The Tower of Babel and The Walls of Jericho (all.net/Talks/2004-05-27-Prague.pdf, 5/27/2004)

Page 1: The Tower of Babel and The Walls of Jericho: Complexity and Simplicity in Security

All Contents © 2003 Burton Group. All rights reserved.

Thursday, May 27, 2004

Fred Cohen

Principal Analyst

[email protected]

www.burtongroup.com

Page 2: Complexity and Simplicity in Security

Agenda

• The Tower of Babel
• The Walls of Jericho
• Complexity and Simplicity in Modern Enterprises
• A Perspective on the Conference


Page 4: The Tower of Babel – Genesis 11:1-9

The whole earth spoke the same language and thereby everybody was able to communicate

The people joined forces to build a tower into the heavens

God confounded their language so they could no longer talk to each other

The people were scattered all over the world; the tower was never completed

Sound familiar?

Page 5: The Tower of Babel

Protection today

• Those designing protection measures build products that don’t talk the same language

• Trying to get them to interoperate creates all sorts of complexity that becomes unmanageable

• Attempts at language unification fail for the most part – because of competitive advantage as well as many other technical reasons

• ALSO – we keep piling junk on top of junk. Without a proper foundation, this house of cards is certain to fall

This comes down to a software quality issue

• Can we make software that works reliably & securely?
• Can we do it at the complexity levels we are approaching?

Page 6: The Tower of Babel

The Simplicity Principle (GASSP): “Information security professionals should favor small and simple safeguards over large and complex safeguards.”

• The simplicity principle was lost in the new GAISP!!!
• Simple safeguards can be thoroughly understood and tested
• Vulnerabilities can be more easily detected
• Small, simple safeguards are easier to protect than large, complex ones
• It is easier to gain user acceptance of a small, simple safeguard than a large, complex safeguard

Page 7: Complexity and Simplicity in Security

Agenda

• The Tower of Babel
• The Walls of Jericho
• Complexity and Simplicity in Modern Enterprises
• A Perspective on the Conference

Page 8: The Walls of Jericho – Joshua 6

Canaanites on the inside, Hebrews around the perimeter

• Only Rahab the innkeeper’s house was not destroyed
• An insider who hid the Hebrew emissaries

Sound familiar?

Page 9: Jericho continued

80% of losses involve insiders

• This figure changes a bit from year to year
• Insider and outsider are now more blurred
• Losses ≠ incidents

The hard outer shell and the gooey center

• Jericho was protected only by a wall with guards
• No forces in front of the wall
• No internal fortifications

Historical note:

• Fixed fortification perimeter defenses undermined
• Current explanation: earthquake… but who knows

Page 10: Complexity and Simplicity in Security

Agenda

• The Tower of Babel
• The Walls of Jericho
• Complexity and Simplicity in Modern Enterprises
• A Perspective on the Conference

Page 11: Complexity and Simplicity

Complexity issues

Effective information protection has always been limited by complexity – too complex and it fails

• This led to the ‘simplicity principle’
• Recently abandoned - leading to widespread failures
• Still ineffective against insiders and lacks redundancy

But big organizations perceive a need for complex controls

• Because they have complex infrastructures
• Because of high cost and lack of expertise
• Because of the need for compliance that changes
• Because non-centralized implementations do not support controls homogeneously

Is this a house of cards?

Page 12: Complexity and Simplicity

Simplicity Issues

Simple defenses have always worked well

• Except against insiders
• They are easier to manage locally
• They are easier to verify
• They tend to work for a long time
• They are easily understood and analyzed

But they have failings

• They are usually easily undermined by insiders
• They tend to lack redundancy
• But so are complex defenses!!!

Can we do it more simply and still have it work?

