New Security Infrastructure. Martin Ferris. U.S. Treasury

Transcription

1 New Security Infrastructure Martin Ferris U.S. Treasury Abstract Given the need fr interrganizatinal electrnic mail systems, a security infrastructure will be needed t administrate such systems. Using the U.S. gvernment as a mde~ this paper examines plicies that establish the status qu infrastructure fr security and advcates plicy fr a new infrastructure. Intrductin What natinal plicy fr the purpse f securing Electrnic mail ( ) systems prcessing Natinal Security infrmatin best satisfies the bjectives f the Natinal Infrmatin Infrastructure (NII)? Althugh security plicy implementatin acrss the gvernment unflds thrugh a slwer, incremental prcess, the natinal plicy fr securing Executive Branch infrmatin systems cmes frm the White use (e.g. Executive Orders, Natinal Security Decisins, Office f Management and Budget Circulars). The plicy develpment mechanism fr systems that prcess natinal security infrmatin is the plitical by-prduct f the Natinal Security Telecmmunicatin and Infrmatin Systems Security Cmmittee (NSTISSC) which in NSD 42 is chartered by the Natinal Security Cuncil t develp, crdinate and prmulgate such plicy. The NSTISSC is supprted by subcmmittees and wrking grups cnsisting f Executive Branch departments. The Office f Management and Budget (OMB) prmulgates general systems security plicy fr the nn-natinal security Executive Branch departments. In bth cases, plicy is ultimately implemented n an agency-byagency basis. This analysis advcates a plicy that creates a new infrastructure fr prcessing interagency systems while using nn-natinal Security standards t prtect privacy within natinal security envirnments. The analysis als identifies differences between the security perspective and the cst and peratins perspectives. Next steps are suggested t imprve the successful acceptance and implementatin f the plicy. Backgrund The White use has created an Infrmatin Infrastructure Task Frce (IITF) t help frmulate plicies needed t accelerate the federal gvernment's implementatin f the NIL The IITF has agreed n the need fr federal emplyees t access a gvernment wide system and has cmmissined an Task Frce t recmmend gvernment-wide plicy directin. Electrnic mail is ne f the critical technlgies in the realizatin f the NIL Gvernment-wide is an underlying element f the Admlni~tratin's visin fr the NII and is an enabling technlgy t achieve many gals expressed in the administratin's Natinal Perfrmance Review (NPR) initiatives. The NPR views gvernment-wide as essential t implement President Clintn's cmmitment t " fundamentally altering and imprving the way the Federal gvernment buys gd and services, and thus ensuring that electrnic cmmerce is implemented fr apprpriate Federal purchases as quickly as pssible." There is a cncern that the IITF Task Frce's security plicy recmmendatins will be weak; serving nly as the lwer bundary fr 2

