Diverse Groups Share Information Assurance Quandaries

August 2002
By Joseph McKendrick

Open systems require multilevel security solutions.

Government agencies and commercial companies that are striving to share data to protect citizens or improve service to customers are discovering that as access to data increases, information security challenges grow exponentially. To address this concern, trusted security approaches emerging from government applications offer information assurance at both the operating-system and relational-database-management levels.

Today, companies that open their data to as many end users as possible have the competitive edge. Firms are leveraging previously inaccessible data to support business partners, e-commerce initiatives, business intelligence and analytics, data warehouses and data marts, customer relationship management, and mobile and wireless data access.

The opportunities that Web-enabled openness offers, however, increase risk. Grievous losses of proprietary information have already occurred as a result of breaches launched from outside systems. A recent Evans Data Corporation survey of the managers of 700 databases finds that more than one in 10 companies’ databases were directly breached in 2001.

This figure does not include incidents of internal data corruption by unauthorized employees. Internal violations are just as much of a problem as external threats to databases. And while popular network security tools such as firewalls may offer some protection against outsider intrusions, they provide no protection from security breaches instigated by insiders. Innumerable disgruntled employees have destroyed data.

Some commercially available software packages—both operating and database-management systems—are not properly configured to provide robust, trusted security that will protect valuable corporate data. Many organizations assume that security can be ensured with features within operating or relational database management systems (RDBMS). However, protection at one layer offers no protection at another layer. In addition, most commercially available operating systems and databases do not meet the criteria for trusted security.

Trusted or mandatory security addresses four fundamental elements in computer systems: confidentiality, integrity, authentication and access. Confidentiality controls access to information. Integrity ensures that information and programs are changed only in a specified and authorized manner, that computer resources operate correctly and that the data is not subject to unauthorized changes. Authentication verifies that a claimed identity is legitimate and belongs to the individual accessing the system. Access standards allow authorized users to view information resources on an ongoing basis.

Enterprises are now able to benefit from the technologies and experiences developed within some units of the U.S. Defense Department and the National Security Agency (NSA). These organizations have developed and deployed trusted solutions both at the operating system and RDBMS levels. The NSA’s definition of trusted refers to a system component, such as the operating system or RDBMS, that operates according to the mandatory access control policy and is subject to rules for labeling files and accessing records. The NSA also contends that in trusted computing environments, the definition of policy logic and the assignment of security attributes are tightly controlled by a system security policy administrator.

Such policies support a trusted path mechanism that provides a means to ensure that the end user is interacting with trusted software. This prevents users from supplying sensitive data to malicious software that may be spoofing trusted software, or it guarantees a mutually authenticated channel. In addition, data can be maintained at a centralized, integrated database, reducing the need for separate systems at different sensitivity levels. Users and data are assigned varying sensitivity labels. If users have the appropriate sensitivity label, they are allowed access to the data; otherwise, access is denied.

Common security flaws that occur in commercially available operating systems include a lack of sufficient security policies or robust support for these policies and little support for privileged access. In addition, problems exist with inconsistent or insecure password usage, lack of protection from malicious code, misuse of system administrator privileges, little support for trusted path or protected path mechanisms, and access by users who bypass cryptographic-key systems. Vulnerabilities arise in corporate data stores as a result of such flaws.

“The threats posed by the modern computing environment cannot be addressed without support from secure operating systems,” NSA officials say. “Any security effort that ignores this fact can only result in a fortress built upon sand.”

Because of its popularity, Microsoft’s Windows operating system has been the target of attacks from around the world. Recently, after criticism that its products were too vulnerable to attack, Microsoft’s Chief Executive Officer Bill Gates announced that security was Microsoft’s top priority. However, one month after Gates’ directive, critical flaws were discovered in at least six products, including the Windows XP operating system and SQL Server 2000 RDBMS.

The mandatory security mechanisms of an operating system ensure that subsystems are tamperproof and cannot be bypassed. Such mechanisms also may be used to confine an application to a unique security domain that is separated from other domains in the system. Applications may still misbehave, but the resulting damage can be restricted to the single security domain. Currently, only one operating system, Trusted Solaris 8 from Sun Microsystems, is certified to operate at the high levels of functionality and assurance specified by the NSA and the Defense Department.

The database layer is even more vulnerable and less protected than the operating system. Most commercially available RDBMS vendors claim their systems are “unbreakable” or secure, but those systems still require extensive configuration.

Most leading RDBMSs typically operate independently from the security of the operating system. Perhaps one of the most damaging attacks on a database occurs when a hacker enters a backdoor through a remote access channel and gains database-administrator-level access to the system through an attack called privilege escalation. Once the attacker makes it past the network safeguards and encounters inappropriately configured databases, a company’s data is wide open. The threat is greatest from current or former employees who know where important data reside. External attackers will use the same mechanisms, though the assault may take longer than an internal intrusion.

From an RDBMS, an intruder could use the database to gain access to a highly secure operating system and potentially compromise the security of the entire network. For example, an intruder could gain access to the operating system through an RDBMS feature called stored procedures. These procedures grant administrative-level command-line access to the operating system and full access to all of its resources.

Without trusted operating system support for mandatory security and trusted path, application-space mechanisms for database access control cannot be implemented securely. “If a malicious agent can tamper with any of the components in the access control mechanism or with inputs to the decision, then the malicious agent can subvert the control mechanism,” NSA officials warn. Targeted RDBMS solutions, such as Trusted RUBIX, developed by Infosystems Technology Incorporated, Falls Church, Virginia, leverage security both at the operating-system and database levels.

In multitier Web-based architectures, strong authentication techniques such as digital certificates as part of a public key infrastructure usually provide security. By the time an end user accesses the database, identification and authentication are presumed to have occurred. Identification and authentication issues often are inadequately addressed at the application layer, leaving backdoors into the RDBMS under the application’s anonymous global identification.

Web-based architectures are constrained by practical considerations about performing identification and authentication in the application software rather than at the operating system or the RDBMS layer. External attackers can exploit security vulnerabilities or backdoors in the application software to gain access to the RDBMS. In this case, they can access information commensurate with the privileges of the application’s anonymous global identification, for example the administrative account.

The security features of a trusted RDBMS can effectively encapsulate the application layer and limit the access that any one user has to the RDBMS resources. This access is a subset of the privileges associated with the application’s anonymous global identification, used when the application software interacts with the RDBMS. As a result, backdoors and data access errors in the application layer are closed in the trusted RDBMS layer. This moves management of the system security policy to the policy’s administrator rather than leaving it to the joint management of the software developers.
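The sensitivity-label check described in the trusted-path paragraph above, and the point in this paragraph that an end user's access is a subset of what the application's anonymous global account could see, as one added example (not code from the article or from any product it names). The level names, compartments and rows are constructed for illustration, and the write rule goes beyond what the article states.

```python
"""Sensitivity-label checks of the kind a trusted RDBMS applies to every row.
Added illustration: level names, compartments and rows are constructed for
this example, not taken from any product the article names."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Hierarchical sensitivity levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: level at least as high and every compartment
        of the object also held by the subject. Reading requires the subject's
        label to dominate the row's label."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass(frozen=True)
class Row:
    id: int
    payload: str
    label: Label

# Constructed sample table; each row carries its own sensitivity label.
ROWS: List[Row] = [
    Row(1, "aircraft tail number", Label("UNCLASSIFIED")),
    Row(2, "fault history", Label("CONFIDENTIAL")),
    Row(3, "sensor calibration", Label("SECRET", frozenset({"MAINT"}))),
    Row(4, "mission loadout", Label("SECRET", frozenset({"OPS"}))),
]

def mandatory_read(subject: Label, rows: List[Row]) -> List[Row]:
    """Row filtering by the mandatory policy; no discretionary GRANT can widen it."""
    return [r for r in rows if subject.dominates(r.label)]

def mandatory_write_ok(subject: Label, target: Label) -> bool:
    """*-property (no write down): a session may write only rows whose label
    dominates its own, so SECRET data cannot leak into an UNCLASSIFIED row."""
    return target.dominates(subject)

def rows_visible_to(app_account: Label, end_user: Label, rows: List[Row]) -> List[Row]:
    """The application connects under one broad account (the article's 'anonymous
    global identification'), but every row is still checked against the end
    user's own label, so the result is a subset of what the account could see."""
    return [r for r in mandatory_read(app_account, rows) if end_user.dominates(r.label)]
```

Note that a TOP_SECRET session holding no compartments still cannot read the compartmented SECRET rows; the level alone is not enough.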

Government defense and intelligence agencies have been leading the way with the deployment of trusted operating systems and databases. While almost all operational systems within these organizations contain classified data, there also is an increasing requirement to be able to share such data across networks “from the White House to the foxhole,” as one Defense Department expert describes it. In addition, most future military actions will likely take place within a coalition framework, requiring secure, dynamic policy-driven data sharing among national governments.

Current multilevel security systems consist of several networks that are operated in system high mode, with various data interconnections. However, even in environments where parties have the ability to authenticate one another and thereby establish a relationship of trust, the computers of both parties are likely to be untrusted and vulnerable to attack.

The U.S. Air Force has put trusted technology to work in its F-22 Integrated Maintenance Information System (IMIS), a distributed task and decision-support system for F-22 fighter jet maintenance. By providing diagnostic data and interactive electronic technical order data, IMIS reduces the time needed to service, troubleshoot and repair aircraft systems.

The database segment of the F-22 IMIS consists of all data items allocated to the storage control facilities provided by a Trusted RUBIX database management system. Databases are defined to support specific functional requirements as well as to optimize data availability, security, integrity, decision support, query response time, transaction recovery and transaction throughput performance, Robert Hardin, system architect for the IMIS team, says.

The lessons learned by government agencies can be applied across a range of commercial networks. Strict security practices dictate that network information should never be the basis for user-level access control.

The National Academy of Sciences recently produced a report calling on the U.S. Congress to make it easier to punish companies that produce nonsecure software that puts businesses and consumers at risk. There would be additional criminal penalties beyond the civil liability. For example, the Health Insurance Portability and Accountability Act (HIPAA) mandates that health insurers provide appropriate security for all data that can be individually identifiable with a patient. In the financial services industry, the Gramm-Leach-Bliley Act signed into law November 1999 requires banks to safeguard customer data.

The best defense against legal action in the information technology arena is proof that management followed security best practices. The NSA is promoting a methodology for independent third-party testing of commercial information assurance technologies against commonly accepted standards. These standards are known as the International Common Criteria for Information Technology Security Evaluation. Beginning in July 2002, members of the U.S. national security community may buy only products that have been evaluated against these criteria.

The best approach to protecting data is multiple lines of defense that include a trusted operating system, a trusted database and rigorous management controls and auditing.

Joseph McKendrick is a researcher and author who specializes in data security issues.

Additional information on Infosystems Technology Incorporated is available on the World Wide Web at www.rubix.com.