
Combating the plague of insecurity
By Peter Coffee
March 1, 2000

REDMOND, Wash. -- While meeting Tuesday morning with PC Week's Corporate Partner advisory board and a team of Microsoft's Windows 2000 security engineers, I suddenly found the words to describe the fatal flaw in almost every current approach to securing our enterprise information systems.

Coincidentally, in the month just ended, the publication of an MIT PhD thesis gives us an opportunity to look at new ways of closing this enormous gap in our defenses.

Most security solutions have no power to guard against the acts of authorized users. It may seem self-evident that authorized users are the clients, not the targets, of information security technologies, but fraud and abuse are most often committed by persons authorized to access or modify data as part of their jobs.

If you've already spent, hypothetically, a million dollars protecting a system against intrusion or attack, and someone offers to double your security budget, it's far from clear that the added million dollars should go into added protection against outside threats. The unmitigated risks are more likely to lie within, but how can one reduce them?

On the Internet, information risk is a paradox. There is risk in aggregation: A person who steals 100,000 credit card numbers in a single act is a bigger problem than a person who steals a waste-basket's worth of carelessly discarded receipts. But there is also risk in isolation: A user may be able to frame a query about average salary for a group of employees, defining group criteria so that a single employee's salary can be deduced from the results -- even though the inquiring user is not supposed to have access to other individuals' information.

The fleas on the rats

It's a losing battle to attempt the containment of information risk by application- or component-focused campaigns of design review and source code audit. To do this, as I said in our meeting at Microsoft, is to try to keep track of the fleas on the rats that carry the plague of insecurity.

The owner of a system must be able to articulate policies such as, "A user may not issue a query that returns a result set (or its statistical aggregate) that includes the salary field but has only one member." Policies must be relatively few in number and automatically applied across entire populations of applications and users -- as opposed to present-day reliance on every link in every separate chain of data, application and user privilege configuration.
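The policy quoted above, enforced at a single query entry point rather than in each application, as an added example that is not from the column or from the papers it cites. The `employees` table, its rows and the `average()` helper are constructed for illustration.

```python
import sqlite3

# Constructed sample schema and rows; all names and values are illustrative.
COLUMNS = {"name", "dept", "title", "salary"}
SENSITIVE = {"salary"}   # fields the policy covers
MIN_GROUP = 2            # the column's rule: no one-member result sets


class PolicyViolation(Exception):
    """Raised when a query would expose one individual's sensitive value."""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, title TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
        ("ana", "eng", "engineer", 100000),
        ("bo", "eng", "engineer", 110000),
        ("cy", "eng", "director", 180000),
        ("di", "ops", "analyst", 70000),
    ])
    return conn


def average(conn, field, filters):
    """Return AVG(field) over rows matching filters, enforcing the policy centrally."""
    # Column names come from an allow-list; values are bound as parameters.
    if field not in COLUMNS or not set(filters) <= COLUMNS:
        raise ValueError("unknown column")
    where = " AND ".join(f"{col} = ?" for col in filters) or "1 = 1"
    params = list(filters.values())
    if field in SENSITIVE:
        # The size check is only paid for when the policy covers the field.
        (count,) = conn.execute(
            f"SELECT COUNT(*) FROM employees WHERE {where}", params).fetchone()
        if count < MIN_GROUP:
            raise PolicyViolation(f"result set has {count} member(s); minimum is {MIN_GROUP}")
    (avg,) = conn.execute(
        f"SELECT AVG({field}) FROM employees WHERE {where}", params).fetchone()
    return avg


if __name__ == "__main__":
    db = build_db()
    print(average(db, "salary", {"dept": "eng"}))  # group of three: allowed
    try:
        average(db, "salary", {"dept": "eng", "title": "director"})
    except PolicyViolation as exc:
        print("blocked:", exc)
```

A size threshold by itself does not account for one permitted aggregate being subtracted from another, so inference-control policies usually pair it with limits on query overlap or with review of query history.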

The serendipity of the Web is a wonderful thing. When I returned from the meeting where I raised this concern, I plied Google with the four-word search group, "security isolation aggregation policy." One click later, I was reading someone's trip notes on last May's IEEE Symposium on Security and Privacy, which included two promising papers: "Hardening [Off-the-Shelf] Software with Generic Software Wrappers," by employees of Trusted Information Systems Inc., and "Flexible Policy-Directed Code Safety," by MIT researchers David Evans and Andrew Twyman.

Evans and Twyman acknowledge that the Java Virtual Machine has the germ of a policy-based approach to system security, with the JVM's facilities for controlling (for example) the precise locations and operations of allowable access to a user's data files. But Java's designers "were hamstrung into providing only a limited number of checks by a design that incurs the cost of a safety check regardless of whether it matters to the policy in effect," observes Evans, who is now an assistant professor at the University of Virginia.

In his MIT doctoral thesis, Evans suggests an approach that "statically analyzes and compiles a policy." He asserts that this method "can support safety checks associated with any resource manipulation, yet the costs of a safety check are incurred only when the check is relevant."

Attacks on our information systems are more than matters of convenience, or even of business continuity. In an Off the Cuff column earlier this week, News Editor Michael Zimmerman refers to China's uneasy relationship with Taiwan and the implications for our current presidential campaign. It's worth recalling that, late last summer, those Taiwan Strait tensions expressed themselves in a bilateral campaign of Web site attacks.

Information security has become the world's concern, and new ways of approaching the job are timely contributions to making this a better world in many ways.

Are you tired of counting the fleas that carry the plague? Tell me at peter_coffee@zd.com. Off the Cuff, an online exclusive column, appears Monday, Wednesday and Friday.


This story originally appeared in

Copyright © 2001 CNET Networks, Inc. All rights reserved. ZDNet is a registered service mark of CNET Networks, Inc. ZDNet Logo is service mark of CNET Networks, Inc. Content originally published in Ziff Davis Media publications is the copyrighted property of Ziff Davis Media. Copyright © 2001 Ziff Davis Media. All rights reserved. Titles of Ziff Davis Media publications are trademarks of Ziff Davis Publishing Holdings Inc.