Layer upon Layer (Defense in Depth) 139
SIDEBAR: RISKS ASSOCIATED WITH OUTSOURCED SERVICES
Unfortunately, the required emphasis on shared-risk and service-provider management often isn’t there. The tendency is for the consumer to trust the provider and the provider’s protections, but this isn’t prudent. Once, during an assessment of a provider’s site Bill found a hole in a filter that allowed one consumer to create database connections to a server in a neighboring enclave. Fortunately, it was found before it could be exploited, but this was a collaborative application development site; just imagine how much damage could have been done! It is imperative that the consumer fully understand the risks associated with using outsourced services and resources. There is no such thing as a free lunch; every scenario has an associated set of risks. A decision to use outsourced services does not change your obligation to keep your data secure. You cannot transfer this responsibility to the provider, and it is guaranteed that the provider has no intention of taking on that responsibility either. The data belongs to you; make sure you understand what it will take to ensure its security.
Provider Objectives
Consistency is the best scenario for a service provider. It is far better to have one standard set of security objectives to work from than it is to provide customized security scenarios for individual customers. For example, if the service provider has fully hosted customers, it may be advantageous for the provider to treat every scenario as if it were fully hosted. While a “one size fits all” approach is the most cost effective, it can be difficult to reconcile it to the customer’s particular requirements. This is especially true in hybrid scenarios where a high level of integration is present. The security objectives discussed in the fully hosted scenario (uncompromising application security, exceptional customer data isolation, shared-risk mitigation, and superior accountability) apply in the hybrid scenarios as well. This section covers objectives that are specific to the different hybrid environments.
Uncoupled Scenarios
Uncoupled services are based entirely on consumer-initiated actions. The connection is typically a Secure Sockets Layer (SSL) connection on a public network (i.e., the Internet). The connection is primarily used to configure or update content on the service. The primary concern on the provider side is boundary protection because these services are exposed on a public network. The concern is not with the security of the service per se, but with the utilities and tools. For example, if the consumer uses FTP to transfer content to their site, how does the provider support this functionality in a secure manner? To a lesser extent, distribution attacks are also of concern because it is possible for the consumer to knowingly or unknowingly upload malicious code to the site. Providers must address these risks in the security objectives for uncoupled services.
Loosely Coupled Scenarios
The concerns in this scenario are the same as those in the uncoupled scenario, but the shared risk and distribution issues are amplified because the connection is bi-directional and in most cases, code must be installed on the end-user system for the service to work properly. The code could be a browser add-on, script, or a custom application. Web-based conferencing is a typical example of this scenario. The service is exposed to the Internet and uses SSL connections for conference scheduling, configuration, and attendance. Presenters may upload content, and attendees may stream content in real time or download saved/stored records (i.e., video or audio records, stored presentations, etc.). The end user must download and install browser code to support the conferencing functionality, and in some cases (e.g., NetMeeting) the end user may install a stand-alone client application. The provider must establish security objectives to guard against the corruption or compromise of the code they are distributing and must establish objectives for securely delivering that code and subsequent updates.
140 Security Strategy: From Requirements to Reality
Fully Coupled Scenarios
This scenario is characterized by dedicated connections and bi-directional data exchanges initiated by either party. These connections may be across a public network, but the services involved in the connection are not exposed on the public network. Nonetheless, the main concern here is still boundary protection. Each of these connections represents a potential attack vector; not from the Internet, but from the consumer, and the more services supported on the connection, the greater the potential risk.
King Edward built his castles on waterways for resupply and reinforcement purposes because his enemies had no real means of attacking water-based targets. Consequently, these activities could take place unharassed. This is also one of the advantages of dedicated connections between provider and consumer enclaves, but it does not dismiss the need for good access controls and boundary protections. The castle’s water entry was a potential source of an attack; it had to be guarded and access carefully controlled. The depiction of the castle water entry in the movie The Man in the Iron Mask is a superb example; the steel gate completely sealed the water entry (it couldn’t be climbed over and no one could swim under it), and the dock area had a single narrow passageway into the castle. Like the castle water entry, dedicated service connections must be protected against attacks. Security objectives for fully coupled scenarios must address the shared risks associated with dedicated service connections.
Fully Integrated Scenarios
The same attack vector issues noted earlier apply to the fully integrated scenario (see Figure 8.5) as well and may be somewhat amplified because of the increased integration of the systems. Scenarios that include co-located customer security management systems also increase the need for accountability; the provider must be able to account for all interactions they have with these systems should a security issue with these systems surface. Say, for example, someone enabled the guest account and it was used to compromise a system. The provider had better be able to prove it wasn’t one of their personnel that enabled the account; otherwise there is a high probability that the provider will be blamed for the breach and will therefore be liable for damages.
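As an added illustration of this accountability objective (example code, not from the book): the script below parses a constructed audit trail in an assumed "time actor action target" format, reports who enabled the Guest account and which party they belong to (judged by an assumed provider login domain), and lists every provider-side interaction with the system, which is the record the provider must be able to produce.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail; the line format and the domains are assumptions.
# Real records would come from the co-located security management systems' own logs.
SAMPLE_AUDIT = """\
2010-08-18T09:12:03Z actor=svc-admin@provider.example action=LOGIN target=mgmt-srv-01
2010-08-18T09:14:40Z actor=jdoe@customer.example action=ACCOUNT_ENABLE target=mgmt-srv-01\\Guest
2010-08-18T09:15:02Z actor=jdoe@customer.example action=LOGOUT target=mgmt-srv-01
2010-08-18T11:02:17Z actor=svc-admin@provider.example action=PATCH_APPLY target=mgmt-srv-01
2010-08-18T13:45:09Z actor=Guest@mgmt-srv-01 action=LOGIN target=mgmt-srv-01
"""
PROVIDER_DOMAIN = "provider.example"  # assumed: provider staff authenticate from this domain
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$")

@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    target: str

def parse_audit(text):
    """Parse audit lines; malformed lines are skipped rather than mis-attributed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["actor"], m["action"], m["target"]))
    return events

def is_provider_actor(actor):
    return actor.rsplit("@", 1)[-1] == PROVIDER_DOMAIN

def account_enable_report(events, account="Guest"):
    """Who enabled the named account on any system, and which party they belong to."""
    return [{"when": e.ts.isoformat(), "actor": e.actor,
             "party": "provider" if is_provider_actor(e.actor) else "consumer"}
            for e in events
            if e.action == "ACCOUNT_ENABLE" and e.target.split("\\")[-1] == account]

def provider_interactions(events, system):
    """Every provider-side action touching the system: the record the provider must produce."""
    return [(e.ts.isoformat(), e.actor, e.action) for e in events
            if e.target.split("\\")[0] == system and is_provider_actor(e.actor)]
```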
Fully integrated scenarios require a greater emphasis on shared-risk mitigation and accountability objectives, as well as well-defined access control objectives. Under no circumstances should the provider trust the expertise or capabilities of the consumer and, where possible, the provider should include shared-risk responsibility and cost recovery in the service contract. Another important consideration when defining the objectives of this scenario is the impact these objectives may have on service performance, as well as the impact (required changes) they may have on the customer’s computing environment. Backup services are a great example; they almost always require an agent to be installed on the consumer’s system, which could potentially conflict with other installed system software and applications. Backups may require that the system be offline for a period of time, or customer processes can be impacted by consuming excessive amounts of network bandwidth or system processor power. The provider must also consider shared support services (trouble ticketing, monitoring, backup, etc.) when establishing the security objective of this scenario.
Conclusion
Defense in depth is a multilayer and multidimensional protection scheme designed to absorb and progressively weaken an attack, thus providing the responder with sufficient time to organize the resources and weaponry required to repel the attack. Defense in depth applies multiple overlapping protections at the people, technology, and operational process levels. Some defenses protect, some detect, and others respond by alerting operations staff and activating additional controls. The primary objective behind defense in depth is time.
Thirteenth-century castles are classic examples of defense in depth. They not only provided multiple barriers (layers) that the attacker had to overcome, but they also addressed the essential dimensions of a good defense: observation, rapid response, and weaponry. Watchtowers provided early warning of attack, and moats, walls, and reinforced gates proved formidable obstacles to attackers. Wide passageways atop and inside the castle allowed troops to rapidly deploy to the points of attacks, and defensive positions such as archery slits and kill holes cached with an ample supply of arms gave defenders a decided advantage.
Figure 8.5 Fully integrated scenario. [Figure: the Internet connects a customer enclave, a services enclave, and a management enclave; labelled components are business intelligence, electronic mail, directory server, content server, instant messaging, SharePoint services, pass-thru backup data, backup server, and management server.]
Castle fortifications evolved over time with two key goals: increasing and strengthening the defensive barriers; and improving the defender’s ability to actively fight back. A similar evolution is needed in the information security realm. It begins with the establishment of computing enclaves based on the value of the assets being protected, and it continues with the identification of specific security objectives for controlling the transactions within the enclave, as well as the inbound and outbound data flows with systems in other enclaves.
Three common information processing environments to consider are: in-house, fully hosted, and hybrid. In-house environments have an enclave that is under a single controlling authority governed by corporate policy. In a fully hosted environment, the consumer only has end-user systems that connect to service enclaves. One or more service providers supply all the applications and services the consumer needs to conduct his or her business. The services are governed by contract (service-level agreement). The hybrid model has both in-house and outsourced (service provider) applications and services under the control of different authorities, some governed by corporate policy and others by contract. In-house is the most costly, but also the most secure because it does not have to deal with shared risk. Fully hosted is the lowest cost option but does not allow for any security customization. The consumer must accept the provider’s “one size fits all” security management scheme. Hybrid environments are a combination of in-house and hosted applications and services. There are hundreds of different hybrid configurations that fall into four major types: uncoupled, loosely coupled, fully coupled, and fully integrated. These types define the level of connectivity between the parties. Uncoupled is primarily a “push” connection that is always initiated by the consumer. Sending content updates to a website is an example of this type of connection. Loosely coupled involves two-way communications between the consumer and the service, but the connection is not full time and it is initiated by the consumer. Web-based mail is an example of this type of connection. Fully coupled is bi-directional communications that can be initiated by either party, and fully integrated is where the provider’s enclave functions like an extension of the consumer’s environment. Both of these environments are based on full-time dedicated connections between the consumer’s and the provider’s enclaves. The principal difference is the range of services using this connection; fully integrated environments may share a number of common services including naming, time, identity, monitoring, and backup services. The security objectives for each scenario are different for consumers and providers, and each scenario emphasizes the need for excellence in certain control structures over others. These factors must be taken into consideration when identifying defense-in-depth security objectives.
Today networks are the primary conduits of modern commerce, but their architectures remain remarkably similar to the ancient castle bastides (a fortified security perimeter with multiple openings to support trade with partners, vendors, and customers). There is this one important difference, however: there is no place to retreat to for better protection! Understanding this analogy is critical to the design and deployment of secure enclaves. “Bastide”-style enclaves are not now, nor will they ever be, defensible. IT environments must implement the strategies that made castle defenses so effective: layered defenses, limited access, outstanding observation and alarming (monitoring and alerting), preparedness, and rapid response. Defense in depth at every level of service means people, process, and technology.