mon - am - 3 - whitlock.ppt

Gemini Dream: Can the Twins Save Our Data?

Stephen T. Whitlock
Chief Strategist, Information Security

BOEING is a trademark of Boeing Management Company. Copyright © 2008 Boeing. All rights reserved.

The Boeing Company

Setting the Scene
Boeing Technology | Information Technology Information Security

Introduction
1. The value of Information
2. Risks to Information
3. The Twins

Digital Access Management (DAM)
Standard Meta Information

• Note 1: I’m using the term DAM (Digital Access Management) to avoid use of the traditional term, DRM. The goals of DAM in this context (Limited E2E Access Control) are different from multimedia focused DRM goals (play anywhere). What we really need is E2ERM – Enterprise to Enterprise Rights Management.

• Note 2: There are many references to Dan Geer’s recent book, Economics & Strategies of Data Security – they are abbreviated as ESDS.

Stage 1: Hand Copying

• Physical object
• Unique
• Theft noticeable

Stage 1 Protection - Primitive Encryption

Nebmaatre (Amenhotep III’s Throne Name) encrypted by using -

1) A Moondisk for Ra instead of a Sundisk
2) A baboon instead of a goddess for Maat

(Scarab reading, figure labels)
i t n (sundisk)
m i w (cat)
n b (basket == lord)
h s i (vase == favored of)
n b (basket == lord)
i m n == Amon: Scarab says “Someone Favored of Amon”

Stage 2: Printing

• Physical object
• Not Unique
• Theft less noticeable, depending on number of copies

Stage 2 Information Protection

• Evolutionary from Stage 1
• Manual ciphers
• Simple mechanical devices

Stage 3: Transmission & Transmission Protection

Data is transmitted
• Virtual object
• Not Unique
• Theft unnoticeable

Protection
• Automated mechanical ciphers inserted in transmission process
• Symmetrical encryption required identical machines and settings for decryption

Stage 4: Computer Based Automation

(Timeline figure, 4A to 4E along the Time axis)

4A - Stand Alone
Single user
Minimal DATA
Creation of concept that data was a repository of value
Move DATA to the Computer

4B - Time Share
Single computer - Time independence
Data location independence
Data not only had value but lived in the care of others

4C - Distributed Client-Server
Multiple computers
Move Computing to the DATA

4D - SOA
Client-server with relaxed protocols – User defined to self describing protocols
Return of time share but DATA is everywhere

4E - Cloud Computing
Externalized SOA
DATA is trusted to third party services
Data location unknowable
Information Ephemeralization

(For definitions of 4A-4D see ESDS, p9-18)

The Value of Information

“Some day, on the corporate balance sheet, there will be an entry which reads, ‘Information,’ for in most cases the information is more valuable than the hardware which processes it.”
Adm. Grace Murray Hopper, USN 1987, ESDS p 42

“The information about the packages we ship is more valuable than the packages themselves.”
Fred Smith, Federal Express, 1990, ESDS p 43

The Value of Information Gratuitously Illustrated

New technologies will accelerate the need for federating not just identity but also access control.

SOA & Web 2.0 are really federated applications, and mashups are simply federated information.

E2E business really needs federated security services.

(Chart: Relative Value against Time, for the asset classes below)
Meta Information Assets (info about the info)
Information Assets
Information Technology Assets (hardware)
Physical Assets (factories, trucks, etc.)

Stealing Information

What makes information theft different from physical object theft:

1. Information leaves no vacuum when stolen
2. Information theft occurs at the speed of light
3. Once information is gone you can’t get it back

(paraphrased from Dan Geer)

Stealing a Bible – And Other Theft Examples

(Figure labels: Physical Representations of Information Objects; Physical Object; Digital or Information Objects)

60 Seconds Later…

(Figure labels)
Physical Representations of Information Objects: Theft easy to notice
Physical Object: Theft easy to notice
Information Objects: Theft hard to notice

Classical Information Theft

Faster than a Minox, slower than a USB Drive

(Figure labels)
Physical Representations of Information Objects: Physical Copy – Theft hard to notice
Physical Object
Information Objects: Theft hard to notice

Modern Information Theft

(Figure labels: Information Objects → Internet)

Do you know where all the physical or logical copies of your information are?

A Thief’s Perspective on Risk Versus Reward

(Table; the cell values are not in the transcript)

Columns:
• Theft Speed
• Chance Theft Will Be Noticed
• Chance Property Will Have to Be Returned
• Chance of Keeping a Copy
• Resale Value

Rows:
• Physical Objects
• Physical Information Objects
• Information Objects

An Information Centric Future of Access Controls

(Chart: Effectiveness against Time, one curve per control layer)
Network Controls
Host Controls
Data Controls

See: Dan Hitchcock, Evolution of Information Security Technologies, 2005 at http://movetheworld.wordpress.com

Protecting Information

“A rising threat requires any defensive perimeter to contract, and that statement is true for the military, it is true for the wildebeeste, and it is true for data.

A contracted perimeter for data shifts the unit of protection from networks and servers to individual data objects at their point of use.”

Dan Geer, ESDS p176-77

(Figure: nested perimeters – Network, Host, Data)

Information Protection Tools Today

• Signature
  – Content integrity
  – Origin attestation
• Encryption
  – Signature + Confidentiality
  – Appliance based encryption services
  – PGP Universal
  – Identity Based Encryption (IBE) – several vendors
• Rights Management Technology
  – Encryption + Destination & Operation Control
• Limited Technologies
  – Assured Delete (Sun Microsystems research project)
    – Cryptographic based data destruction via key management using ephemeral secret keys
  – Constructive Key Management (CKM - TecSec)
    – Very fine grained cryptographic based access control

Limitations of Encryption

• Public Key cryptography has solved the key distribution problem by creating an unsolved public key identification problem.
• With a few exceptions, cryptographic vendors provide limited scope point solutions
• A typical enterprise will have different encryption products for E-Mail, VPNs, File Encryption, Whole Disk Encryption, etc. all using different sets of keys and all leaving the information unprotected in between. This is expensive.
• Most enterprises decrypt VPN tunnels at the perimeter – or the most exposed part of their infrastructure. This is bad.
• “Data is at risk when and where it changes from at-rest to in-motion… That point-of-use, where that state change occurs, becomes the locus of your data security efforts” – Dan Geer

ISO Authorization Model

(Figure: components and the information flowing between them)
• Principal → Access Request (Request, Identity) → Access Control Enforcement Function → Resource
• Access Control Enforcement Function → Access Decision Request (Request, Identity, Attributes) → Access Control Decision Function
• Inputs to the Access Control Decision Function: Additional Principal Attributes; Resource and Environmental Decision Support Information; Rules, Identity, and Attributes Repository

Rights Management Is Access Control (Authorization)

(Figure: the authorization model with rights management components)
• Author → Constraints, Identity → RM Crypto API → RM Container → Information
• Reader → Access Request / Access Decision Response Protocol → Rights Management Service
• Rights Management Service: Access Management Decision Function; Rights, Rules, Identity, Attributes, Meta Data Repository; Decision Support Information; Additional Principal Attributes
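The rights management container of this slide and the assured-delete entry from the tools slide, worked through as an added example that is not part of the deck: a Python sketch in which a rights service holds each container's key together with the author's constraints (permitted readers and operations) and an expiry, and releases the key only to a permitted reader for a permitted operation. Once the key expires or is destroyed, every copy of the ciphertext stays unreadable, which is what "cryptographic based data destruction via key management using ephemeral secret keys" comes down to. The cipher is a standard-library keystream construction standing in for a real AEAD, and the class and function names, the container layout and the sample data are assumptions of the example.

```python
"""Added example (not from the slides): a toy rights-management container whose key
lives only in a rights service with an expiry. The cipher is SHA-256 in counter mode
with an HMAC tag, a stand-in for a real AEAD; all names here are assumptions."""
import hashlib
import hmac
import os
import time

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from key and nonce (toy stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; tampering raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class RightsService:
    """Holds each container's key with the author's constraints and an expiry.
    The key is released only to a permitted reader for a permitted operation; after
    expiry (or destroy()) the key is gone and the payload is unreadable even though
    the ciphertext still exists wherever it was copied."""

    def __init__(self, clock=time.time):
        self._entries = {}   # container id -> (key, constraints, expires_at)
        self._clock = clock  # injectable so the expiry can be exercised in tests
        self.audit = []      # (container id, reader, operation, outcome)

    def protect(self, container_id, plaintext, readers, operations, ttl_seconds):
        key = os.urandom(KEY_LEN)
        constraints = {"readers": sorted(readers), "operations": sorted(operations)}
        expires_at = self._clock() + ttl_seconds
        self._entries[container_id] = (key, constraints, expires_at)
        # Constraints travel in the clear in the header (they are not secret);
        # the payload is under a key that only the service holds.
        header = {"id": container_id, "constraints": constraints, "expires_at": expires_at}
        return {"header": header, "payload": encrypt(key, plaintext)}

    def request_key(self, container_id, reader, operation):
        entry = self._entries.get(container_id)
        if entry is None:
            outcome = "deny: key destroyed or unknown container"
        else:
            key, constraints, expires_at = entry
            if self._clock() >= expires_at:
                del self._entries[container_id]  # assured delete on expiry
                outcome = "deny: expired, key destroyed"
            elif reader not in constraints["readers"]:
                outcome = "deny: reader not permitted"
            elif operation not in constraints["operations"]:
                outcome = "deny: operation not permitted"
            else:
                outcome = "permit"
        self.audit.append((container_id, reader, operation, outcome))
        return key if outcome == "permit" else None

    def destroy(self, container_id):
        """Explicit assured delete: forget the key; the ciphertext becomes unrecoverable."""
        self._entries.pop(container_id, None)


def open_container(service, container, reader, operation):
    """Reader side: obtain the key from the service, then decrypt locally; None = denied."""
    key = service.request_key(container["header"]["id"], reader, operation)
    return None if key is None else decrypt(key, container["payload"])


def demo():
    """Constructed scenario with a controllable clock; returns the outcomes."""
    now = [1_000.0]
    service = RightsService(clock=lambda: now[0])
    box = service.protect("doc-1", b"wing spar tolerances", {"alice"}, {"view"}, 60)
    results = {
        "alice_view": open_container(service, box, "alice", "view"),
        "alice_print": open_container(service, box, "alice", "print"),
        "bob_view": open_container(service, box, "bob", "view"),
    }
    now[0] += 61  # the key's lifetime passes
    results["alice_view_after_expiry"] = open_container(service, box, "alice", "view")
    results["ciphertext_still_exists"] = len(box["payload"]) > 0
    results["audit"] = [entry[3] for entry in service.audit]
    return results
```

The point of the injectable clock is that the assured-delete property can be checked directly: after the lifetime passes the same reader, same container and same operation that succeeded a moment earlier now fail, and the audit trail records why. In a real deployment the key release protocol would also authenticate the reader and the service would hold the keys in an HSM or TPM, which is the first item of the deck's homework assignment.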

Limitations of Current Rights Management Technology

• No interoperability between vendors limits its usefulness for e-Business
• Limited object granularity
• No common information protection model
• Weak protection, dependent on operating system health and sound identity management

We need a strong, scalable, usable federated information protection capability

Attack Surface / Trust Boundary

(Figure labels)
Typical Encryption Trust Boundary
Typical Rights Management Trust Boundary
Identity Management System
RM Servers

Digital Access Management (DAM) Standardization

(Figure: the rights management model with DAM components)
• Author → Constraints, Identity → DAM Crypto API → DAM Container → Information
• Reader → DAM Protocol → Digital Access Management Service
• Digital Access Management Service: Access Management Decision Function; Rights, Rules, Identity, Attributes, Meta Data Repository; Decision Support Information; Additional Principal Attributes

Necessary Rights Management Standards

• An open, standard container for encapsulating protected information
• An open programming interface (API) that can be used to apply and query the associated rights
• An open, inherently secure protocol for communicating between consumers of DAM protected data and the server or enterprise that controls the data’s DAM attributes
• A standard, extensible set of information classifications (meta data) for information required to process the document

E2E DAM - Examples

(Figure labels)
Lead Contractor – EMC IRM
Design Subcontractor
Manufacturing Subcontractor
Customer
SharePoint, Oracle IRM
Microsoft RMS, EMC Documentum
Locally Built PEP
Manufacturing Client PEP Applet

Information Attribute Structure

(Entity-relationship figure; entities with their attributes)

INDIVIDUAL: Actor Id (FK); BEMS Id; Individual Name, etc.; Individual Country Id (FK); Individual Export Status (FK); Individual Environment (FK)
ORGANIZATION: Organization Id; Name
COUNTRY: Country Id; Country Name
CONTROL LIST: Control List Id; Control List Name; Control List Description; Country Id (FK)
CONTROL CATEGORY: Export Control Category Id; Control Category Number; Control Category Name; Control Category Description; Export Control List Id (FK)
INFORMATION OBJECT: Information Object Id; Information Object Name; Information Object Type; Owning Id (FK); Information Id (FK)
SENSITIVITY VALUE: Information Object Id (FK); Protection Dimension Id (FK); Sensitivity Value Id (FK); Sensitivity Level Assignment
INFORMATION INTERRELATIONSHIP: Parent Information Object Id (FK); Child Information Object Id (FK); Information Object Interrelationship Name; Type

Relationship labels: Is located in; Belongs to; Defines; Sanctioned by; Is citizen of; Manages; Owns; Categorizes

Access Control Decision Function

1) An Information security governance model defines information attributes, relevant principals and their attributes, and relationships to the information being protected
2) Standardized information attributes are extracted from the model and populated by directly appending to or linking to the information
3) Information attributes drive information access control decisions which enforce confidentiality and integrity
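The ISO authorization model and this attribute structure fit together, and the added example below (not code from the deck) shows how: an access control enforcement function hands each request to a decision function, which consults the repository of identity, attribute and environment information and applies rules over the slide's entities (INDIVIDUAL with country, export status and environment; INFORMATION OBJECT with its SENSITIVITY VALUEs and CONTROL CATEGORY; CONTROL LIST sanctioned by a COUNTRY; ORGANIZATION that owns the object). Entity and attribute names follow the slide; the four rules, the field values such as "licensed", and the sample principals and objects are constructed for the example and are not from the presentation.

```python
"""Added example (not from the slides): enforcement function, decision function and
attribute repository in the ISO authorization model, driven by the attributes of the
information attribute structure. Rules and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Individual:              # INDIVIDUAL: principal attributes
    actor_id: str
    organization_id: str       # "Belongs to" ORGANIZATION
    country_id: str            # "Is citizen of" COUNTRY
    export_status: str         # constructed values: "none" or "licensed"
    clearance: Dict[str, int]  # protection dimension -> highest level permitted


@dataclass
class InformationObject:       # INFORMATION OBJECT with its SENSITIVITY VALUEs
    object_id: str
    owning_id: str             # ORGANIZATION that "Owns" the object
    sensitivity: Dict[str, int]                # Protection Dimension -> Level Assignment
    control_category_id: Optional[str] = None  # CONTROL CATEGORY that "Categorizes" it


@dataclass
class Repository:              # Rules, Identity, and Attributes Repository
    individuals: Dict[str, Individual]
    objects: Dict[str, InformationObject]
    control_categories: Dict[str, str]  # category id -> Export Control List Id
    control_lists: Dict[str, str]       # control list id -> sanctioning Country Id


DECISION_LOG: List[Tuple[str, str, str, str, str]] = []  # decision support / audit trail


def decision_function(repo: Repository, actor_id: str, object_id: str,
                      operation: str, environment: str) -> Tuple[bool, str]:
    """Access Control Decision Function: returns (permit, reason)."""
    principal = repo.individuals[actor_id]
    obj = repo.objects[object_id]
    # Rule 1, confidentiality: clearance must reach every sensitivity dimension.
    for dimension, level in obj.sensitivity.items():
        if principal.clearance.get(dimension, 0) < level:
            return False, f"confidentiality: {dimension} level {level} exceeds clearance"
    # Rule 2, export control: a categorized object goes only to citizens of the
    # country that sanctions its control list, or to individuals holding a licence.
    if obj.control_category_id is not None:
        sanctioning = repo.control_lists[repo.control_categories[obj.control_category_id]]
        if principal.country_id != sanctioning and principal.export_status != "licensed":
            return False, "export control: not a citizen of the sanctioning country and not licensed"
    # Rule 3, environment (Individual Environment): above level 1 only from a managed one.
    if environment != "managed" and max(obj.sensitivity.values(), default=0) > 1:
        return False, "environment: unmanaged environment"
    # Rule 4, integrity: only the owning organization may modify.
    if operation == "modify" and principal.organization_id != obj.owning_id:
        return False, "integrity: organization does not own the object"
    return True, "permit"


def enforcement_function(repo: Repository, contents: Dict[str, bytes], actor_id: str,
                         object_id: str, operation: str, environment: str) -> Optional[bytes]:
    """Access Control Enforcement Function: releases the resource on permit, None on
    deny, and records every decision with its reason."""
    permit, reason = decision_function(repo, actor_id, object_id, operation, environment)
    DECISION_LOG.append((actor_id, object_id, operation, environment, reason))
    return contents[object_id] if permit else None


def sample_repository() -> Tuple[Repository, Dict[str, bytes]]:
    """Constructed sample data: one US-sanctioned control list, one categorized object."""
    repo = Repository(
        individuals={
            "alice": Individual("alice", "prime", "US", "none", {"confidentiality": 2}),
            "bob": Individual("bob", "design-sub", "FR", "none", {"confidentiality": 2}),
            "carol": Individual("carol", "design-sub", "FR", "licensed", {"confidentiality": 2}),
            "dave": Individual("dave", "prime", "US", "none", {"confidentiality": 1}),
        },
        objects={
            "wing-spec": InformationObject("wing-spec", "prime", {"confidentiality": 2}, "cat-9"),
            "brochure": InformationObject("brochure", "prime", {"confidentiality": 0}),
        },
        control_categories={"cat-9": "list-US"},
        control_lists={"list-US": "US"},
    )
    contents = {"wing-spec": b"spar tolerances", "brochure": b"public brochure"}
    return repo, contents
```

Because the decision function only reads attributes already attached to, or linked from, the principal and the object, the same rules apply wherever the object travels, which is the property the deck asks of a federated DAM: the subcontractor's enforcement point needs the attributes and the rules, not a copy of the lead contractor's directory.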

Ideal Meta Data Properties

• Most meta data values are automatically created when information is created
• The information creator/owner/manager has the ability to modify meta data during workflow for entire information lifecycle
• The schema structure is extensible
• The schema structure supports generic, industry, and enterprise specific tags
• The access control service can obtain and understand the meta data using standard protocols and programming interfaces

EXIF as an Information Meta Data Example

• Produced by the Japan Electronics and Information Technology Industries Association (JEITA) as CP-3451
• Image and audio tag specifications
• Not currently maintained
• Multiple, extensible tag categories with vendor specific fields
• Intersecting compatibility with the DPOF (printing) standard

(Lifecycle figure)
EXIF tag created → Photo specific meta data added → Vendor specific meta data added → Photo editor modifies meta data → DPOF meta data extracted and used in printing → Meta data saved when photo archived → Meta data deleted when photo deleted

Summary

• Information is valuable
• Information protection options supporting collaboration are limited
• The Twins
  – Current rights management shows promise… (but needs standard access control and information models)
  – Meta-Information standards are almost non-existent

Homework Assignment

1. Start the DAM trust chain with a protected private key
  • Smart Card
  • TPM (Trusted Platform Module)
2. Create and publish DAM standards:
  • Information container
  • Programming interfaces
  • Rights management protocols
3. Create an E2E information meta model that is
  • Usable and scalable
  • Supports collaboration
  • Follows entire information workflow life cycle


Copyright © 2007 Boeing. All rights reserved.