I used to think that we had security problems to solve, and that the role of a security architect was to identify threats and to design, implement, and integrate controls. I was wrong.
We don't have security problems. Not really. Our protocol life span is measured in decades. SSL, Kerberos, SDSI and SPKI, these have been around for decades. The problem is not the protocols.
The hard part isn't mapping threats to controls either. True, the industry as a whole isn't great at this, but it can be learned and it's getting better.
No, the problem is integration.
I used to think we had security problems to solve first, and that integrating the security solution came afterwards.
Actually, the security basics are long figured out; it's the integration that's killing us. We don't have a security problem with integration requirements. We have an integration problem with security requirements.
When you go to RSA or any security conference, the show floor is awash in products. They all do something or other, but can you get them to work in your production system? And will you get the same quality they show in the cooked-up demos? Probably not. Why not? It works fine in the demos; aren't those real examples? Sure, but they are not your examples. We can think of a solution, but will it work with Google? Does Websphere support it? What about the keystore? Can we bind it to OTA? And on it goes.
It's not just solutions; it's threats, vulns and countermeasures too. Go right down the OWASP list.
SQL Injection? Need to integrate input validation into the front-end handlers and the data model. Need to integrate prepared statements, parameterized queries, and stored procs into the backend DAO.
CSRF? Need to integrate a nonce into every request. Need to convince the team that spent the last decade keeping state out of the middle tier that we should put it back in. Need to find a way to reboot a server even with the middle-tier state.
Broken authentication? Need higher-assurance creds, and need to integrate those into the session bootstrap mechanisms.
Elevation of privilege? Need to insert a security pipeline that extracts the attributes from the signed token and integrates them into the internal authZ code.
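To make the "integration point" concrete, here is an added example (not code from the original post) that wires three of the OWASP items above into one request handler: a DAO that binds user input as a parameter instead of splicing it into SQL, a per-session CSRF nonce checked in constant time, and a security pipeline step that verifies an HMAC-signed token before its attributes reach the internal authZ code. The users table, the signing key, the permission table and the dict standing in for a server-side session are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3

# ---- SQL injection: the backend DAO integration point ----

def make_db():
    """Constructed sample data standing in for the real data model."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_unsafe(conn, name):
    """String concatenation: the caller's input becomes part of the SQL grammar."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = '" + name + "'")]

def find_user(conn, name):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

# ---- CSRF: a per-session nonce that every state-changing request must carry ----

def issue_csrf_nonce(session):
    """Store a fresh unguessable nonce in the server-side session and return it."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def check_csrf(session, submitted):
    """Compare the submitted nonce with the session copy in constant time."""
    expected = session.get("csrf")
    return (expected is not None and isinstance(submitted, str)
            and hmac.compare_digest(expected, submitted))

# ---- Elevation of privilege: signed-token attributes feeding internal authZ ----

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # placeholder value

def issue_token(attrs, key=SIGNING_KEY):
    """Encode the attributes and append an HMAC-SHA256 tag over the encoded body."""
    body = base64.urlsafe_b64encode(json.dumps(attrs, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def extract_attributes(token, key=SIGNING_KEY):
    """Security pipeline step: verify the tag first, only then decode the attributes."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature does not verify")
    return json.loads(base64.urlsafe_b64decode(body.encode()))

PERMISSIONS = {"admin": {"read", "delete"}, "user": {"read"}}  # constructed policy

def authorize(attrs, action):
    """Internal authZ code only ever sees attributes that passed verification."""
    return action in PERMISSIONS.get(attrs.get("role"), set())

def handle_delete(token, session, csrf_nonce, conn, target):
    """Wire the three integration points together for one state-changing request."""
    if not check_csrf(session, csrf_nonce):
        return "rejected: csrf"
    try:
        attrs = extract_attributes(token)
    except ValueError:
        return "rejected: token"
    if not authorize(attrs, "delete"):
        return "rejected: authz"
    conn.execute("DELETE FROM users WHERE name = ?", (target,))
    return "ok"
```

The order inside `handle_delete` is the integration decision: the request is rejected on the cheapest check first, the token is verified before any attribute is read, and the DAO is only reached with bound parameters. Swapping the real session store, token format and policy engine in for the placeholders leaves that shape unchanged.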
The mapping from problem to solution is figured out, and so are the protocol choices; what is left is the hard part: integrating with real systems. The security industry has not really tackled this problem at scale, and that is where we need to go next: security integration patterns, meaning what is necessary for a control to work within the system, factoring in first-mile and last-mile integration, communication protocols, persistence, session state, and interfaces.
The security industry very much wants you to think there are security problems. There aren't. There are integration problems.
I will leave it here with an illustrative excerpt from Brilliant Orange:
"Schiphol established itself as the world’s most admired and eagerly studied airport. It grew rapidly and became a central hub of Holland’s economy and transport system. In the late 1980s, to resolve the problems of ever-growing congestion, architects Jan Benthem and Mels Crouwel were given the job of enlarging and improving Schiphol.
The partners have been dubbed ‘the Houdinis of the Polder’ by critic Art Oxnaar for their ability to solve complex architectural problems. They have designed such high-prestige buildings as the Anne Frank Museum and are now integrating a new subway line and bus station into Amsterdam’s Central Station, a project likely to change the face of the city…instead of using separate buildings (or parts of buildings) for separate functions (arrivals, departures, shopping, etc.), the architects insisted on just one sleek grey-white steel and concrete building, in which everything was integrated…‘Normally, everything is split up and problems are solved separately,’ says Jan Benthem, the airport’s chief architect since 1985. ‘That makes individual problems easy to solve, but the connections between problems become very complicated and something simple ends up in a real mess. If you integrate it in the first place, that turns out to be the most simple solution.’
Schiphol’s integrated structure allows huge volumes of freight and passengers to circulate at high speed and with remarkable precision. The simplicity and flexibility of its basic grid design (the grid is even visible on the airport’s floor tiles) means different elements in the building can be switched around constantly to meet ever-changing needs. The complex and huge flows of people and cargo are shifting constantly. Even small changes in one area will ripple consequences through the entire system. For example, if fewer passengers use one ‘finger’ of the site, the customs desks, shops, or bus station all have to be modified. The key to solving these problems is a mixture of quick thinking and careful preparations. ‘You must have a plan, but you also have to be ready to change it at the last minute or to make a decisive, sudden, completely unexpected movement to arrive at the place you want.’ A rigid approach would be doomed. ‘You must never say: “I’ve done my work in advance and nothing will keep me from my path.” We don’t plan the track; but we plan where we want to be. We have several tracks in mind and we are always ready to change track or re-group or have a new solution or be able to react at the last moment. We tried to make Schiphol so flexible that you can always change course. You need a simple system where, if something goes wrong, you always have a second, third, or fourth solution at hand. For example, we always insist that the buildings have strong floors. When you build an area you must always expect that it will be used for something else. It starts out as a waiting area, but maybe they want to build shops there. Maybe they want a bank, too, which has a heavy safe in it. When the traffic flow changes, it becomes perhaps a baggage-handling area with heavy machines or a big hole in the floor…no grand visions, but clever solutions’
Schiphol, meanwhile, is grappling with barely less complex questions of identity of scale. As it grew from seventeen million passengers in 1989 to thirty-eight million a decade later, Schiphol mutated into a small city, with burgeoning numbers of offices and cafes and a shopping centre. The airport has become so large – and its attendant congestion and pollution so irksome – that plans were even floated (before being rejected as too expensive) to relocate it to an artificial island twenty miles into the North Sea, connected to land by a high-speed rail link. The culture is changing too. ‘The whole airport environment has changed in the last ten years. From a functional machine for traffic it has become much more of an environment for spending time and money in,’ says Benthem. ‘Airports of the past were places where you basically didn’t want to be, just a space to pass. It’s nice to make spaces where people enjoy themselves and like to be.’
The authority at Schiphol has come up with a radical new problem. ‘They always said to us: “We want sober and functional.” Now the new manager thinks the time for sober and functional is over. He says he likes the cosy atmosphere of the airport at Christmas. It’s very nice at Christmas. We have lights everywhere, trees every ten metres. The manager said: “We need to have the airport like Christmas all year round.” Well, Holland is an entirely artificial country. You want Christmas all year round? We can fix that, no problem.’
The airport has fundamentally altered, though. It makes most of its income from shopping rather than anything related to flying. That means Benthem must juggle totally contradictory imperatives. ‘In an airport you want the best flows, the most obvious route from one point to another. In a shopping centre, you want people to get lost. You let them in and never let them go out again! So you have to combine that in the airport where it is changing from a machine for traffic into a machine to generate money. So you have to have a fine balance between finding your way and losing your way! You have to realize the problem and make the best of both worlds. What is the shortest way from your car to the airport but that makes it impossible to miss the shops? That’s the clever solution.’
Solutions, solutions. Problems, problems.
In football, Johan Cruyff says, ‘Simple play is also the most beautiful. How often do you see a pass of forty meters when twenty meters is enough? Or a one-two in the penalty area when there are seven people around you and a simple wide pass around the seven would be a solution? The solution that seems the simplest is in fact the most difficult one.’ Benthem takes the idea a stage further: ‘I think it is very Dutch to look for a simple solution. And the biggest thrill in our work is to find an even simpler solution. That is what we like. In the end the most satisfying solution is the one where you have cleared everything away and there is no solution at all anymore but, at the same time, the problem has been solved. That’s the nicest way of doing it.’”
Integration metrics are the key component in Visible OpsSec.
I don't agree that we don't need to map threat-vulnerability scenarios to information security management controls, but I do disagree with the way we do it now (and the way that we are capable of doing it now).
Posted by: Andre Gironda | November 15, 2013 at 09:48 AM