The Future of Information Security Is Context Aware and Adaptive

Transcription

1 The Future of Information Security Is Context Aware and Adaptive Gartner RAS Core Research Note G , Neil MacDonald, 14 May 2010, RA Most of today s security infrastructure is static enforcing policies defined in advance in environments where IT infrastructure and business relationships are relatively static. This is no longer sufficient in an environment that is highly dynamic, multisourced and virtualized, and where consumer-oriented IT is increasingly used in lieu of enterprise-owned and provisioned systems. Key Findings Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made, resulting in more-accurate security decisions capable of supporting more-dynamic business and IT environments. Context information that will be relevant to security decisions is not limited to environmental context and will include context information from multiple sources. awareness, identity awareness and content awareness are all examples of the broader shift to context-aware and adaptive security infrastructures. In static IT infrastructures, ownership became a proxy for trust. This model no longer works. Every element of our enterprise computing stack needs to be treated with a degree of uncertainty and skepticism. Binary trust will be replaced with a paradigm of trustability. Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years. Recommendations Context awareness helps make security an enabler, not an inhibitor, of dynamic business requirements. Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure, such as firewalls, and Web security gateway and endpoint protection platforms. Use the framework provided in this research as a way to evaluate security offerings for their capability to incorporate richer context information at the time of a security decision.

2 2 Question security vendors on their specific road maps for application, identity and content awareness, as well as the ability to incorporate other types of context information into their policy enforcement decisions. Remove hard-coded and static security policies from applications and other systems, and move them to externalized security policy enforcement points capable of consuming realtime context information. STRATEGIC PLANNING ASSUMPTION By 2015, 90% of enterprise security solutions deployed will be context aware. ANALYSIS 1.0 Context Awareness and Information Security Context is the circumstances within which something exists or happens, and that can help explain or understand it (see Acronym Key and Glossary Terms). Context-based computing uses supplemental context information to improve the computing experience at the point of consumption. Applying this to information security, context-based security is the use of supplemental information to improve security decisions at the time the decisions are made. Rapidly changing business and threat environments, as well as user demands, are stressing static security policy enforcement models. Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made, and we are already seeing signs of this transformation. security solutions are evolving to incorporate application awareness and identity awareness into their offerings. Information protection solutions are evolving to deliver content awareness., identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made. To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the point when a security decision is made. 2.0 Why Context, Why Now? Consider a layered IT stack model of the network, device, operating system (OS), application, identity, content and process as shown in Figure 1. All these layers encompass physical or logical entities (objects) packets, machines, applications, services, users, groups, transactions and so on. Information security can be thought of as the enforcement of a series of policies (in other words, a set of security policy enforcement points) to enable action between Figure 1. Example of a Layered IT Stack Source: Gartner (May 2010) different entities in an IT stack, with the goal of protecting the confidentiality, integrity, availability, authenticity and accountability of the information and workloads being handled among them (see Figure 2). As shown in Figure 2, security decisions occur when an entity at any layer on the left side wants to take an action on an entity on the right side. For example: Can this IP address talk with this other IP address? This type of policy is traditionally enforced by network firewalling. Can this user load and run this unknown application? This type of policy is traditionally enforced by antivirus and application whitelisting software. Can this user access this content? This type of policy is traditionally enforced by access control and digital rights management mechanisms. Can this input be accepted by this application? This type of policy is traditionally enforced by application-level firewalls (such as a Web application or a database firewall) Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

