New Directions in Security

Sun BluePrint: Designing an Adaptive Security Architecture

Wednesday Dec 03, 2008

Hot off the press, check out the new Sun BluePrints article titled Designing an Adaptive Security Architecture by Joel Weise

Abstract

Security threats can reduce the functionality, performance, availability, and integrity of IT systems. These systemic qualities are critical — so much so that they are typically instantiated formally into Service Level Agreements (SLAs). In IT environments, the desire is to reduce potential security threats at least to the degree by which SLAs can be satisfied. This article discusses the principles and characteristics of a new architectural approach — adaptive security — which is based in part on the concepts and principles of complex adaptive systems.

Contents

  • Designing an Adaptive Security Architecture
  • Complex Adaptive Systems in Security Design
  • Objectives of Adaptive Security
  • An Architectural Approach Using Adaptive Security
  • Design Approach to an Adaptive Security Model
  • Summary
  • About the Author
  • References
  • Ordering Sun Documents
  • Accessing Sun Documentation Online

Adaptive Security Architecture Principles

Friday Sep 05, 2008


Abstract

Building upon the last posting, this article describes the security architectural principles that are used to guide the design, development, implementation and operation of an adaptively secure environment. Not every principle will be used in every architecture: they are guiding principles, not mandates, and their use depends on the business and technical requirements that the architecture must satisfy.


Background

Adaptive security has been designed to leverage architectural and operational principles from a variety of disciplines in order to more easily and effectively integrate security and integrity into IT infrastructures. The principles below map properties of biological and ecological systems that we consider applicable to information systems; de Castro et al. have likewise identified these as beneficial characteristics for IT systems [1]. Note how they map to service levels we are already familiar with, as well as to architectural characteristics we already use. Essentially, the goal of applying these principles is to develop systems that reduce their exposure to threats, reduce the magnitude of those threats, and improve their ability to counter them in a timely fashion.

The purpose of using these architectural principles is to develop security architectures for IT infrastructures that exhibit adaptive security characteristics. Applying them allows one to ensure that the IT infrastructure reduces threats and their impact on functionality, reliability, performance, availability, security and integrity. In addition, the principles support survivability, one of the basic tenets of adaptive security, which is defined as the ability of a system to fulfill its mission in a timely manner in the presence of attacks, failures or accidents.

A simple example of using these principles would be building a security architecture with a defense in depth strategy, which would certainly include, among other principles, diversity and resilience. The principles drive the design of the strategy and can be implemented using various techniques. Diversity could be implemented by using different control mechanisms to provide different system capabilities, such as clustering, redundant hardware, or even different products, such as multiple types of firewall appliances from multiple vendors. If one mechanism is susceptible to a particular threat but the others are not, the survivability of the system is maintained. (The trade-off is operational: each distinct product is one more to patch, configure and monitor, so diversity is best applied where a common-mode failure would be unacceptable.) Likewise, resilience could be supported by virtualization techniques, using Immutable Service Containers to compartmentalize risks and separate different system services. [Examples of the practical use of these principles using Immutable Service Containers will be discussed in a future article in this series.] If a threat affected a service in one container, the overall IT infrastructure could continue to operate by isolating the affected container, so that the threat is localized and does not impact other elements of the infrastructure.

Adaptive Security Architectural Principles

  • Pattern recognition - In the biological world, cells recognize various proteins via pattern matching on their surface. Likewise, IT systems should be capable of matching patterns of both normal and abnormal behavior in code, in command and response dialogs, in different protocols, etc.

  • Uniqueness - Biological organisms possess their own unique immune systems that vary from individual to individual, and this uniqueness is associated with the different strengths and weaknesses of those individuals. Such uniqueness in IT systems ensures that no monoculture exists that could be susceptible to a single computer virus, and likewise gives an ecosystem of different and unique organisms, or IT systems, the robustness necessary to survive different threats.

  • Self identity - The notion of self and non-self allows an organism to distinguish what is native from what is not, and to trigger elimination of those non-self things that are considered a threat. In the IT world this concept is replicated so that whatever does not belong according to a specified security policy is likewise isolated and eliminated. Part of manifesting self and non-self is supporting intra- and inter-system communication: the sharing of information on threats, countermeasures, security policies and trust relationships between different systems and IT infrastructures.

  • Diversity - In the biological world, diversity refers to the different types of elements (proteins, cells, etc.) that together embody a wide range of defenses against different threats, including innate and adaptive immunity. In IT systems, diversity manifests itself by architecting different control mechanisms, such as compartmentalization via operating system virtualization or TPM-based hardware trust anchors.

  • Disposability - Disposability is the notion that no single cell or molecule in an organism is essential to the functioning of the entire immune system. In an IT infrastructure, disposability is represented by the concept of a sacrificial system: one that can be lost, isolated or rebuilt without the infrastructure as a whole losing its function. This contributes to the overall robustness of an IT infrastructure.

  • Autonomy - Autonomy in biological systems means that no single element controls the immune system; its different elements function autonomously to counter threats. It is likewise desirable that the different security and integrity control mechanisms of IT systems can function autonomously to address threats.

  • Multilayered - Biological entities support molecular, cellular and other elements that act cooperatively to provide a comprehensive threat response. This is the same notion as the defense in depth that a well designed security architecture maintains.

  • No secure layer - Any and all cells in an organism are at risk of attack at any point in time. This is simply the reality, it has an exact parallel in the IT world, and as such it is the underlying assumption of any security policy: no layer is trusted merely because of where it sits, and each carries its own controls. It is instantiated via a 'deny all' default policy whereby access is granted only on a need-to-know basis.

  • Anomaly detection - In biological immune systems, the notion of non-self enables the immune system to recognize and respond to things that are not part of its known self. Likewise, an IT system should be able to automatically recognize and respond to behavior that is not considered normal or that is explicitly known as a threat. The design approach described below is intended to further this characteristic so that threats can be anticipated before they manifest.

  • Dynamically changing coverage - Biological immune systems have limits on the number and type of cells and molecules that can detect and respond to pathogens. As such, they maintain a dynamically changing set of these cells and molecules so that, ideally, the right mix exists to respond to whatever threats arise. In an IT infrastructure one likewise cannot maintain an unlimited number of threat signatures and threat response mechanisms, so one must develop a means to intelligently predict and anticipate which threat response mechanisms should be deployed at any point in time.

  • Distributivity - The different elements of biological immune systems are widely distributed throughout an organism and not under the control of any central mechanism. In IT terms, distributivity means there is no single point of control whose compromise or failure disables the whole defense, which limits what an attacker gains from any one successful attack.

  • Noise tolerance - Biological immune systems do not require an exact match to recognize pathogens. In the IT world one should likewise be able to recognize threats without an exact match of a virus signature or similar.

  • Resilience - Although various conditions can reduce the effectiveness of a biological immune system, it maintains a level of resilience that allows it to continue recognizing and countering pathogens. An IT system must similarly be resilient, so that it continues to function even at reduced capacity.

  • Fault tolerance - Biological immune systems are composed of redundant elements that function in a complementary fashion, and different elements can be modified to respond to pathogens they normally would not. In an IT infrastructure one should likewise want fault tolerance, such that different threat response mechanisms can be retooled or have their behavior modified to respond to threats they normally would not address.

  • Robustness - In the biological world, robustness is really the aggregate benefit of diversity and distributivity. IT systems should exhibit robustness for the same reason: no single threat or failure should be able to bring down the whole.

  • Immune learning and memory - In the biological world, the immune system is by definition adaptive in nature. This adaptiveness allows for faster and more effective responses to pathogens and improves over time as the immune system learns and retains memory of pathogens. It is this adaptiveness that we want to mimic in IT systems and, in particular, the ability to learn and remember threats over time.

  • Predator-prey pattern of response - Biological immune systems respond to pathogens via a mediated response mechanism, which allows them to scale up the response as the number of pathogens increases. Such a mediated response is likewise necessary in our IT environment so that the appropriate level of threat response controls can be brought to bear. The triggering and feedback mechanisms described below provide such mediation.

  • Self organization - A biological system does not predetermine how it will respond to a challenge; it determines the most effective response, remembers it, and keeps the elements that provided that response while shedding others. In the design approach noted here, all threat response controls must be capable of adapting their behavior in a similar fashion so that they utilize the most effective countermeasures.

  • Integration with other systems - Biological organisms are made of many systems that can be used independently or in concert within a larger ecosystem. The intention here is that IT systems exhibit the same behavior through a defense in depth strategy.
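Several of the principles above (pattern recognition, self identity, anomaly detection, noise tolerance, immune learning and memory, the predator-prey mediated response, and the sharing of threat information between systems) can be seen working together in one small monitor. The following is an added example for this posting, not code from the Sun BluePrint, from the GSE team, or from de Castro's book. It borrows the "sense of self" idea of Forrest et al., in which the self of a service is the set of short system-call windows it emits in normal operation and any window outside that set is non-self. The window size, the response tiers, the one-mismatch tolerance rule, the shared memory set and the call traces are all assumptions made for the illustration; the traces are constructed, not captured from a real host.

```python
"""Self/non-self anomaly monitor in the artificial-immune-system style.
Added illustration, not code from the Sun BluePrint, the GSE team or de
Castro's book; windows, tiers, tolerance and traces are assumptions."""
from collections import deque
from typing import Deque, Iterable, List, Optional, Set, Tuple

Window = Tuple[str, ...]
Event = Tuple[str, str, Optional[Window]]   # (call, response tier, non-self window)

WINDOW = 3   # calls per pattern; short windows give a fine-grained "self"
FRAME = 8    # locality frame: how many recent windows feed the response
# Mediated response: the tier rises with the number of non-self windows in
# the frame, so a lone oddity is logged while a burst gets isolated.
TIERS = [(1, "log"), (2, "throttle"), (4, "isolate")]

# Constructed traces of a well-behaved service (not captured from a host).
NORMAL_TRACES = [
    "open read read close",
    "open read mmap close",
    "open read write close",
    "socket connect write read close",
    "stat open read close",
]

def windows(calls: List[str], size: int = WINDOW) -> List[Window]:
    """Sliding windows of `size` consecutive calls."""
    return [tuple(calls[i:i + size]) for i in range(len(calls) - size + 1)]

def near_match(a: Window, b: Window, tolerance: int = 1) -> bool:
    """Noise tolerance: same length and at most `tolerance` positions differ."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= tolerance

class SelfProfile:
    """Self identity: every call window observed during normal operation."""
    def __init__(self, traces: Iterable[str], size: int = WINDOW):
        self.size = size
        self.known: Set[Window] = set()
        for trace in traces:
            self.known.update(windows(trace.split(), size))

    def is_self(self, window: Window) -> bool:
        return window in self.known

class ImmuneMonitor:
    """Watches one service.  `memory` is a set shared between monitors, so a
    threat learned on one system is recognized at once on the others."""
    def __init__(self, profile: SelfProfile, memory: Set[Window], frame: int = FRAME):
        self.profile = profile
        self.memory = memory
        self.recent: Deque[str] = deque(maxlen=profile.size)
        self.frame: Deque[bool] = deque(maxlen=frame)

    def response(self) -> str:
        """Map the count of non-self windows in the frame to a response tier."""
        count, tier = sum(self.frame), "normal"
        for threshold, name in TIERS:
            if count >= threshold:
                tier = name
        return tier

    def observe(self, call: str) -> Tuple[str, Optional[Window]]:
        """Feed one call; return (response tier, offending window or None)."""
        self.recent.append(call)
        if len(self.recent) < self.profile.size:
            return "normal", None
        window: Window = tuple(self.recent)
        if self.profile.is_self(window):
            self.frame.append(False)
            return self.response(), None
        self.frame.append(True)
        # Secondary response: a remembered threat, even an inexact variant of
        # it, is escalated immediately rather than waiting for the frame.
        if any(near_match(window, seen) for seen in self.memory):
            return "isolate", window
        return self.response(), window

def run_trace(monitor: ImmuneMonitor, trace: str) -> List[Event]:
    """Feed a whole trace; return one (call, tier, window) event per call."""
    return [(call, *monitor.observe(call)) for call in trace.split()]

def first_alarm(events: List[Event]) -> Optional[Tuple[int, str]]:
    """Index and tier of the first non-self window, or None if all was self."""
    for index, (_, tier, window) in enumerate(events):
        if window is not None:
            return index, tier
    return None

if __name__ == "__main__":
    profile = SelfProfile(NORMAL_TRACES)
    shared_memory: Set[Window] = set()
    # Constructed attack: a read path that suddenly spawns a privileged process.
    attack = "open read read execve setuid socket connect write read close"
    host_a = run_trace(ImmuneMonitor(profile, shared_memory), attack)
    print("host A tiers:", [tier for _, tier, _ in host_a])
    # Immune memory: keep the windows that fired so the next host knows them.
    shared_memory.update(w for _, _, w in host_a if w is not None)
    variant = "open read read execve setgid socket connect write read close"
    host_b = run_trace(ImmuneMonitor(profile, shared_memory), variant)
    print("first alarm, host A:", first_alarm(host_a))   # (3, 'log')
    print("first alarm, host B:", first_alarm(host_b))   # (3, 'isolate')
```

Run as a script, it shows the mediated response on host A: the attack is first logged, then throttled, then isolated as non-self windows accumulate in the locality frame. The setgid variant on host B differs from the remembered windows in one position, so the noise-tolerant match fires and the first non-self window is isolated at once, which is the faster secondary response the immune-memory principle describes. The memory set is deliberately shared rather than copied, standing in for the inter-system sharing of threat information called for under self identity. The caveat a practitioner should keep in mind is that the self profile is only as good as the training traces: whenever the service legitimately changes, the profile has to be rebuilt or normal windows become non-self and the response fires on the wrong thing.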

References

[1] L. de Castro and J. Timmis, Artificial Immune Systems: A New Computational Intelligence Approach, 2002.


links for 2008-08-24

Sunday Aug 24, 2008

links for 2008-08-22

Friday Aug 22, 2008

links for 2008-08-08 [delicious.com]

Friday Aug 08, 2008

links for 2008-08-06 [delicious.com]

Wednesday Aug 06, 2008

Adaptive Security and Security Architecture

Wednesday Aug 06, 2008

Abstract

This article discusses a new perspective of security architecture that is capable of not only reducing threats but anticipating threats before they are manifested. The proposed approach is called adaptive security. Adaptive security will be discussed using biological and ecosystems metaphors as these provide interesting parallels to the issues, threats and countermeasures applicable to IT systems. And considering their longevity, survivability and adaptability, both biological and ecological systems are good examples of successful systems. We propose that data processing systems be designed with adaptive security elements to exhibit more biological and ecological oriented responses in recognizing and addressing threats.

Introduction

Dan Geer et al. summarize the problem we face: "The central enemy of reliability is complexity... Prevention of insecure operating modes in complex systems is difficult to do well and impossible to do cheaply: The defender has to counter all possible attacks; the attacker only has to find one unblocked means of attack." Setting the cost question aside for a moment, the key element addressed by adaptive security is that one attempts to counter all possible attacks only to the extent that a given threat response is cost effective. Put another way, we are in the risk management business, not risk avoidance; our goal is to ensure availability, not to avoid every risk. To summarize, the common problems that adaptive security may address are:

  • As complexity of systems increases their security and integrity decrease.
  • A monoculture of systems will allow a pandemic to spread quickly.
  • Offensive worms and adversarial attacks are developed faster than the development of defensive responses.

Objective of Adaptive Security

The objective of adaptive security is to give applications, systems, networks and IT infrastructures the ability to self-configure, self-detect, self-optimize and self-heal, in order to protect against corruption of data and processing resources. Exhibiting these characteristics demonstrates autonomy and trustworthiness and reduces complexity; the greater the level of control we have over systems, the more trust we can assign to them. Further, through common and consistent security standards, configurations and systems management we can address complexity. This objective is realized by:

  • Reducing threat amplification. (reduce the potential of cascading failures)
  • Reducing attack surface. (make the target smaller)
  • Reducing attack velocity. (slow the attack)
  • Ensuring the availability of data and processing resources.
  • Ensuring correctness of data and reliability of processing resources.

Biological systems react to threats by adapting or dying. Their responses are typically focused at a microscopic level via various capabilities, including immunological responses. The immunological capabilities of biological systems are autonomic in nature and have the ability to recognize and remember threats and to mount a rigorous attack each time a threat is encountered. The ability to adapt to threats (as compared to a fixed and immutable response) is significant in that we are not aware of every type of threat, yet we must be prepared for new attacks as they present themselves.

Ecological systems, on the other hand, function at a macroscopic level. They are comprised of many disparate elements, including individual biological entities, and react to threats by relying upon the diversity and autonomy of those elements as well as their ability to adapt. This has the effect of spreading the risk presented by a threat across the larger ecosystem and increases its overall survivability. Diversity also enables us to address the threat posed by a monoculture, in which a single threat can quickly affect multiple systems because they all share the same susceptibility.

Adaptive Security

Taking the qualities of both biological and ecological systems, namely adaptation, autonomy, diversity and survivability we can emulate these within the context of a Systemic Security framework. Adaptive security is a natural extension to this framework and offers a long-term vision for how IT systems will be designed, implemented and managed in the future. Recognizing the complex nature and relationships of modern IT systems, adaptive security has been designed to leverage architectural and operational best practices from a variety of IT disciplines in order to more easily integrate security and integrity into modern IT infrastructures. The different adaptive security architectural principles will be discussed in a follow-on article but examples of these would include diversity, resilience, fault tolerance and robustness. Note how these examples map to basic service levels that we are already familiar with as well as typical architectural characteristics that we already use.

Conclusion

The study of biological and ecological systems enables computer scientists to consider new and different means for designing, developing and managing security controls. This is especially critical as IT systems become increasingly complex. Given the rich threat environment in which most organizations now operate, we must consider new methods and mechanisms to proactively address those threats. Adaptive security is one such approach and has the advantage of not only addressing existing threats but also anticipating new threats, enabling security control mechanisms to modify their behavior before new threats manifest themselves at a critical level.

References

  1. J. Weise, Security Architecture and Adaptive Security, ISSA Journal, 2008.
  2. D. Geer, monoculture on the back of the envelope, 2005.
  3. L. de Castro and J. Timmis, Artificial Immune Systems: A New Computational Intelligence Approach, 2002.

links for 2008-08-05 [delicious.com]

Tuesday Aug 05, 2008

Hello World!

Tuesday Aug 05, 2008

Hello and welcome!  This is the first posting of the Global System Engineering (GSE) Security Team's Adaptive Security weblog.  This blog is intended to capture information related to our work on adaptive and autonomic security architectures including inspiration captured from both biological and ecological sources.  Our goal is to provide a single source where you can catch the latest news, postings, suggested reading and other material related to our work.  We are working on some really cool ideas this year and we hope you will join in the fun! 

Looking forward to hearing from you!

 - The GSE Security Team (aka Glenn Brunette, Joel Weise, Rafat Alvi and Bart Blanquart)