerful, it becomes possible to connect an increasing range of devices to the internet. This creates new possibilities – for example, smarter buildings and cars – but also creates a new set of security risks. Not least among these is the protection of connected equipment and generated data; for example, the Stuxnet computer worm was designed to attack industrial control systems running the Supervisory Control and Data Acquisition (SCADA) protocol. Equally, the internet of things raises a number of potential privacy concerns, illustrated by the case of London bins being used to track passers-by, via their mobile phone signatures.

Trends such as these are leading to new ways in which governments, corporations and individuals procure, design and use computer systems and services. In 2012, for example, the UK Cabinet Office announced the G-Cloud initiative, ‘developed to give customers access to pay-as-you-go services as a cheaper alternative to traditionally sourced ICT’. For providers, cloud computing is also leading to new system architecture approaches – as illustrated by NoSQL databases or the ‘built to fail, but gracefully’ design principles of online services such as Netflix.

Simultaneously, these trends create opportunities for malicious individuals and organisations to breach corporate security and put businesses at risk, with potentially expensive consequences. Hacker groups may target both businesses and customers with attacks bearing names such as ‘man in the middle’ and ‘watering hole’, exploiting weaknesses across the evolving technology ecosystem. Equally, employees may foolishly seek to find out colleagues’ salaries, or inadvertently lose corporate information; in 2012, for example, Greater Manchester Police was fined £120,000 for the loss of a USB stick containing data about people linked to serious crime, which was stolen from the house of a police officer. Just as technology continues to diversify, so does the number of ways things can go wrong.


OVERVIEW OF INFORMATION SECURITY CONCEPTS

How can traditional security stand a chance of responding to such challenges? A generally accepted principle of technology-related security, which remains valid even through such change, is that the ‘core asset’ at the heart of what we want to secure is information. Other types of security exist, of course – such as physical security to protect buildings and working environments. However, just as information technology exists to enable the creation, processing, communication and storage of information, so information security exists to protect information assets against threats by limiting their vulnerabilities and reducing risks.

As shown in Figure, information security provides a protective layer that allows authorised access to information assets while preventing unauthorised access. Information assets constitute any items of information that are seen as having value to the organisation. Size is unimportant, as the following examples show:

  • A paint manufacturer has a master list of discounts offered to each of its major customers, stored as a simple office document, such as a word-processing file or spreadsheet. Disclosure could result in different customers seeking renegotiation of their own discounts, and the document may be a target of industrial espionage.
  • A hospital system holds the personal details of a famous actor who has just been admitted for unexpected surgery. Junior clinical staff may find it difficult to overcome the temptation of calling the press and receiving payment for the ‘scoop’.
  • An industrial machine is connected to the internet for monitoring purposes, using the SCADA protocol. In this case, the risk is that it can inadvertently be controlled or compromised by the actions of a third party, which could damage the machine or compromise the process it serves.
  • A retail organisation stores customer payment card information unencrypted, and is hacked. Resulting fines amount to a significant percentage of the organisation’s annual turnover, and the damage to its brand is enough to push the organisation into administration.

In such cases as these, the potential outcome of a security breach (the impact) could come with a price tag greater than the information suggests. An organisation can lose money directly – through the costs of resolving a breach, responding to customer calls or lost sales – or indirectly – for example, dealing with litigation or repairing reputational damage. In some cases, the cost of a breach can be many times that of the mechanisms that could have been implemented to avoid it, a fact that security vendors are often keen to emphasise.
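To make the ‘protective layer’ idea concrete, here is an added example (it is not from the book): a minimal access-control layer over a handful of information assets, modelled on the hospital and paint-manufacturer scenarios above. Every decision is written to an audit trail, and a small detection routine flags a user who is repeatedly refused access to a restricted record, which is the trace the ‘scoop’ scenario would leave. The asset names, classification levels, team names and the two-denial threshold are all constructed for the example.

```python
"""Added example: a protective layer that permits authorised access to
information assets, refuses unauthorised access, and keeps an audit trail
that a reviewer can mine for suspicious behaviour. All data is constructed."""
from collections import Counter
from dataclasses import dataclass

# Ordered classification scheme (constructed; organisations define their own).
CLASS_LEVEL = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class InfoAsset:
    asset_id: str
    classification: str   # one of CLASS_LEVEL's keys
    owner_team: str       # team with a legitimate need to know


@dataclass(frozen=True)
class Principal:
    user_id: str
    clearance: str        # highest classification the user may see
    teams: frozenset      # teams the user belongs to


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    asset_id: str
    allowed: bool
    reason: str


def authorise(principal: Principal, asset: InfoAsset):
    """Return (allowed, reason).  Two independent checks: the user's clearance
    must cover the asset's classification, and anything at 'confidential' or
    above is further limited to the asset's owning team (need to know)."""
    if CLASS_LEVEL[principal.clearance] < CLASS_LEVEL[asset.classification]:
        return False, "clearance below classification"
    if (CLASS_LEVEL[asset.classification] >= CLASS_LEVEL["confidential"]
            and asset.owner_team not in principal.teams):
        return False, "no need-to-know (not in owning team)"
    return True, "ok"


class ProtectiveLayer:
    """Sits between principals and assets; every decision is audited."""

    def __init__(self, assets):
        self._assets = {a.asset_id: a for a in assets}
        self.audit = []

    def read(self, principal: Principal, asset_id: str) -> str:
        asset = self._assets[asset_id]
        allowed, reason = authorise(principal, asset)
        self.audit.append(AuditEvent(principal.user_id, asset_id, allowed, reason))
        if not allowed:
            raise PermissionError(f"{principal.user_id} -> {asset_id}: {reason}")
        return f"<contents of {asset_id}>"   # placeholder for the real data


def flag_repeated_denials(audit, threshold: int = 2):
    """Detection over the audit trail: users refused 'threshold' or more times."""
    denials = Counter(e.user_id for e in audit if not e.allowed)
    return {user for user, n in denials.items() if n >= threshold}


def run_scenario():
    """Constructed scenario: a surgeon on the treating ward reads a patient
    record; a junior nurse from another ward tries twice and is refused;
    the nurse can still read a public notice. Returns the decisions and flags."""
    layer = ProtectiveLayer([
        InfoAsset("patient-4711", "restricted", "ward-7"),
        InfoAsset("discount-master", "confidential", "sales"),
        InfoAsset("canteen-menu", "public", "facilities"),
    ])
    surgeon = Principal("surgeon.lead", "restricted", frozenset({"ward-7"}))
    junior = Principal("nurse.junior", "confidential", frozenset({"ward-3"}))

    attempts = [(surgeon, "patient-4711"), (junior, "patient-4711"),
                (junior, "patient-4711"), (junior, "canteen-menu")]
    decisions = []
    for who, asset_id in attempts:
        try:
            layer.read(who, asset_id)
            decisions.append(True)
        except PermissionError:
            decisions.append(False)
    return {"decisions": decisions,
            "flagged": flag_repeated_denials(layer.audit),
            "audit": layer.audit}


if __name__ == "__main__":
    result = run_scenario()
    for event in result["audit"]:
        print(f"{event.user_id:14} {event.asset_id:16} "
              f"{'ALLOW' if event.allowed else 'DENY ':5} {event.reason}")
    print("flagged for review:", sorted(result["flagged"]))
```

The point of the audit trail is that the refusal itself is information: a single denied read is noise, but a pattern of refusals against a single restricted record is what a security team would want surfaced, and the threshold used here is deliberately low for illustration.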

The core notions of security architecture extend the principles of defence in depth and tiering. In the earlier days of computing, the concentric circle idea worked well – for example, a decade or so ago we would talk about intranet, extranet and internet as valid tiers. An additional implication was that the chief security officer held the keys to the entire ‘fortress’. However, to secure today’s highly distributed computing models, incorporating cloud computing, virtualisation and mobile networks