3 When IT and business infrastructures are fairly static and welldefined, these security decisions are simpler, and there are fewer of them. In most cases, for the past 30 years, our organizations owned and controlled most of the entities shown in Figure 1 and Figure 2. In static IT infrastructures, ownership became a proxy for trust. Because we owned and controlled most of the pieces, information security policy enforcement points were typically only placed at the demarcation point (perimeter) between something we owned and something we didn t own (and, therefore, didn t trust). For example, we placed network firewalls where our network connected to the outside world, placed security gateways where we received outside and placed antivirus software where our systems accepted unknown executable code from the outside world. This model of trusting us (we own it, we control it) and not trusting them (they own it, they control it) and placing security policy enforcement points only where we had a handoff between us and them has worked reasonably well, but is coming under extreme pressure. This model fails in a world where we increasingly don t own all the pieces of our business and IT infrastructures. Multiple converging trends in business and IT are tearing down the silos of traditional IT infrastructure, and tearing down the traditional, well-defined boundaries of our businesses. Collectively, these six trends are driving the need for adaptive, context-based security: 1. Mobilization. Our increasingly mobile workforce requires us to support anywhere, anytime access to our systems from a variety of locations using devices that vary in their trustability, including home machines. 2. Externalization and collaboration. This is the business imperative to open our IT systems to the outside world for the purposes of collaboration. By 2015, in most enterprises, more external users will access internal systems than employees. 3. Virtualization. The decoupling and abstraction of the entire IT stack and movement to next-generation virtualized data centers means that workloads and information will no longer be tied to specific devices and fixed IP addresses, breaking static security policies based on physical attributes. 4. Cloud computing. The shift to cloud-based computing resources means that we no longer own or control the infrastructure or applications that hold and process our workloads and information. 5. Consumerization. The increasing use of technology designed for consumers (devices and applications) in the enterprise requires that we now allow a wide variety of devices, not all of which are owned by the enterprise, to connect to our systems (e.g., smartphones and USB memory sticks), and users that demand access a wider variety of consumer applications (e.g., Facebook). 3 Figure 2. Example Information Security Decisions Among Entities Can this entity take this action Examples: Open Read Write Communicate with Execute Copy Print Paste Attach to Insert inside of Mount Migrate Start Stop Archive Recover on this entity? Source: Gartner (May 2010)

4 4 6. Industrialization of hackers. The shift from mass to targeted attacks requires a shift in protection strategies where we have less trust of internal users and systems, either as a result of a compromised insider or a targeted attack launched from a one of our own internal systems that has been compromised. 3.0 Real-Time Context Leads to Measures of Trustability The six trends identified here will collectively force a shift to contextbased, adaptive security infrastructure. Instead of binary and static yes/no, us/them decisions that we can anticipate and define in advance, security decisions in emerging computing and business environments are not as clearly defined and not known in advance. Traditional approaches of whitelisting (allow known good, block everything else) and blacklisting (block known bad, allow everything else) assume we have excellent, high assurance information as to what is trusted and what is not. This is no longer the case. Every element of our computing stack will need to be treated with a degree of uncertainty and skepticism. Security decisions that were largely black and white, and where policies were set statically in advance, become decisions with a multitude of shades of gray made dynamically at the time the request is made. Instead of perceived absolute trust (which we never really had), we will shift to a paradigm that embraces variable levels of trustability adaptive and context-aware security policy enforcement mechanisms that help us answer the real question: Do I have enough trust in the entities involved to take the requested action at my current level of risk tolerance and given the current context to allow the action to take place? For example, This user wants to execute this financial transaction should this be allowed or not? Adaptive and context-aware security infrastructure would look at the context of the request before allowing or denying the request. Is the device trustable? Is the network connection trustable? Where is the device currently located? When was the last access? How strong was the authentication credential used? What time of day is it? Does the transaction requested fall within historical patterns of being normal? To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made. This is the heart of adaptive and context-aware security. 4.0 Types of Context That Are Relevant to Security Decisions Today, context-aware computing is most commonly associated with the use of environmental context information (such as location and time of day) to improve computing experiences. In a simple security example, a sensitive application could be restricted for use from only within an enterprise s physical location and only during working hours. In Figure 3, we have extended Figure 2 to include environmental context information. However, in Gartner s definition of context-based computing, there is no restriction that environmental information be the only type of information that can be used to improve the computing experience. An Information Model for Context-Enriched Services maps out a four-layer model for different types of context information that provides a more detailed framework for this information. There are many types of contextual information that can be used at the point of the security decision to improve the security decision. In addition to the community and environmental context from Gartner s context information model, any of the layers shown in Figure 3 can provide additional context for improved security decisions. Table 1 contains some examples. All these layers environmental, community, process, content, identity, application, OS, device and network can provide useful context to real-time security decisions being made at the layers below them. For example, identity-level and application-level information can provide additional context to a network-level firewalling decision. Content-level information can provide additional context to a decision as to whether a document should be allowed to be ed. Indeed, there are multiple real-world examples of the shift to the incorporation of context information in security decisions. 5.0 Examples of Context-Aware, Adaptive Security Infrastructure Today We are seeing a shift to context-aware, adaptive security infrastructure across all areas of information security today. -level firewalls have been among the first to be transformed. Being lower in the stack, they are the most affected by the six trends identified in this research. As workers become more mobile, as businesses open up to collaborate, as computing shifts to the Web and cloud-based computing models, and as workloads are virtualized, traditional security policies based on static device and network-level attributes (such as port number or IP address) are increasingly ineffective. In Defining the Next- Generation Firewall, we highlight the importance of application awareness (incorporating context information from the next context layer up, as shown in Table 1) as a key requirement of a nextgeneration firewall. In Introducing the -Aware, we highlight the importance of incorporating identity information into next-generation network adaptive security infrastructures (such as the TrustSec Initiative from Cisco). There are many other examples of the shift to adaptive security infrastructure throughout information security infrastructure: and Access Management Authentication is incorporating more real-time context at the point of the authentication decision, such as requiring stronger authentication when the context of the transaction indicates unusual behavior. Interestingly, in another example of the consumerization of enterprise IT, many of these techniques were pioneered many years ago to support consumer payment transactions (for example, store-based credit card payments or Web-based payments) where financial services institutions and other payment acceptors have little or no control over end-user devices, OSs or networks, and were forced to incorporate more context into adaptive security policy decisions to reduce fraud. Likewise, authorization decisions are also becoming more contextual with the shift to externalized authorization and entitlement management solutions that are better able to consume

