Design for securability Applying engineering principles to the design of security architectures

Transcription

1 Design fr securability Applying engineering principles t the design f security architectures Amund Hunstad Phne number: Fax: amund@fi.se Jnas Hallberg Phne number: jnhal@fi.se Swedish Defence Research Agency DEPARTMENT OF SYSTEMS ANALYSIS AND IT-SECURITY P.O. BOX 1165, SE LINKÖPING, SWEDEN POC: Amund Hunstad Design fr securability is an apprach t btain distributed infrmatin systems pssible t secure during peratin. T achieve this, three steps have t be supprted in the design f these distributed systems. Firstly, the interactins and relatins between the system and its envirnment have t be captured. Secndly, a set f security requirements n the system has t be frmulated. Thirdly, the set f requirements has t be implemented in the system. This psitin paper fcus n the third step which requires system mdels and design methds and tls. An ACSA - WAEPSSD 2002 Psitin Paper Page 1/8

2 Intrductin There are many prblems inherent with the launch and patch apprach t security. Als the mre careful apprach f using red teams/tiger teams rather than waiting fr things t break, has its limitatins and drawbacks (Gula, 1999), (Schudel & Wd, 2000). The use f vastly distributed infrmatin systems will drastically increase the risks assciated with security breaches (Schneier, 2001). Thus, the need t get it right frm the start shuld be a crnerstne in all future system develpment. Unfrtunately, systems will always cntain flaws. Thus, risk management becmes a necessity and t get it right frm the start means building systems able t handle failing cmpnents and unexpected events. This creates new demands n the ability t cmprehend vastly distributed systems and t understand the effects f events in these systems. Design fr securability, ur apprach t applying engineering principles t system security design, can be described as: integrating knwledge f the system and its envirnment and being based n the imprtance f mutual trust between system wner and peratrs and in system and rganizatin, requirements engineering, systems mdeling, methds and tls fr design supprt and finally hw risk management may be eased by such a design apprach. Engineering principles and security architectures Realizing the fact that n system can be designed t be secure, but can include the necessary prerequisites t be secured during peratin; the aim is design fr securability. The characteristics aspired f such a system vary frm case t case and is influenced by factrs such as time, cst, thrughput and risks. Thus, requirements engineering, as described in (Smmerville & Sawyer, 1997), becmes an imprtant tl fr the security engineer. There are ther reasns t use requirements engineering in the system develpment prcess. The An ACSA - WAEPSSD 2002 Psitin Paper Page 2/8

3 main benefit is the ability t decide which system functins are required and thus, decrease the ttal number f functins and number f flaws in the system. Firstly, the interactins and relatins between the system and its envirnment have t be captured. This usually results in a cmplex structure, as illustrated by Figure 1, in which trust is a central cmpnent. Trust relies n peratins perfrmed by peratrs, by infrmatin systems and n peratins perfrmed within an rganizatinal cntext. System wner Trust Security implicatin Distributed infrmatin system Human-system interactin Actins Operatr Trust Organizatinal cntext Figure 1: The relatins between a system, the rganizatin, peratrs and the system wner. At the tp level, the system wner s trust in the system relies n the perfrmance f the infrmatin system and n different actins taken by peratrs. The peratr s trust is mre directly related t the perfrmance f the infrmatin system and especially the way the system s perfrmance is experienced thrugh the human-system interactin. Actins taken by an peratr has security implicatins within the infrmatin system and the way this makes the system perfrm influences the peratr s trust r pssibly lack f trust. The actins taken by the peratr and the functins f the infrmatin system is als set within an rganizatinal cntext, which als has an impact n trust. As an example, a plicy regarding backup f data is wrthless, if yu have n rutines t implement the plicy. Secndly, a set f requirements n the system has t be frmulated. Frm this set securityrelevant requirements can be extracted, as illustrated by Figure 2. Starting with a textual descriptin f the system requirements, the general system requirements are refined int statements cncerning security. These are thereafter validated and checked fr cnsistency. Thrugh this prcess f requirements engineering, security related issues are integrated at an An ACSA - WAEPSSD 2002 Psitin Paper Page 3/8

4 early stage f the system develpment. This is in cntrast t what ften happens with add-n security at a late stage, perhaps even after the rest f the system develpment is ver. Textual descriptin f system requirements Security-related statements Validated security-related statements Cnsistent security-related statements Figure 2: The prcess f frmulating a set f cnsistent security related statements frm a textual descriptin f system requirements. Thirdly, the set f requirements has t be implemented in the system. This is a cmplex prcess that has t extend thrughut the lifetime f the system. Ideally, there wuld be a well-frmulated prcess extending frm the set f requirements t the implemented system, and als facilitating and enhancing risk management f the implemented system. Hwever, this demands, n tp f the task t design an efficient security architecture, the slutin f all traditinal system develpment issues. Therefre, at this pint, the frmulatin f a framewrk fr design and evaluatin f security architectures, based n a system implemented at sme level f abstractin, wuld be a great step frward. Such a framewrk has t be based n the ability t efficiently mdel the studied systems. Thus, systems mdeling and the design framewrk are discussed in the fllwing sectin. Systems mdeling and design framewrk The designers ability t mdel distributed infrmatin systems is essential fr the cmprehensin and assessment f the crrespnding systems and design decisins. Furthermre, design tls have t supprt such an ability. Thus, an efficient mdeling technique is a prerequisite fr the design f distributed infrmatin systems. The purpse f system mdels is t create a ntin where system requirements and characteristics meet. System mdels can be built befre the system actually has been implemented (design mdels) r fr a present system (analysis mdels). As a first step, these system mdels will enable designers t reasn abut the mdeled systems even befre any design methds have been implemented. An ACSA - WAEPSSD 2002 Psitin Paper Page 4/8