2 acceptable security. While a weak security plicy recmmendatin wuld ffer a quicker implementatin f electrnic cmmerce with less technical and administrative bstacles while, frm the perspective f thers, it will place at risk privacy and ther security-related cncerns that culd later require expensive security crrectins. Status qu infrastructure An infrastructure currently exists fr Federal Agencies t secure their sensitive infrmatin (Natinal Security r nn Natinal Security) cmmensurate with risks t the infrmatin. The infrastructure cnsists f bth administrative and technical parts. Administratively, it is left t a federal agency's discretin as t the level f security that they deem apprpriate. Each agency will cmply with natinal plicies fr managing risks (i.e. OMB Circular A-13, privacy laws, federal recrds management laws and plicies and NSTISSC issuances) thrugh the issuance f internal plicy directives and standard perating prcedures. As each agency assesses the risks t its wn peratins (e.g. cmprmise f classified infrmatin, financial fraud, unauthrized access t privacy infrmatin), the agencies decide whether security is necessary and, if s, hw much is apprpriate fr each situatin. The technical prtin f the infrastructure is realized thrugh the availability and implementatin f the technical standards (i.e. Federal Infrmatin Prcessing Standards, NSTISSC standards) fr the prtectin f the sensitive infrmatin. Systems security standards can be applied t achieve varying levels f assurance in the management f risks. igh levels f assurance wuld include the applicatin f encryptin fr strng cnfidentiality r authenticity (i.e. digital signatures) prtectin f sensitive infrmatin. igh levels f assurance typically require mre special technlgy that results in higher csts (i.e. technlgy csts and administrative csts). Bth high and lw assurances are required by the gvernment as varius agencies decide their risks and make security decisins. Analysis The technical and administrative infrastructure previusly stated is the Status Qu fr the US gvernment. As lng as infrmatin security issues are cnsidered internal agency issues, the status qu infrastructure is adequate. wever, the NII will challenge the gvernment's Status Ou infrastructure fr effectively managing risks t data privacy and integrity because the Status Ou des nt address interagency infrmatin systems and services (e.g. interagency systems). Within a gvernment-wide envirnment, the decisin whether security services are necessary and, if s, hw much and what kind is required, will nt always be at the discretin f an individual agency. Wh will chse which security standards t use? Wh will assure that the technlgy will be interperable? Wh will decide which recrds are fficial gvernment recrds? Wh will decide what level f security assurance is adequate fr the privacy prtectin requirements f different agencies? Wh will receive the interagency funding fr implementatin? Gvernment-wide demands that the gvernment, including the natinal security cmmunity, ask whether the existing infrastructure satisfactrily accmmdates interagency systems r whether plicy actin is required t either assist the existing infrastructure t change r require a new infrastructure? If a new infrastructure is decided as necessary, which US gvernment agency shuld be assigned respnsibilities t create and manage the new infrastructure? Under the Natinal Security Directive (NSD)42, the Directr Natinal Security Agency (NSA) serves as the Natinal Manager fr cmmunity infrmatin systems security issues. The Secretary f Defense is the Executive Agent fr implementing Natinal Security Directive 42. Currently, NSA and the Department f Defense (DOD) have undertaken technlgy initiatives (i.e. Defense Message System) that culd serve as the technical infrastructure fr the Natinal Security cmmunities and a practive mdel fr securing gvernment-wide . Since the NSTISSC has a charter t establish security plicy fr Natinal Security cmmunity and since Natinal Security envirnments prcess nn Natinal Security infrmatin als, an NSTISSC directin wuld assist the IITF by mre fully framing the brader security plicy recmmendatins. 21

3 The NSTISSC culd: 1. Issue security plicy t reslve the infrastructure issue fr thse systems that prcess Natinal Security infrmatin nly;, r 2. In additin t the abve, acknwledge that sme f the Natinal Security cmmunity's security requirements such as privacy and electrnic signature can be met by using nn-natinal Security (i.e. FIPS) standards. Analysis technique The abve prvides a basis fr chsing plicy alternatives fr cnsideratin by the SISS's Secure Wrking Grup. The alternatives shuld satisfy the bjective f an infrastructure that prvides the Natinal Security cmmunity with the necessary security services fr the full range f security and privacy needs; while supprting the quickest realizatin f the Nil at the lwest cst and with the least peratinal impact. The Criterin Analysis technique is chsen t identify the best security plicy alternative while cnsidering three ften cnflicting perspectives (i.e. peratins, security and OMB). The three perspectives are intended t assist in btaining a cnsensus in frmulating a secure plicy fr the Secure Wrking Grup. Plicy alternatives The fllwing are fur alternative plicy actins t be cnsidered. Their descriptins and ratinales, the criteria by which the plicy alternatives are evaluated, and their assessment scres are included. The assessment results are included as appendices. The assessment results are the prjectin f this paper's authr. ALTERNATIVE 1 - Status Qu: The current infrastructure des nt need t change. Advantages: The peratins and OMB perspectives wuld value this alternative. The OMB and peratins perspective may cnsider interagency prblems as matters that agencies can handle internally withut central gvernment interference. Disadvantages: The security perspective wuld see thi~ alternative as limiting the advancement f Emall since it des nt directly reslve interagency prblems. Frm a security perspective, this is nt practive in assuring availability f widest range f security services. ALTERNATIVE 2 - Status Ou plus Evaluatins: The infrastructure shuld remain the same but imprve the agency security decisin prcess by requiring agencies t evaluate their applicatin f security fr perfrmance and results vertime t determine intended results are achieved. Advantages: The OMB perspective wuld prefer thi.~ alternative since the it wuld facilitate a mre careful determinatin f the need fr additinal security assurances. Als, since the Gvernment Perfrmance and Results Act applies t the Natinal Security peratins, this alternative gives OMB a pilt pprtunity fr Natinal Security cmmunity implementatin. This alternative als wuld be favred by OMB and peratins because security decisins wuld be mre cautius abut implementatin f security and, cnsequently, budget expenditures fr security wuld be mre cnservative. Disadvantages: Althugh the evaluatins wuld be useful, the security perspective wuld be similar t Alternative 1 in that Alternative 2 is nt practive in assuring availability f the widest range f security services. ALTERNATIVE 3 - Infrastructure with Classified Only Fcus: The Natinal Manager is assigned respnsibility fr establishing a security infrastructure by The infrastructure wuld apply t electrnic message systems prcessing classified infrmatin nly. Advantages: This alternative establishes a new infrastructure mdel fr the gvernment as far as classified infrmatin is prcessed acrss agencies. Frm an 22