Page 13: Complexity and Simplicity

It’s all about balance

Occam’s Razor, Einstein’s comment

• As simple as it can be
• and no simpler

Occam and Einstein were right

Regulatory compliance and change management are key

• If you can’t meet regulatory requirements you lose
• If you can’t handle infrastructure-wide changes, you lose
• Cost drivers are getting extreme

Bloat

• Most SW has bloat
• Much SW is mostly bloat
• Excel’s Flight Simulator
• Bloat also creates holes

Redundancy

• If properly implemented…
• Assures against weakness
• Reduces impact of failures
• Increases administration

Insiders still a problem

• None of these adequately address the insider issues
• Redundancy has potential

Page 14: Complexity and Simplicity

Can the industry build

• High assurance complex infrastructures
• That support complex, changing, integrated protection

• Answer: We don’t really know yet
• IBM, CA, others trying to implement aggregated control from policy to fine grained access control
• And making some progress
• Large scale is necessary to both drive and do development
• Very substantial investment is required to change over
• Central control produces enormous exposures
• Significant conversion costs

Page 15: Complexity and Simplicity

Some things seem clear

• Very few contenders for it
• Once it is built, it may become far less expensive through economy of scale
• Higher consequences lead to increased assurance requirement
• Higher consequences and higher volume may lead to higher quality
• Conversion and upkeep costs are non-trivial

Can we reach the volume needed to make it work well?

Will we invest in it?

Page 16: Complexity and Simplicity

Can simple solutions work in complex enterprises?

• Can we devise simple solutions to complex problems?
  • I think we can in some cases
• Are we asking too much of information protection?
  • I think we are asking more than it can currently handle
• Will the load become so high that it cannot be handled?
  • It already is far beyond what we can handle perfectly, but perfection should not be our objective
• When will all the complexity end in favor of a small number of higher quality simple protection measures?
  • Not when, but under what circumstances
  • Driven by risk, not by time!

Page 17: Complexity and Simplicity

It’s all about risk management

• Enterprises believe, for example, that when you order a toaster over the web, your order should automatically and instantaneously increase aluminum production

• In order to do this, they make it possible for an error in your toaster order to have a dramatic effect on the global aluminum markets

• As long as the risk of an aluminum collapse is justified by the desire to link your toaster order to production, this is how it will work

• The question is: Do the risk managers understand that this is the implication of these decisions?

Page 18: Complexity and Simplicity in Security

Agenda

• The Tower of Babel
• The Walls of Jericho
• Complexity and Simplicity in Modern Enterprises
• A Perspective on the Conference

Page 19: Conference Perspective

Is this identity management thing really too complex to do well?

Page 20: Conference Perspective

Or is this an issue of making better languages and standards?

Page 21: Conference Perspective

If we get systematic, can we do identity administration right?

Page 22: Conference Perspective

Does the VEN (Virtual Enterprise Network) simplify to where we can manage the issues?

Page 23: Conference Perspective

Is an 11-element infrastructure too hard to handle?

[Figure: XACML (eXtensible Access Control Markup Language) Access Policy Enforcement Model]

Page 24: Conference Perspective

• Enterprise architecture
• Regulatory compliance
• Provisioning
• Privacy management
• Roles and Rules
• Federation
• Scalability
• Middleware
• Data centers
• Perimeter protection
• Next-generation anything
• Distributed security
• IP telephony

Page 25: Conference Perspective

We are at a crossroads

• Will we really abandon simplicity?
• Can we handle the complexity?
• Do we have a choice?
• Will we centralize or distribute?
  • Policy?
    • Jurisdiction issues, federation issues
    • Brittleness and risks of central controls
  • Controls?
    • The gooey center?
    • How do we deal with insiders?

Page 26: Conference Perspective

Complexity of mechanisms forces us to consider

• How trustworthy can we make these complex mechanisms?
• How is innovation stifled by these controls?
• Will we cede control to vendor parochialism?

Software quality is the key issue

• We are building towers of Babel
• If we don’t get a lot better at software it will collapse
• Attackers are well aware of complexity exploits
• To succeed in this direction we will need
  • Some dramatic changes in the way we do software
  • Standardized requirements for safety in interoperability

Page 27: Complexity and Simplicity in Security

Conclusions

• Beware complexity
• Loose vs. tight coupling – polyarchy
• As simple as possible - but no simpler
• Go with standards-based solutions
• Achieve clarity through models
• Understand the tradeoff between
  • Efficiency and effectiveness
  • Simplicity and complexity
  • Centralization and distribution
• Over time, simplicity wins out, and then it gets complicated
• If none of these work, fire all the insiders

Page 28: Complexity and Simplicity in Security

References

• Burton’s Directory and Security Strategies
• “Securing the Virtual Enterprise Network: Layered Defenses, Coordinated Policies”
• “Disappearing Security and the Disappearing Perimeter”
• “Directory and Security Strategies Reference Architecture”
• “Risk Management: Concepts and Frameworks”