Thursday, 15 March 2007

And I repeat...

I have to admit I didn't expect to make a big splash when I entered the world of data integrity. We're up against digital signatures, TripWire, encryption and access controls, and everything else that's been wedged into this space by poorly thought-out compliance regulations, over-eager sales people, network engineers, silver-tongued pre-sales, security guys...
Yes, I place the blame squarely at my own feet. I have been all of these things, apart from a poorly thought-out compliance regulation of course; that would be odd.
The fact is, data integrity still doesn't exist, and here we are basking in the swimming pool of security whilst the administrator of false senses dances through our data, happy in the knowledge he is king and no one can catch him. A bad mixed metaphor, but quite picturesque I think.

Let me explain. In the beginning there were firewalls, which kept out some Bad People. Then there was AntiVirus. This kept out some Bad Things, written by Bad People. Then there was IDS, followed by IPS, then IDP, then app firewalls and UTM. Basically it's all sewn up at the perimeter. Then we realised the attacks were coming from inside. Alan Shimel calls it M&M security: crunchy on the outside, soft in the middle. I call it armadillo security for exactly the same reasons (anyone in the UK will remember the Dime advert along the same lines).

Of course for perimeter security to work, user security has had to work. RSA had SecurID all figured out years ago, and I've still to see a better answer to strong authentication. Every year I expect to see something to challenge it at Infosec, and still nothing. CryptoCard, Entrust, OK, they're pretty good as cheap alternatives, but they aren't as secure, and that's what I like, security.

So, we move inside the network and start to rely on Cisco for everything. Oops. Cisco are the dog's danglies when it comes to networking, but networking security? They try, bless them, but they just can't move fast enough. I've mentioned ConSentry in the NAC space already in this blog. I spoke to Sean Remnant there this afternoon and it seems he's getting busy now. When he last visited me in the UK, he and Bill Wester (SE Director) looked a little nervous about how sales might go. Despite my full support (and who wouldn't be delighted with that?) they seemed worried that Cisco and Micro$oft (why do they persist with that silly name? Surely trading standards should have had them by now; MegaHard, that's much closer) would be able to knock them out of the market by their sheer size. Cisco even threw them out of the NAC Consortium because they were too much of a threat. Oops again, Cisco, don't think we didn't notice!

As far as I'm concerned then, NAC has the network sewn up pretty well, again, as long as your users are authenticating properly, all the network needs is good access controls. But then, what about your data? Do I sound like a stuck record? Do I? Do I?

Right, let's assume you have encryption. What happens when superadmin walks in and disappears with your financial accounts? What about the CEO, the CFO, etc., etc.? OK, apply some clever data-centric access controls. Now the security admin has control. What happens when he walks off with your data? Now apply some separation of duties. What happens when the security and network admin get together and decide to rip off the company because they aren't paid enough? The solution? Pay your techies more! No, obviously not, that would be counter-productive; if you do that, they hold you to ransom more.

OK, so we apply separation of duties, and implement TripWire. They still walk off with the data, but at least they didn't change anything on the network whilst they were doing it. PHEW! Email still works! Sorry, I don't mean to disrespect TripWire for a second; they are a vital piece of network security which no-one else addresses, but they are monitoring controls, not data controls. OK, so now assume you have the data access logs streamed, encrypted, controlled for access, duties separated, and a digital signature of the data taken every time a log is saved, just for good measure. Apart from the incredible amount of data that would create in new signatures, what does it prove?

Now my superadmins, who know where this logging information is kept, just go in and delete the entries which show where they stole valuable data. The digital signature is broken, the files don't match up when I come to read them, if I come to read them at all, etc...
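To make the failure above concrete, here is an added example (not code from the original post) of an access log whose entries are hash-chained rather than signed file by file. The sample log lines, the genesis value and the idea of keeping a copy of the latest link hash somewhere the admin cannot reach are all assumptions of this example; it shows that deleting entries from the middle is caught at the exact position, while simply cutting off the tail of the log goes unnoticed unless the head hash is kept off-box.

```python
import hashlib

# Constructed sample access-log entries (not from the original post).
SAMPLE_ENTRIES = [
    "2007-03-15T09:00:01 user=superadmin action=login",
    "2007-03-15T09:02:10 user=superadmin action=read file=finance/accounts.xls",
    "2007-03-15T09:02:45 user=superadmin action=copy file=finance/accounts.xls dest=usb",
    "2007-03-15T09:05:00 user=superadmin action=logout",
]

GENESIS = "0" * 64  # assumed starting value for the first link


def link_hash(prev_hash: str, entry: str) -> str:
    """Hash of one link: depends on the previous link's hash and the entry text."""
    return hashlib.sha256((prev_hash + "\n" + entry).encode()).hexdigest()


def build_chain(entries):
    """Return a list of (entry, link_hash); every hash covers all earlier entries."""
    chain, prev = [], GENESIS
    for entry in entries:
        prev = link_hash(prev, entry)
        chain.append((entry, prev))
    return chain


def verify_chain(chain, expected_head=None):
    """Return None if the chain is intact.

    Returns the index of the first link that does not match (an entry was
    deleted or altered before it), or len(chain) when the stored entries all
    check out but the last link differs from the head hash kept off-box
    (the log was truncated). Without expected_head, truncation is invisible.
    """
    prev = GENESIS
    for i, (entry, stored) in enumerate(chain):
        prev = link_hash(prev, entry)
        if stored != prev:
            return i
    if expected_head is not None and (not chain or chain[-1][1] != expected_head):
        return len(chain)
    return None
```

Deleting the "copy ... dest=usb" line from the middle makes `verify_chain` report index 2; dropping the last two lines is reported only when the off-box head hash is supplied.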

There are still holes, that's my point. We need something which gets around this, something which follows the data, not the network or the user. Something to go with the encryption and access controls, with the user security, with the network security. The rest of it we've had sewn up for a while, and we're just banging on down the same old path of tweaking it and polishing it, before we've even finished the whole story.

You wouldn't have had to spend $/€ 50k a year on firewalls, chasing your tail and wondering why your data was still going AWOL, if you'd just waited and insisted on the security being tighter. Understanding your security, even. Getting a security guy in who knows what he's doing. The problem is, we're the only ones who know how it's done, us, the security guys, and we don't tell anyone. I don't think even we understand it properly; that's the real issue, and until we're prepared to admit that, we're not going to make any progress.

My previous posts have explained it in part, but I don't think people will even try to understand until the penalties are high enough. Compliance is one thing, fines are another; what we really need is a tight disclosure law. The only thing that really affects people is reputation. Banks put aside money to deal with fines and breaches, did you know that? They EXPECT to be hit. Why?

These are all the themes I cover on a weekly basis and I wish I didn't sound like I was repeating myself. The fact is, I have to.
