Striking at the Root
Stephen T. Whitlock
Chief Security Architect
Information Security
The Boeing Company
BOEING is a trademark of Boeing Management Company.
Copyright © 2007 Boeing. All rights reserved.
What Are the Roots?
Boeing Technology | Information Technology
"There are a thousand hacking at the branches of evil to one who is striking at the root."
Henry David Thoreau
Value Shift
1) IT value increases faster than physical asset value
2) Information value increases faster than IT value
(Chart: Relative Value vs. Time for Physical Assets and Information Assets)
Population Shift
1) An extended enterprise business model across its value chain requires:
   Tighter integration of IT systems across this extended enterprise
   Non-enterprise users require onsite and logical access to enterprise hosted systems
   Non-enterprise users require external access to their home and public internet
2) The workforce becomes mobile, virtual, and geographically distributed
(Chart: Identifiers Granted Intranet Access, 2001 to 2007, split between Boeing Employees and Non-Employees; labelled 60% and 38%)
Principal Shift
1) New principal types develop: devices, services, applications
2) Application services require direct application to application interaction
3) Factory automation requires sophisticated protection for limited functionality devices
Regulation Proliferation
Technology Gaps
1) Solutions are often designed for B2C (Business to Consumer) and don't work well in an E2E (Enterprise to Enterprise) environment
2) Presumption that all of your supply/delivery chain will buy the same technology from the same vendor
3) Too much focus on protecting IT assets and infrastructure – not the information itself
(Diagram: B2C is an asymmetric relationship; E2E is a symmetric relationship)
The CAP Principle
CAP Principle: Consistency, Availability, Partitioning – Pick 2
Example 1 - Perimeter based security between enterprises
Example 2 - Certificate revocation status between enterprises (partitioning)
CRL == Availability, != Consistency
OCSP == Consistency, != Availability
1) Conjecture: "Harvest, Yield, and Scalable Tolerant Systems", Eric A. Brewer (UCB) and Armando Fox (Stanford); Principles of Distributed Computing, Portland, OR, 2000
2) Proof: "Brewer's Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services", Seth Gilbert (MIT) and Nancy Lynch (MIT)
(Diagram: Venn diagram of Availability, Partitioning, and Consistency)
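To make the CRL/OCSP contrast on this slide concrete, here is an added toy model (not from the presentation) of a relying party in one enterprise checking a certificate issued by a partner enterprise while the link between them is partitioned. The issuer, the serial number and the hour-based clock values are constructed for the example.

```python
from dataclasses import dataclass, field

class PartitionError(Exception):
    """Raised when the partner enterprise cannot be reached."""

@dataclass
class Crl:
    """A CRL the relying party downloaded earlier (constructed clock values, in hours)."""
    next_update: int
    revoked: set = field(default_factory=set)

class IssuerEnterprise:
    """Authoritative revocation state held by the partner enterprise (constructed)."""
    def __init__(self):
        self.revoked = set()
        self.reachable = True
    def revoke(self, serial):
        self.revoked.add(serial)
    def publish_crl(self, now):
        return Crl(next_update=now + 24, revoked=set(self.revoked))
    def ocsp_status(self, serial):
        if not self.reachable:
            raise PartitionError("OCSP responder unreachable")
        return "revoked" if serial in self.revoked else "good"

def check_with_crl(crl, serial, now):
    """CRL: always answers (available) but only as fresh as the last
    download, so it can disagree with the issuer (not consistent)."""
    if now > crl.next_update:
        return "stale"  # local policy must choose fail-open or fail-closed
    return "revoked" if serial in crl.revoked else "good"

def check_with_ocsp(issuer, serial):
    """OCSP: answer matches the issuer (consistent) but there is no answer
    at all while the link is partitioned (not available)."""
    try:
        return issuer.ocsp_status(serial)
    except PartitionError:
        return "unknown"  # again, local policy decides what to do

def demo():
    issuer = IssuerEnterprise()
    crl = issuer.publish_crl(now=0)   # relying party caches the CRL at hour 0
    issuer.revoke("0x1234")           # constructed serial, revoked after the download
    issuer.reachable = False          # inter-enterprise link is partitioned
    return {
        "crl": check_with_crl(crl, "0x1234", now=1),           # "good": available, inconsistent
        "ocsp": check_with_ocsp(issuer, "0x1234"),             # "unknown": consistent, unavailable
        "crl_expired": check_with_crl(crl, "0x1234", now=25),  # "stale": past nextUpdate
    }
```

Both checkers hand the "stale" and "unknown" cases back to local policy, which is where the enterprise's own fail-open or fail-closed choice has to be made.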
Users != Computers
1) Poor user interfaces prompt users to make decisions they are unqualified to make
2) The properties that make passwords strong make them hard to remember
(Diagram: people and computers compared on CPU Speed, Innovation/Adaptation, Memory, Multitasking, Pattern Recognition, and Cryptography)
Summary
We ask people to do things they are not designed to do and are not good at
We protect our globally connected enterprises with tools and technologies from the Pre-E-Business age
We have traded the security principles of Defense-In-Depth and Least Privilege for collections of systems tied together by exceptions
We have (unwillingly) traded Simplicity, Usability, Manageability, and Scalability for Unmanageable Complexity
Most of this won’t change any time soon
Where Are We Going?
"If you don't know where you are going, any road will take you there."
Lewis Carroll
Once In Every Architecture Talk, There Comes A Slide Like This
(Apologies to Eric)
(Diagram: taxonomy of security services; labels grouped under their headings)
Information Protection Services
  Labeling Services
  Information Classification Services
  Information Recovery Services
  Cryptographic Services
  Key Management
  Certificate Management
  Signature Services
  Message Integrity
  Encryption Services
  Bridge Certificate Authorities
  Digital Rights Management Services
Privilege Management Infrastructure
  Audit Services
  Identity Management Services
  Log Analysis
  Log Collection and Management
  Domain Unique Identifier Services
  Federated Identity Management
  Identity Provisioning Services
  Attribute Provisioning Services
  Authentication Services
  Authorization Services
  SAML Token Services
  Certificate Services
  Biometric Services
  One Time Password Services
  Smart Card Services
  Password Management
  Network Authentication
  Single Sign On
  Policy Enforcement
  Policy Decision
  Policy Management Services
  Principal Data Management
  Resource Data Management
  Environmental Data Management
  Account Provisioning
  Access Log Services
Infrastructure Protection Services
  Server Protection Services
  Anti-Virus
  Host Based IDS / IPS
  Server Vulnerability Scanning
  Centralized Security Management Services
  Desktop Protection Services
  Anti-Virus, Anti-Spam, Anti-Spyware
  Client Based IDS / IPS
  Desktop Encryption
  Port and Device Control Services
  Hardware Based Trusted Platform Services
  Application Protection Services
  Application Specific Firewall Services
  Virtual Machines
  Web Services (SOAP, XML) Protection
  Application Vulnerability Scanning
  Secure Messaging
  Secure Collaboration
  Business Continuity Services
  Network Protection Services
  Firewall / Filtering
  Encrypted VPN / Tunnel Services
  Network Based IDS / IPS Services
  Network Vulnerability Scanning
  Wireless Protection
  Web Proxy Services
  Network Resiliency Services
  Attack Containment / Recovery Services
  Link Layer Network Security Services
  Physical Layer Network Security Services
Directory Services
  Direct Access Services
  DBMS Repositories
  LDAP Repositories
  X.500 Repositories
  Active Directory Services
  Directory Provisioning Services
  Indirect Access Services
  Proxy Services
  Virtual Directory Services
  Meta Directory Services
  Intelligent Access Services
  Registry Services
  Location Services
  Federation Services
Simplified (User Friendly) Security Services
(Diagram: four blocks: Information Protection Services, Infrastructure Protection Services, Privilege Management Infrastructure, and Supporting Services)
Privilege Management in Eight Words
Identification: Who are you?
Authentication: Prove it!
Authorization: Here's your stuff...
The fine print (Open Group XDSF, ISO 10181-3)
• Identification: The presentation of an identifier so that the system can recognize and distinguish the presenter from other principals
• Authentication: The exchange of information in order to verify the claimed identity of a principal
• Authorization: The granting of rights, including access, to a principal, by the proper authority
Principal: An entity (people, devices, applications, etc.) whose identity can be authenticated
Future Infrastructure Security Services
(Diagram: Trusted Infrastructure Services (DNS, DHCP, Routing, Directory, System Management, Identification, Authentication, Authorization, Audit, etc.) serving the Public Internet, the Boeing Intranet (untrusted), Data Center Hosting Services (Access Zones), and End User Devices)
An Information Centric Future of Access Controls
(Chart: Effectiveness vs. Time for Network Controls, Application Controls, and Data Controls)
Industry Security Technology Scorecard
(Chart: Industry Security Technology Scorecard; categories: Information Confidentiality & Integrity, Information Protection Services, Privilege Management Infrastructure, Infrastructure Protection Services, Availability or Denial of Service Protection, Secure Collaboration, Audit in Support of Regulatory Compliance; rated on Capability and Maturity)
What Should We Build?
"Some men see things as they are and say why; I dream things that never were and say why not."
George Bernard Shaw
Whitlock’s Laws for Access
1. Policy Driven – Policy, regulations, and business rules directly drive access decisions.
2. Automated – Access decisions and enforcement are automatic.
3. Disintermediated – Access control services are built using separate, loosely coupled components.
4. Standardized – Access control services use a common set of standard interfaces and protocols to decide, communicate, and record access.
5. Integrated – Access control services use common administration, accounting and auditing services.
1) Policy Driven
(Diagram: Governance Processes, Regulations, Local Access and Business Requirements feed Rules, Roles, Attributes and Responsibilities into the Access Control Administration Function; these populate the Rule, Identity, and Attribute Repository used by the Access Control Decision Function)
2) Automation
(Diagram: a Principal sends an Access Request with Identity to the Access Control Enforcement Function; it forwards Request, Identity and Attributes to the Access Control Decision Function, which draws Additional Principal Attributes, Decision Support Information, and Resource and Environmental Information from the Rule, Identity, and Attribute Repository and returns a Decision; the Enforcement Function then grants or denies Resource Access)
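A minimal version of the enforcement/decision split drawn on this slide, and of the first three of Whitlock's Laws (policy driven, automated, disintermediated), as an added example that is not from the presentation: the enforcement function knows only how to look up attributes and ask for a decision; rules, identities and resource attributes live in a repository; every decision is logged. All principals, paths, attributes and rules are constructed for illustration.

```python
# Rule, Identity, and Attribute Repository (all values constructed for the example).
REPOSITORY = {
    "identities": {
        "alice": {"role": "engineer", "citizenship": "US", "employer": "Boeing"},
        "bob":   {"role": "engineer", "citizenship": "UK", "employer": "PartnerCo"},
    },
    "resources": {
        "/designs/787": {"classification": "export-controlled", "owner_role": "engineer"},
        "/wiki/cafeteria": {"classification": "public", "owner_role": None},
    },
    # Rules come from governance processes and business requirements; each is a
    # predicate over (request, principal attributes, resource attributes, environment).
    "rules": [
        ("public-read", lambda req, who, res, env:
            res["classification"] == "public" and req["action"] == "read"),
        ("export-controlled-onsite", lambda req, who, res, env:
            res["classification"] == "export-controlled"
            and who["citizenship"] == "US" and who["role"] == res["owner_role"]
            and env["network"] == "intranet" and 6 <= env["hour"] < 20),
    ],
}

AUDIT_LOG = []  # Access Log Services: every decision is recorded, permit or deny

def acdf(request, principal_attrs, resource_attrs, environment):
    """Access Control Decision Function: default deny, first matching rule permits."""
    for name, permits in REPOSITORY["rules"]:
        if permits(request, principal_attrs, resource_attrs, environment):
            return "permit", name
    return "deny", "no-matching-rule"

def acef(principal, action, resource, environment):
    """Access Control Enforcement Function: gathers attributes, asks the ACDF,
    records the decision and enforces it. Knows nothing about the rules."""
    who = REPOSITORY["identities"].get(principal)
    res = REPOSITORY["resources"].get(resource)
    if who is None or res is None:
        decision, rule = "deny", "unknown-principal-or-resource"
    else:
        decision, rule = acdf({"action": action}, who, res, environment)
    AUDIT_LOG.append((principal, action, resource, dict(environment), decision, rule))
    return decision == "permit"

ONSITE_DAY = {"network": "intranet", "hour": 10}   # constructed environmental data
REMOTE_NIGHT = {"network": "internet", "hour": 23}
```

Changing who may see the export-controlled design is a repository edit, not a change to the enforcement point, which is the property the Disintermediation and Standardization slides that follow are arguing for.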
3) Disintermediation
(Diagram: zones Public Web, Internal Web, Factory, HR, Portal, and Sales, each protected by a separate point product: Will's Web Services Security Gateway, Paul's Premium Portal Protector, Proxy for Limited Devices, Evelyn's Excellent Encryption Engine, Fred's Frugal Firewall, Bob's Better Access Control Automaton, Alan's Access Control Engine, Diane's Divine Directories)
4) Standardization
(Diagram: components connected over standard protocols: HTTP, HTML, XML, SAML, XACML, LDAP)
5) Integration
(Diagram: shared services used by all access control components)
Common Administration & Policy Management
Common Logging & Audit Services
Centralized Encryption & Key Management Services
Access Control Summary
Coordinated Layered Controls
Coordinate all layers of security mechanisms, including application, information and governance.
Driven by a common, enterprise-wide, policy-based access control decision mechanism that incorporates local control requirements.
(Diagram: layers of Network Based Controls, PMI / Application Based Controls, and Information Based Controls; labelled elements: Applications, Whole Disk, File, Tunnels, E-Mail, IM, Encryption and Signature Services, Access Control Enforcement Function)