4 peratins and security perspective, this wuld prvide the mst flexible and wuld be mst respnsive t the widest range f classified security requirements. The fear f excessive cst and lss f cntrl by peratins may result in the lack f full supprt fr this alternative. Furthermre, this ptin will create faster implementatin f electrnic cmmerce fr Natinal Security envirnments (e.g. industrial security). Frm an OMB and peratins perspective, cstsavings shuld be attractive t OMB and peratins if the Natinal Security cmmunity can use DOD "s,,nk csts" in the infrastructure. Disadvantages: The time required fr the classified versins f security technlgy is lnger and the applicatin f Natinal Security standards t privacy and nn-repudiatin may be mre cmplicated than using nn-natinal Security standards. The use f Natinal Security standards wuld generate higher cst because f limited user ppulatin. ALTERNATIVE 4 - Infrastructure Fr Classified and Inclusive f nn-natinal Security standards: This ptin mdifies Alternative 3 by requiring NSA t use nn-natinal Security standards t achieve privacy bjectives. Advantages: This ptin establishes a cmprehensive new infrastructure mdel fr the gvernment t secure systems with the mst flexibility and respnsiveness t the widest range f classified and nn-natinal Security requirements. This ptin will facilitate the fastest implementatin f electrnic cmmerce, where high security assurances have been determined t be a requirement. Assumptins Agencies will cntinue t determine their wn privacy and ther applicatin security requirements. All necessary security technlgy is either currently available r available within tw years. Cryptgraphic service technlgy includes: all necessary cryptgraphic techniques fr cnfidentiality, integrity and, when cmbined with administrative prcedures, nn-repudiatin, and prtcls fr the negtiatin f the minimum security services. Fr Alternative 3, It is assumed that the Natinal Manager will accept assigned respnsibilities t prvide cryptgraphic service technlgy that can accmmdate Natinal Security standards nly. Fr Alternative 4, It is assumed that the DOD will accept assigned respnsibilities t prvide interagency classified system and serve as prvider f last resrt fr the Natinal Security cmmunity. Als, it is assumed that the Natinal Manager culd als be assigned respnsibilities t prvide cryptgraphic service technlgy that uses nn- Natinal Security standards fr the prtectin f privacy infrmatin. Criteria The fllwing is the criteria by which the Alternatives will be assessed alng with weights and ratinale fr each criterin: 1. Implement Electrnic cmmerce as quickly as pssible - Electrnic cmmerce is a majr plitical pririty f the Administratin and is given weight f 1. OMB types will want electrnic cmmerce implemented with less cntrls while security types will assume that a successful implementatin f electrnic cmmerce will be risk, withut the full range f security assurances made easily available. 2. Minimize peratinal pain - Technlgy is suppsed t make life easier. Security and evaluatins are extra wrk and tremendus resurces. This is imprtant fr pficy acceptance and quick implementatin. OMB wants electrnic cmmerce t be implemented quicy. This is given a weight f 9. 23

