
Threats, Mechanisms, and Standards

iang comments on Adam's (and friends') work on Threat Modeling. iang takes issue with the same STRIDE point that I don't like (my repudiation rant will be familiar to anyone who has taken my classes).

Threat --> Security Property
Spoofing --> Authentication
Tampering --> Integrity
Dispute --> Evidence
Information Disclosure --> Encryption
Denial of Service --> Availability
Elevation of Privilege --> Authorisation

Could not agree more with changing Repudiation --> PKI to Dispute --> Evidence/Audit.

Connecting the dots further to standards and implementations, we can see how our security standards position us to deal with threats:

Threat | Security Property | Standard
Spoofing | Authentication | XML Sig - widely implemented
Tampering | Integrity | XML Sig - widely implemented
Dispute | Evidence/Audit | None - (note this is why we need WS-Anasazi)
Information Disclosure | Encryption | XML Enc - widely implemented
Denial of Service | Availability | No standard
Elevation of Privilege | Authorization | XACML, SAML ADA - not widely implemented

So in a nutshell: start with a threat model, identify relevant countermeasures, then look for the standards and patterns that address them.

That was fast

...the digital natives may be getting some better tooling faster than I thought. I am sure you already know there is a northern alliance and Redmond is U-Prove enabled. I fondly remember a lengthy conversation I had with Stefan Brands in Croatia several years ago, while he patiently explained to me how misguided the security-privacy collision course way of thinking is, and instead how real security is only achieved with privacy. If you have not already, I recommend you read Stefan's primer on user identification.


Here is hoping that the combination of Stefan's breakthrough innovation and some Redmond engineering talent equals a third security mechanism that we can all use (we already have the reference monitor (sort of) and crypto (ibid); a third mechanism wouldn't hurt). As iang points out, it's all about minimal disclosure. I guess what I see as the potential breakthrough is the mixture of the composable CBAC packaging framework with a set of algorithms that avoid the panopticon. An obvious worst case for SOA and Web services security is that instead of optimizing and creating interop for increased (read: message-level) security, we instead optimize a panopticon! Instead we want to keep the interop but not enable the linkage, which is the precise problem that Stefan's work addresses.


When Will We See Market Forces in Infosec?

Market forces have been instrumental in rolling out lots of good technologies. For example, back in the 90s, thanks to the web boom, component programming, and J2EE, BEA was the fastest company ever to $1 billion. I am still waiting for market forces to drive better security, though. We have companies that are good at producing toothbrushes and toothpaste, we have companies that are good at telling you what brand of toothpaste your neighbor is using, we have companies that are good at producing conferences, and we have companies that are good at helping companies pass audits; what we don't really have, though, is security companies of scale that help enterprises of scale solve real-world security problems. I think it would be good if we did. The enterprises have a lot of problems, and they are in need of innovation in the security space, but the enterprises have limited ability to develop and deploy security innovations (their top people are already spread thin), and the market has so far not listened particularly well to the enterprises' problems (or the ones who have are still fairly small), leaving us with a few billion breached records washed up on the shore.

Instead, we can find a better model in the automotive industry. Autoliv (ALV) (incidentally, Motley Fool ranks them as a best international stock) is the world's largest supplier of seat belts and airbags. These are component parts that are refined and optimized by Autoliv and sold to auto manufacturers across the globe. Business Week:

Being No. 1 is a long tradition for Autoliv. Started in 1956, it was one of the first companies in the world to manufacture seat belts. It has maintained market share by constantly improving quality and design, spending 6% of annual sales on research and development. It also built up share by acquiring U.S. air-bag manufacturer Morton International Inc.'s Automotive Safety Productions Div., a world leader.

Ok, we have a company with a multi-decade track record of leadership in deploying safety mechanisms, and they spend a high percentage of sales on R&D.

Autoliv's early success was helped by close cooperation with Swedish carmaker Volvo, whose marketing strategy has long been largely based on safety. But Autoliv quickly branched out. It now supplies nearly all major auto companies and has factories in 32 markets.

Hmm...close cooperation with customers instead of marketecture and throwing "suites" (in name only) over the wall....

The big challenge is to meet carmakers' increasing demands to cut prices. "The new generation [of products] has to cost less," says Westerberg. The company is moving its production to low-cost countries such as Poland and Tunisia while closing down or consolidating elsewhere. It has bought several suppliers to slash costs and production time.

Being sensitive to cost instead of marking things up by orders of magnitude simply because you know that something is on the auditor's checklist.

The strategy is paying off. Sales were up 14%, to $3.8 billion, for the first nine months of 2003, with a 15% profit increase, despite a worldwide slowdown in car sales. Analysts estimate sales for the whole year hit $5.2 billion. Westerberg aims to continue the trend with more sophisticated air bags designed to comply with new U.S. standards. Westerberg can think up quite a storm on those strolls.

Wait - they listen to customers, innovate new things, control costs, and deliver safety mechanisms to market while growing their business? When will Silicon Valley answer the bell on this model?

All snarkiness aside, we do have some reasonable examples of companies innovating in the security space; I would just like to see them scale. I would also like to see companies that are already large scale meet the size and shape of the problem; we have at least one good example of this. It is strange to me that companies like Sun, Red Hat, and others seem to approach security as a game to sell more hw/sw instead of a viable market in and of itself. Why don't they step into the breach (pun intended) and work to solve these problems? Maybe they should fly to Stockholm and learn about side curtain air bags? I mean, Autoliv is a $3+ billion business that sells security innovation; maybe it's not as interesting to Sun as backup tapes, but that's not chump change either.


Gunnar Peterson teaching Web Services Security training, NYC, March 10-11