5 Figure 3. Adding Environmental Context to Security Decisions 5 Can this entity take this action Examples: Open Read Write Communicate with Execute Copy Print Paste Attach to Insert inside of Mount Migrate Start Stop Archive Recover on this entity? Source: Gartner (May 2010) In this context? Environmental context examples: Location Time of day context information when policies are not statically predefined and hard-coded into applications. Organizations have also struggled with the static limitations of traditional role-based access control mechanisms, which are too static for adaptive computing environments. The move to externalize authorization enforcement and the shift to attribute-based access control, authorization-based access control (ZBAC) and claims-based access architectures highlight this shift to incorporate context information in access management decisions. Data Protection To adequately protect sensitive information throughout its life cycle and across the entire enterprise IT ecosystem, most security policy enforcement points are becoming content aware. Content-aware data loss prevention (DLP) tools enable the dynamic application of policy based on the classification of content determined at the time of an operation for example, providing security gateways the ability to identify when sensitive content is being sent via and applying the appropriate security policy (for example, allow, block, log and encrypt) based on the context, such as the information being sent and the identity and role of the person the information is being sent to. access control (NAC) Whether used on guest networks, virtual private network (VPN) access or for all network access, NAC solutions are using real-time contextual information before allowing workstations to connect to the enterprise network. For example, based on a health assessment of the device to see if it is patched, doesn t appear to be compromised and has a current version of antivirus installed and running, or based on whether the device is known and placing unknown devices onto a guest network. Intrusion prevention systems (IPSs) Rather than apply all IPS rules to all traffic flows, next-generation IPS systems are able to use real-time contextual knowledge of what version of an OS or application a workload is running and what vulnerabilities are present in the systems they are protecting (for example, Real-time Awareness (RNA)/Real-time User Awareness (RUA) integration with Sourcefire). This context improves the speed and accuracy of IPS decisions, allowing more-efficient use of processing resources, as well as reducing the chance of false positives. Endpoint protection platforms (EPPs) Faced with the increasing ineffectiveness of signature-based approaches, EPP vendors are supplementing traditional whitelisting and blacklisting models with community-based reputation services that provide real-time reputation look-up information when determining whether a given piece of executable code is trustable enough or not.