5 3. Ease f implementatin near term - Ease f implementatin will be quickly perceived by peratinal implementrs and is critical t acceptance f any plicy alternative by peratinal types. A weight f 8 is given fr security and peratins perspectives while a weight f 9 is given fr the OMB perspective. 4. Ease f implementatin lng term - Same as abve but fr the lng term a greater pprtunity t achieve acceptance f the plicy is pssible. A weight f 6 is given. 5. Flexibility fr additinal security - This is highly imprtant frm a security perspective. This is given a weight f 1. This is nt as imprtant t OMB r peratins perspectives where a weight f 8 is given. 6. Respnsive t widest privacy needs - This a majr administratin issue and is given a weight f Least cstly - This is imprtant t OMB but nt as imprtant t security r peratins. It is given a weight f 7 frm a security perspective while it is given a weight f 1 fr peratins and OMB perspectives. 8. Respnsive t agency budget - This is very imprtant frm a OMB perspective but nt as imprtant t security. This is given a weight f 7 fr security and peratins perspectives but frm an OMB perspective a weight f 9 is given. 9. Maximizes agency decisins - Since agency wnership f security issues is imprtant t the success f security as well as agency acceptance f a plicy, a weight f 7 is given. The OMB perspective wuld agree because this prvides best risk management decisins and assciated budget decisins. Operatins wuld value agency decisin wnership the mst f the three perspectives, where a weight f 1 is given. expected t receive strng supprt frm the OMB perspective. With thl.q understanding, the next steps wuld be t present the analysis t the Chair f the SISS with the fllwing recmmendatins; Validate reasnableness f Analysis (i.e. weights, alternatives) with the Secure Wrking Grups; Validate technical and plitical realities f all assumptins; Test the acceptability (e.g. SISS members, NSA, NIST, OMB) f having the Natinal Security cmmunity accepting nn-natinal Security standards fr privacy matters; Create a draft plicy based n Alternative 4 fr the Secure Emall Wrking Grup's review and cmment; Include the evaluatin requirement/ f Alternative 2 in the draft plicy since this has received strng supprt frm OMB and Operatinal perspectives; and Share the analysis with the IITF Task Frce fr cmment. Finally, assuming that Alternative 4 is accepted as the plicy fr securing Natinal Security Emall systems, the Natinal Manager needs t cnsider the pritizatin f the security services that wuld be ffered t best serve the users at the lwest cst. Cnclusins Frm a security perspective the analysis indicates that Alternative 4 wuld be the preferred plicy directin. Als, the analysis indicates Alternative 4 wuld be expected t receive strng supprt frm an peratins perspective. Alternative 4 is nt 24

6 D.1 O I/5 CO ~I ~D O i ~ el~ ~ I-I u~,4,-i,-i ~j ~ DA to to O ~ '~' r~ t OJ ~ ~O,,,-I i,-4 u~ e4 k4 ;U. ~J.I,-~.I 4 ~) r' 4 O E~ O ~ ~b ~ ~ -,4 ~I,'-4 -~ *,4 4J -,4 U ~ ~1 M O 4 4 -,.4 ~ -,~ O~ r..) Mi ~) ~) i,-.i ~),-4 13., ~ ~ -,'4,El -.4 -,4 -,4 ~i m O m NI -,'4 ~ ~,-4 25

7 I e~,~' ~D ~D ~D O O O ~, O I ~.!",. t ~. m t~ O O O ~--I, i-i i-4 I I ~. ~D ~,D I~ I ~ O O~ ~ e'l O 1-1 E~ U3 I ~ CO O~ O t'q t'q t~ O CO; i OO ',~ O O O ~O O '~ O~ CO e'~,~' O,-4 O ~ O'~ tc) ~ ~1 e,.4 O~ I-4 Z,-i u) O..I.a -,,4 'O G) G) m U 4-1 E~,~ ~.= =..~ I-I ~1 i O O r.l1 I~ ~i.,.4 -~ -,..4 -,-.I '13 O 1'4 ~1 ",-I "O -,"4 U G) O O G) O t~ q-~ q-i -,,-I IJ "~I El O O,~.,.4 r~ ~ r~ r~ > m :> ~ ~ D.~ -,-I KI a'j X Q) ~ ~l 26

8 L U'll I (n ~ go I O tn GO ~ ~ ~ U~ ~ ~ L~ U~ L~ ~D ~D CO ~ ~ O O ~i O O O O O O ~I O O O O O O O O~ O ~D r~ g,,=1 't ~ O~ t-i O"t = O't r~ t-i ~ 't ~ t-i ~-I O~ r ~,-I.Q -~I U~ 'O ~ ~l ~-I -,-t -,-I -~I =: ~ n:l "O >, O.lU > O', -~ ~-I '.~=.,-I -~ 4~ ~ ~ -~ X. m n' - ~ 2?