Enterprise Security – Candy or Nightclub?
Often when discussing technical things we revert to analogies. An almost throwaway one used for security in many enterprises is the soft-centred candy: a hard outer shell that, once you bite through it, is soft on the inside. Use it and you get many knowing looks from your audience. This is because a lot of investment and time has gone into creating a hard perimeter around an organisation, its data, people and infrastructure, on the assumption that keeping the bad guys out was the answer, neglecting how easy things become once the bad guys get in or a good guy turns bad. However, many organisations do care and treat parts of their soft centre differently, and for these I prefer the nightclub model, especially when discussing things like adaptive authentication.
For my model of a nightclub, I imagine a private members' club within a public bar complex. Anyone can come into the bar; on occasion they may be asked to prove their age, but typically they get access without having to give any information about themselves. The bar staff will use some basic physical attributes to determine whether they should be there: are they behaving reasonably, are they human, and are they not on the picture board of banned individuals. In the security world most web sites or gateways do much the same, using physical attributes such as IP address and behaviours such as port scanning or crawling to limit access to only those that look like legitimate users. The members' club within the bar has door staff who are going to want to see some ID, or to give you access based on some token you have, perhaps some kind of difficult-to-forge guest card. Once inside the club you are free to roam all of the communal areas, but to get into the roped-off areas you may need something else, and this is where the analogy becomes more powerful.
Imagine for one moment that you happen to find yourself on the network inside a large organisation. After you have looked for sensitive data that has spilled out from secure systems into public areas, the next best place to look is the places they do not want you to go. It is often pretty easy to discover where on a network all the interesting stuff probably is: you look for the places where there is no guest access and normal user credentials do not work. The roped-off areas. Just like in a club, you may not know what is in there, but you know that if you can get in you will find something of interest. Penetrate this area and you are inside another hard shell.
I know of several clubs that have exactly this set-up. They sit within a complex that is open to the public, have door staff who check ID, have roped-off areas where celebrities can be spotted, but they also have really secure private areas. The entrances are not obvious; in fact you have to be met by someone to guide you there. Physical security is strict. Via the magic of one-way glass and dimly lit balconies these areas are invisible from the main club. I have worked with enterprises who have exactly this replicated in IT: dedicated infrastructure that cannot be accessed from within the enterprise's own network, where the valuable IP or other information is stored. It is why I like the nightclub analogy.
However, like the 1970s discotheques that many of today's uber clubs are based on, this analogy is out of date, or at least will be very soon. It is based on the premise that there is something physical that we are trying to protect. Times have changed: we are now in the business of protecting information, and that information will legitimately need to move, so we need to add the concepts of content and context to our analogy.
I use the term content to describe what the information is. Some content is public. If we find a document that is also published on an organisation's public web site, it would be superfluous to secure it beyond making sure that the published version remains read only. If, however, it contains sensitive information, whether derived from the content itself or from the metadata associated with it, we will need to treat it differently, and apply different rules to different types of content.
Context covers what is being done to information, and that includes where it is. A confidential document transiting through an email gateway or sitting on a USB key must be treated differently from one sitting on a well-protected server. As the context changes, so must the way the information is protected.
Of course there is interplay between content and context. At one end of the spectrum we have public content, where context is on the whole irrelevant, and at the other our most secret information, where the valid contexts are very limited. In between is where the complexity comes, and to date I have come up with no obvious analogy, so we must resort to real use cases until we find one. One I have been asked about several times is how the contexts of location and device type could be brought into play. An executive is working on a sensitive business plan. From their desk, using their laptop or desktop computer, they have full access to the document, and if it is saved it will be encrypted. When they go to a meeting they may also need access to it on their tablet; this might be restricted to read only, and again any copy held on the device will need to be encrypted. However, even though it is stored in an encrypted format, the document should be inaccessible to the executive when, for example, they leave the office and are travelling on public transport, as someone may read it over their shoulder. It may become accessible once more in their study at home, but with any ability to copy or print it disabled.
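The executive's use case above, written out as a small deny-by-default policy evaluator over content classification and context (device, location). This is an added illustration, not code from the original post; the sensitivity levels, device and location names, and the rule ordering are assumptions chosen to match the scenario.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, FrozenSet, List, Tuple

# Content: what the information is. Ordered so rules can compare levels.
class Sensitivity(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2

# Context: what is being done to the information and where it is (assumed values).
@dataclass(frozen=True)
class Context:
    device: str    # "desktop", "laptop" or "tablet"
    location: str  # "office", "home" or "public_transport"

# A rule is (name, predicate over (content, context), actions it grants).
Rule = Tuple[str, Callable[[Sensitivity, Context], bool], FrozenSet[str]]
FULL = frozenset({"read", "write", "copy", "print"})
READ_ONLY = frozenset({"read"})
NONE: FrozenSet[str] = frozenset()

RULES: List[Rule] = [
    # Public content: context is irrelevant, but the published copy stays read only.
    ("public-anywhere", lambda s, c: s == Sensitivity.PUBLIC,
     frozenset({"read", "copy", "print"})),
    # Confidential plan on a desk machine in the office: full access.
    ("confidential-desk", lambda s, c: s == Sensitivity.CONFIDENTIAL
     and c.location == "office" and c.device in ("desktop", "laptop"), FULL),
    # Same plan in a meeting on a tablet: read only.
    ("confidential-tablet", lambda s, c: s == Sensitivity.CONFIDENTIAL
     and c.location == "office" and c.device == "tablet", READ_ONLY),
    # In the study at home: readable again, copy and print stay disabled.
    ("confidential-home", lambda s, c: s == Sensitivity.CONFIDENTIAL
     and c.location == "home", READ_ONLY),
    # Secret content: only the office desktop is a valid context at all.
    ("secret-office-desktop", lambda s, c: s == Sensitivity.SECRET
     and c.location == "office" and c.device == "desktop", frozenset({"read", "write"})),
]

def evaluate(content: Sensitivity, ctx: Context) -> Tuple[str, FrozenSet[str], bool]:
    """Return (matched rule name, permitted actions, must-encrypt-at-rest).

    First matching rule wins; a context no rule names (e.g. public transport)
    falls through to default-deny. Anything above PUBLIC is always encrypted
    wherever a copy is held, regardless of which actions are permitted."""
    encrypt = content > Sensitivity.PUBLIC
    for name, matches, actions in RULES:
        if matches(content, ctx):
            return name, actions, encrypt
    return "default-deny", NONE, encrypt
```

The matched rule name is returned so an audit log can record why a given context was allowed or denied.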
Technically, none of this is difficult to do; the challenge will be finding something to replace the candy and the nightclub so we can talk about it.