Chris Hoff, a friend of ours, apparently had a really slick demo of Vista last week and a heavy encounter with our compatriots at the Jericho Forum. He’s written an interesting if not excellent article on the death of network security.
He, like myself and many others, sees a gradual move back to a centralized host-based computing architecture. Not as rapidly as Sun Microsystems circa 1999 would have liked it, but we’re getting there. Back then Sun was way ahead of their time. I remember the first time I saw a Sun Ray. My (former) start up had just been gobbled up by Sun. Now I was the only person who left Sun after the transition, and so missed out on all the new cool Sun investment. The Sun Rays were among the coolest of the new money hardware. If you’ve never seen a demo, there’s this smart card that carries your credentials, allowing you to access your personal desktop as you freely move from thin client to thin client. There is no boot or awake from hypersleep, just *poof* you’re at a terminal doing your job, as your credentials link you to a hosted desktop on a VM at a centralized locale. It’s very, very cool.
It sounds like in his latest encounter with Vista, Microsoft has something somewhat similarly transparent and easy for establishing trust built into Vista. What turned Chris on, and what I have got to see, or not be able to see as the case may be, is:
(a Microsoft rep) …established connectivity and his machine reached out to a reachable read-only DC (after auth. and with encryption) which allowed him to transparently resolve “internal” vs. “external” resources… …in his words “it just works.”
This “transparent, collaborative and secure functionality” is very cool. However, it and reminiscing about those Sun Rays got me to thinking that the host should be dead, too. Or at least dead to the security architect.
IT’S ALL ABOUT CIRCLES OF TRUST
Back before Web 2.0 and “Socialization” were the new buzzwords, my friend Brent told me that the future was going to be all about establishing and maintaining circles of trust. Now he was saying this based on the death of Napster and the rise of the Spanish Inquisition (er, the RIAA). Not a groundbreaking thought (Alice and Bob have been around for ages now) but at the time his thoughts certainly had a new relevancy and a new perspective. And the more I think about risk and the role of Information Risk Management, the more I think he’s right on a much larger scale, too.
In the past, for various reasons, we’ve focused on the host. We’ve also, as Chris Hoff says, tried and failed to make the Network our OS. However, the current drive towards making the client a secure little box (see Chris’ new love for Microsoft) with as few services as possible, identity management, and federated application services on servers somewhere should make it easier to build secure “Circles of Trust”.
ENTER THE SECURITY ARCHITECT
So here’s the key role of the security architect - marry the Circles of Trust we create with the business processes involved. I tend to believe that effective risk and security models revolve not around discrete assets but around an object oriented approach to all influencers/stakeholders (human and technological) and how they inter-relate in a business function/process. So now we can worry strictly about the business process and how best to secure it (via a Circle of Trust) rather than “the network”. It’s a very tested concept - taking a monumental task (securing a big honkin’ network) and breaking it down into manageable chunks (securing discrete processes).
This is deceptively simple. The Security/Enterprise Architect has their work cut out for them. Why? Because most of us have no idea where to start. Process maps are amazingly difficult to develop. To explain what I mean here, let me offer a Business Impact Analysis I’ve recently worked on. Now the BIA methodology we use is much more comprehensive than most others out there. We actually try to get every department to list their processes. This can be overwhelming. For example, if you were to create a process map in Visio for our mid-sized client, their accounting processes alone, made into little boxes stacked side to side, create a document 26 pages wide. The good news, however, is that centralized computing makes linking their critical processes to critical applications/hardware much easier. We’ve found that 80% of their processes use 20% of their applications. Their most critical application, for example, is utilized by 18 different departments for 90(ish) distinct critical business processes.
This makes measuring impact (or risk) for processes using that application/server object much easier, as we have the same basic Threat Event Frequency (TEF), Control Strength, and Probable Loss Magnitude for that application object to be used across the board in analysis. And modern science, using the power of space-age computers, can work to automate and store the analysis function. So thanks to a good taxonomy for risk, and centralized computing, creating and analyzing the circles of trust for our business gets simpler. “Simple but effective” is not just good, it’s better.
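To show the reuse the last two paragraphs describe, here is an added example (not the author’s tooling): a constructed process map of (department, process, application) triples, with TEF, Control Strength and Probable Loss Magnitude attached once to each application object and inherited by every process that uses it. The loss derivation (LEF = TEF × vulnerability, vulnerability = 1 − control strength, annual loss = LEF × PLM) is a simplifying assumption of mine, not something stated on this page.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AppObject:
    """Risk factors carried once per application/server object."""
    name: str
    tef: float               # threat event frequency, events per year
    control_strength: float  # 0..1, share of threat events the controls resist
    plm: float               # probable loss magnitude per loss event, dollars

    def annual_loss(self) -> float:
        # Assumed derivation: LEF = TEF * (1 - control strength); loss = LEF * PLM
        return self.tef * (1.0 - self.control_strength) * self.plm


# Constructed sample process map: (department, process, application)
PROCESS_MAP = [
    ("Accounting", "Accounts payable", "ERP"),
    ("Accounting", "Payroll", "ERP"),
    ("Accounting", "Expense reports", "ERP"),
    ("Sales", "Order entry", "ERP"),
    ("Sales", "Quote generation", "CRM"),
    ("Support", "Ticket triage", "CRM"),
    ("HR", "Onboarding", "ERP"),
    ("HR", "Benefits enrollment", "HRIS"),
]

# Constructed factor values; each object is analyzed exactly once
APPS = {
    "ERP": AppObject("ERP", tef=4.0, control_strength=0.75, plm=50_000),
    "CRM": AppObject("CRM", tef=2.0, control_strength=0.5, plm=20_000),
    "HRIS": AppObject("HRIS", tef=1.0, control_strength=0.75, plm=32_000),
}


def process_coverage(process_map):
    """Distinct processes per application, most-used first (the 80/20 view)."""
    users = defaultdict(set)
    for dept, proc, app in process_map:
        users[app].add((dept, proc))
    return sorted(((app, len(p)) for app, p in users.items()), key=lambda x: -x[1])


def risk_by_process(process_map, apps):
    """Each process inherits the annual loss of the application objects it uses."""
    per_process = defaultdict(float)
    for dept, proc, app in process_map:
        per_process[(dept, proc)] += apps[app].annual_loss()
    return dict(per_process)


def risk_by_department(process_map, apps):
    """Roll process-level loss up to the department that owns the process."""
    totals = Counter()
    for (dept, _), loss in risk_by_process(process_map, apps).items():
        totals[dept] += loss
    return dict(totals)
```

Changing one factor on the ERP object (say, a stronger control) re-prices all five ERP-backed processes at once, which is the whole point of analyzing the shared object rather than each process in isolation.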
The most important outcome of switching to a business process centric view is that we don’t have to worry about Risk, Security, and the Business being at odds, as some suggest they are. They become inseparable - and that might just save our backsides from a future I don’t want to live in.
HOW THIS MIGHT JUST SAVE THE FUTURE
I think it’s important to note that this perspective is in direct contrast to the doom and gloom being spread about the future of Information Risk Management these days. If Marcus Ranum and nCircle (see this article) are correct in their prognostication, the future of IRM and Information Security is an exaggerated audit and hard skills dichotomy. Analysts become checklist based auditors - implementing the standardized (read lobotomized) risk tolerance of someone else far away in either a government building or ivory tower to their unique and distinct business and network, resigning us to an unforgiving cycle of hoping the bureaucrats can think faster than cyber-criminals. Yeah, my money is on the bad guys, too. Worse yet, we’re supposed to think that it’s OK because “compliance” lets us transfer risk to somewhere else (presumably the legal system) and transfer loss to someone else (the consumer).
By tying risk and security to the circles of trust we architect for business processes, however, we can make checklist compliance somewhat irrelevant. Oh, there will still be some best practice standard for desktop configuration, server configuration, and application development (and there probably should be for the latter at this point; checklist paternalism has a lot to offer that discipline), but Jericho concepts and business process based security utterly destroy the premises of most every checklist out there.
In addition, my guess is that someone real smart might be able to develop a simple taxonomy or decision tree for business processes/circles of trust and the influence various controls have on mitigating risk given a certain set of variables. Using this taxonomy and an accurate manner with which to express risk for the process should give the analyst all the quantitative ammunition they need to persuade all but the most mindless of auditors.
But that’s just a guess.
Tags: compliance, information risk, risk management, information security, governance, enterprise architecture (via RiskAnalys.is)
May 29, 2007, 8:23am