5 T efficiently mdel systems, system characteristics have t be extracted bth frm high-level descriptins f the system and frm mdels f system cmpnents, as illustrated by Figure 3. Mrever, the mdels have t be able t capture the system requirements. This is essential in rder t be able t verify, validate, r assess system requirements and alternative implementtatins. Systembeskriv requirements ningar System descriptin System mdel System cmpnents Figure 3: A system mdel has t capture bth the requirements put n a system and its characteristics (frm high-level descriptins and cmpnent mdels). T build the system mdels a mdeling technique is required. An adequate mdeling technique has t fulfill design prcess requirements and enable the capturing f securityrelevant system characteristics. Thus, the frmulatin f an adequate mdeling technique requires knwledge f the security-relevant system characteristics that have t be captured in rder t efficiently design a security architecture. Cnsequently, a set f security-relevant system characteristics is needed fr tw imprtant tasks: t assess the security f a system and t frmulate an apprpriate mdeling technique. It is imprtant t realize that this results in a strng influence n the mechanisms t be included in a mdeling technique, e.g. mechanisms t capture system structure r data flw. Still, a mdeling technique can hpefully be frmulated is such a way that the demands f a dynamic set f security-relevant system characteristics will nt require redesign f the mdeling technique. A cnclusin is that the mdeling technique has t be flexible and expressive. T be able t enumerate imprtant security-relevant system characteristics, a tree structure with the three rts cnfidentiality, integrity, and availability (CIA) can be used. The tree structure is extended by detecting which security characteristics are descendants f C, I, and A respectively, as illustrated by Figure 4. An effrt alng these lines, resulting in a structure with 55 distinct characteristics, is presented in (Stjerneby, 2002). The quest fr a set f security-relevant system characteristics enabling exact assessments f the security level f a system is indeed a difficult task, as discussed at the ISSRR wrkshp 2001 (ACSA, 2002). Still, a set as detailed as pssible will supprt the frmulatin f adequate mdeling An ACSA - WAEPSSD 2002 Psitin Paper Page 5/8

6 techniques and the mdels created with this mdeling technique will enhance the awareness and assessment f security-relevant issues. Cnfidentiality Integrity Availability Figure 4: Security characteristics in a tree structure. Figure 5 illustrates the cncept f a framewrk fr assessment and mdificatin f system descriptins. System requirements, high-level descriptins, and cmpnent descriptins are used t build system mdels. The system mdels are analyzed and mdified using design methds and tls. Finally, the result is fed back t the system descriptins and requirements. The number f ways this prcess can be perfrmed with a mix f manual wrk and autmatic tls is infinite. Hwever, even assuming all analysis, mdificatins, and feedback t be manual, a systematic design prcess facilitated by system mdels wuld enable the security engineer t validate the requirements specified fr the system. T build cmprehensible mdels capturing all the necessary infrmatin, an expressive mdeling technique supprting hierarchies (abstractin) and several different views f a system is required. Using a standardized mdeling language has several advantages, e.g. utilizatin f all the wrk put int the frmulatin f the language, the pssibility f designers already being familiar with the language, and the pssibility t use tls develped accrding t the standard. Cnsidering the requirements n the mdeling technique and the advantages f using a standardized language, the unified mdeling language (UML) is a strng candidate as a base fr the aspired mdeling technique. UML is biased twards bject riented sftware develpment. Hwever, it cntains diagrams fr mdeling f the structure f a system, althugh these mechanisms are rarely used (Akehurst & Waters, 1999). The diversity f UML pens the pssibility t create mdeling techniques fr a number f mdels and mdel views supprting the use f engineering principles thrugh the whle (security architecture) design prcess, enabling design fr securability. An ACSA - WAEPSSD 2002 Psitin Paper Page 6/8

7 Security analysis Mdel mdificatin Systembeskriv requirements ningar System descriptin System mdel System cmpnents Figure 5: A framewrk fr analysis and mdificatin f system mdels. Cnclusins There is a need t frmulate methds cvering the chain f develpment steps frm mapping the structure f a system and its envirnment, via the requirements engineering prcess, t the design f security architectures. Systematic design f security architectures requires pwerful mdeling techniques and design methds and tls. The prcess is called design fr securability since a system cannt be designed secure. Even thugh the feasibility f creating a set f security-relevant system characteristics is an pen questin, we believe that system mdels enabling designers and design tls t assess and mdify current and future systems are viable. The frmulatin f the crrespnding mdeling techniques is greatly imprved by the presence f sets f security-relevant system characteristics. Reference ACSA (2002). Prc. Wrkshp n Infrmatin Security System Scring and Ranking. Applied Cmputer Security Assciates. Akehurst, D. & Waters, A. (1999). UML specificatin f distributed system envirnments. Technical Reprt : Cmputing Labratry, University f Kent at Canterbury. UK. Gula, R. (1999). Bradening the scpe pf penetratin-testing techniques - The Tp 14 Things Yur Ethical Hackers-fr-Hire Didn t Test., Schneier, B. (2000). Secrets & Lies Digital Security in a Netwrked Wrld, Jhn Wiley & Sns. An ACSA - WAEPSSD 2002 Psitin Paper Page 7/8

8 [Schudel,Wd00] G. Schudel and B. Wd, Adversary Wrk Factr as a Metric fr Infrmatin Assurance, Prceedings f the New Security Paradigms Wrkshp, Crk, Ireland, Sep , Smmerville, I. & Sawyer, P. (1997). Requirements engineering: a gd practice guide. Chichester: Wiley. Stjerneby, A. (2002). Identificatin f security relevant characteristics in distributed infrmatin systems. Master s Thesis. Linköping University. An ACSA - WAEPSSD 2002 Psitin Paper Page 8/8