6 6 Table 1. Examples of Context Information That Might Be Relevant to a Security Decision Context Layer Environmental Community Content Example Categories at This Layer Local environment Macroenvironment Friends Family Social networks Customer facing Revenue producing Files Databases Executable content Input Organization User Group Service Transaction APIs Uniform resource identifier (URI)/URL es Threads System calls drivers Virtualization platform type Virtual machine or physical IP Address Packets Connection types Port/protocol Examples of Contextual Information at This Layer Location Prior location Proximity Time of day, month, year Time elapsed since last action Temperature Ambient lighting Relationships Patterns of uptake Presence Links Tagging Importance of the process Impact on revenue if down SLA requirements Current users of the process Sensitivity of content Trust of the content Reputation of executable code Reputation of the Known vulnerabilities Input from the collective Reputation of the user Strength of authentication Current role Team membership Clearance level Transaction amount limit Credit rating Reputation of the application Reputation of the URL Sensitivity of the transaction Amount of the transaction Historical patterns of behavior Patch level Known vulnerabilities SLA requirements Historical patterns of behavior Health of the OS Patch level Known vulnerabilities Root of trust measurements Reputation of the IP address reputation Health of the device Managed/unmanaged Enterprise owned? Storage encrypted? Strength of encryption? Accelerometer data Traffic encrypted? Strength of encryption? Historical patterns of behavior Known vulnerabilities Source: Gartner (May 2010)

7 Secure Web gateways (SWGs) Like the EPP, simple Web proxy filtering and blocking based solely on URL information is increasingly insufficient. SWGs are evolving well beyond static URL filtering to incorporate context information such as the reputation of the URL, the location and reputation of the source IP address and other information at the point of the security policy enforcement decision. These products are also becoming content aware to help monitor for data loss on outbound connections. While a few of the information security vendors have adopted the term adaptive security infrastructure, most are using the terms application awareness, identity awareness and content awareness as adaptive and context-aware security capabilities are added. Instead of being separate requirements, we believe these are all examples of an underlying architectural shift to contextaware and adaptive security infrastructure. Each independently describes the need to incorporate higher levels of context into security decisions to improve those decisions. 6.0 Looking Ahead: Context Lays the Foundation for the Shift to Adaptive Risk-Based Security Context is a foundational element for adaptive security infrastructure, but alone it is not sufficient. In a world where the entire IT stack has been decoupled, and our systems and information have been dispersed around the world on systems we don t own and don t control, attempting to predetermine all possible usage scenarios and enforce them using static, predefined security policies will simply not scale, nor provide the flexibility demanded by businesses. In dynamic business and IT environments, we cannot anticipate all needs to access systems and content. Static security infrastructure is becoming an inhibitor to dynamic business needs. Context-aware security mechanisms provide a layer of abstraction and automation of security policies that can adapt to the context of the request and the time the security decision is made. Users will have access to things they would have otherwise been restricted from using static policies where the need for them to access the information wasn t presupposed. Even becoming context aware, we cannot place a security policy enforcement point at every demarcation point between something we own and control, and something we don t. Information security budgets cannot continue to grow at a faster rate than overall IT budgets. The realities of budget and resource constraints will force us to start using differential and intelligent security protection where the risk/reward ratio is optimized. We cannot protect everything equally, nor is everything we need to protect of equal value. As information security evolves to become adaptive and context aware, our approach to risk management must change as well. Rather than deploying all security controls possible, we must shift to intelligent and adaptive placement of controls based on the context of the action being requested the importance of the process being protected, the content being handled, the trustability of the entities involved and our tolerance for risk This is often referred to as the shift to trust-based or risk-based security, and context awareness will be a key enabler. Finally, although there are examples of application, identity, and content awareness being used to context-enrich security infrastructure, process awareness is the next frontier. Here, knowledge of the context of the business process supported by the requested action will be a factor in context-aware, risk-based decision making for example, how important the process is to the revenue generation capabilities of the business or the number of people that would be affected if the process became unavailable. -awareness and context will require tighter integration with operational infrastructures, which also has the same need to support SLAs for these processes and the same fundamental requirement to provide resilient systems and information as information security does. 7

8 8 Acronym Key and Glossary Terms Context Context action Context analysis Context aware Context broker Context data Context-enriched service Context provider the circumstances within which something exists or happens, and that can help explain or understand it an action triggered in response to a change in context rules that are applied by a context broker in response to the arrival of context data, and that either deduce new context data or trigger context actions an adjective used to describe applications or services that use context a software component that collects and stores context data, deduces context, and triggers context actions raw or processed information that contributes to determining the context of a person or object a service that exploits or is enriched by context an organization that operates a context broker to provide contextual services