Recently Richard Bejtlich has been on a roll of thought-provoking posts. It starts here with Technical Visibility Levels:
The trustworthiness of a digital asset is limited by the owner's capability to detect incidents compromising the integrity of that asset.
This post is followed by "Protect the Data" Idiot!, in which Richard makes the valid point that data doesn't exist outside of a container (such as a file, memory, or a network channel), so it's really all about context. He then drills down on "Protect the Data" from Whom?, "Protect the Data" Where?, and "Protect the Data" -- What Data?, which describe various real-world challenges to actually deploying data protection. It's good analysis, but one issue is that data protection is not limited to, or even primarily about, DLP.
As I mentioned before, I don't recall seeing a single high-integrity system in the history of enterprise computing. So if we accept Richard's assertion that a digital asset's trustworthiness is predicated on detecting integrity breaches (and I am inclined to, because of its asset centricity), then shouldn't we be asking "Deliver Integrity" - Where?, "Deliver Integrity" - to what?, "Deliver Integrity" - for whom?, and most importantly "Deliver Integrity" - how exactly?
I doubt there's an easier point in your system to deliver integrity than Web service XML messages, yet even here, where it's straightforward to sign XML, integrity services are deployed in less than 28% of the cases we know about.
The necessary conditions to fully deliver on the above integrity goals require that the enterprise systems in use today be rewritten top to bottom. That's pretty clearly not going to happen any time soon, so that leaves us in a mode of what I loosely call discretionary integrity. But even this is likely to be watered down by the existing weak capabilities in audit logging, which are further reduced by the lack of separation of privileges that would enable it.
Our ability, using today's technologies, to deliver vastly improved audit logging is, I believe, a worthwhile and achievable goal. But it's fair to ask - why hasn't it happened yet? I mean, let's just take WS-* as an example. A lot of effort has gone into building capabilities such as BPEL, WS-Security, WS-Addressing, WS-ReliableMessaging and so on, but as far as I know almost none into WS-Eventing (event logging standard). It's not that building much better audit logging is technically difficult; it just doesn't make it onto the high-priority feature list, and so it does not happen. It's a very similar story to the authorization weaknesses that we see.
So the audit logging that's required at the software level to give visibility is lacking in today's systems, and as far as the integrity side goes, I think all the same "how exactly?" questions still apply. Richard is quite right to point out that "Protecting the Data" is all about the context of the container, but the exact same issue applies in the case of integrity - what did you sign, what did you hash, and so on. The container boundary, whether defined by authN/authZ/encryption "protection" or defined by a hash/signature, is what matters, and of course this is heavily contextualized by use. So really it's all about reference monitors, or the lack thereof, and my money says we're better off building better audit logging first (the monitor part) while we try to figure out the "how exactly?" questions around integrity.
For IEEE Security & Privacy, Anton Chuvakin and I documented some ideas and issues with regard to audit logging in an eventually consistent world, some of the architectural challenges in doing so, and described a starting point for building an event model of events that are interesting from a security point of view (AAA, changes, threats, ...). But even these are, in most companies, custom one-off efforts led by people with an interest, not driven by standards. As Bob Blakley says, "we've been wandering in the audit desert for too long."
So before we chase after a grandiose goal like "Protect the Data", maybe a more realistic starting point is "Audit Log the Events", to which you'll reply "what events?" But I think that's a question we can (and should) answer today.
</gre_replace>
<gr_insert after="10" cat="add_content" lang="python" orig="So before we chase">
To make the two threads above concrete (the "what did you hash?" container boundary for integrity, and a minimal event model covering AAA, changes and threats), here is an added example in Python. It is not code from this post or from the IEEE Security & Privacy paper; the event fields, the category names and the keyed hash chain are my own assumptions about one reasonable starting point. Each record is tagged with an HMAC over its sequence number, the previous record's tag and a canonical encoding of the event, so the canonical byte string is exactly the integrity boundary: anything outside it is unprotected, and anything inside it cannot be edited or reordered after the fact without the verifier noticing.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional, Tuple

# Hypothetical logging key (assumption). In a real deployment it would be held
# by a separate logging authority or HSM, not by the application emitting events,
# which is the separation of privilege the post says is usually missing.
LOG_KEY = b"example-log-key-not-for-production"
GENESIS = "0" * 64  # prev tag of the first record


@dataclass(frozen=True)
class AuditEvent:
    category: str   # "AAA", "CHANGE" or "THREAT": the three classes named in the post
    actor: str      # authenticated principal that performed the action
    action: str     # what was done
    target: str     # which object or container was affected
    outcome: str    # "success", "failure", "blocked", ...
    timestamp: str  # RFC 3339 UTC, constructed by the emitter


def canonical_bytes(event: AuditEvent) -> bytes:
    """Deterministic encoding of the event. These bytes ARE the integrity boundary."""
    return json.dumps(asdict(event), sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("ascii")


@dataclass
class Record:
    seq: int            # position in the log
    event: AuditEvent
    prev: str           # hex tag of the previous record, links the chain
    tag: str            # hex HMAC-SHA256 over seq || prev || canonical event


def compute_tag(seq: int, prev: str, event: AuditEvent) -> str:
    mac = hmac.new(LOG_KEY, digestmod=hashlib.sha256)
    mac.update(seq.to_bytes(8, "big"))
    mac.update(bytes.fromhex(prev))
    mac.update(canonical_bytes(event))
    return mac.hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: List[Record] = []

    def append(self, event: AuditEvent) -> Record:
        seq = len(self.records)
        prev = self.records[-1].tag if self.records else GENESIS
        rec = Record(seq, event, prev, compute_tag(seq, prev, event))
        self.records.append(rec)
        return rec


def verify_chain(records: List[Record]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the log is intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev != expected_prev:
            return False, i  # gap, reorder or deletion in the middle of the log
        if not hmac.compare_digest(rec.tag, compute_tag(rec.seq, rec.prev, rec.event)):
            return False, i  # record body or header edited after it was written
        expected_prev = rec.tag
    return True, None


def sample_log() -> AuditLog:
    """Constructed sample: one event per category (not real data)."""
    log = AuditLog()
    ts = "2009-01-01T00:00:00Z"
    log.append(AuditEvent("AAA", "alice", "login", "portal", "success", ts))
    log.append(AuditEvent("CHANGE", "alice", "update-price", "sku:123", "success", ts))
    log.append(AuditEvent("THREAT", "anonymous", "login", "portal", "failure", ts))
    return log


def tamper_record(log: AuditLog, seq: int, new_outcome: str) -> None:
    """Simulate an after-the-fact edit of a stored record body (tag left unchanged)."""
    old = log.records[seq]
    log.records[seq] = replace(old, event=replace(old.event, outcome=new_outcome))


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log.records))
    tamper_record(log, 1, "failure")
    print("after edit:", verify_chain(log.records))
    log = sample_log()
    del log.records[1]
    print("after deleting a middle record:", verify_chain(log.records))
```

The chain detects edits and gaps, but not truncation of the tail: an attacker who simply drops the newest records leaves a log that still verifies. Closing that hole means periodically anchoring the latest tag somewhere the application cannot write (a separate log server, a printed or published checkpoint), which is the same separation-of-privileges point raised above.
<test>
log = sample_log()
assert verify_chain(log.records) == (True, None)
assert log.records[0].prev == GENESIS
assert log.records[1].prev == log.records[0].tag
assert log.records[2].prev == log.records[1].tag
assert canonical_bytes(log.records[0].event) == canonical_bytes(log.records[0].event)
tamper_record(log, 1, "failure")
assert verify_chain(log.records) == (False, 1)
log2 = sample_log()
del log2.records[1]
assert verify_chain(log2.records) == (False, 1)
log3 = sample_log()
log3.records[1], log3.records[2] = log3.records[2], log3.records[1]
assert verify_chain(log3.records) == (False, 1)
log4 = sample_log()
del log4.records[2]
assert verify_chain(log4.records) == (True, None)
</test>
</gr_insert>
<gr_replace lines="11" cat="remove_boilerplate" orig="Comments">
Comments