Adaptive Security Architecture Principles
Friday Sep 05, 2008
Abstract
Building upon the last posting, this article describes the security architectural principles that are used to guide the design, development, implementation and operation of an adaptively secure environment. Not all principles will necessarily be used in every architecture. They should be treated as guiding principles rather than mandates; their use depends upon the business and technical requirements that the architecture must satisfy.
Background
Adaptive security has been designed to leverage architectural and operational principles from a variety of disciplines in order to more easily and effectively integrate security and integrity into IT infrastructures. The principles below map properties of biological and ecological systems that we consider applicable to information systems. De Castro et al. have likewise identified these as beneficial characteristics that would be useful in IT systems [1]. Note how these examples map to basic service levels that we are already familiar with, as well as to typical architectural characteristics that we already use. Essentially, we see the goal of utilizing these principles as a means to develop systems that reduce their exposure to threats and the magnitude of those threats, and improve their ability to counter them in a timely fashion.
The purpose of using the architectural principles is to develop security architectures for IT infrastructures that will exhibit adaptive security characteristics. Using these principles allows one to ensure that the IT infrastructure reduces threats and their impact on functionality, reliability, performance, availability, security and integrity. In addition, using these principles supports survivability. Survivability is one of the basic tenets of adaptive security and is defined as the ability of a system to fulfill its mission in a timely manner in the presence of attacks, failures or accidents.
A simple example of using these principles would be building a security architecture with a defense in depth strategy, which would certainly include, among other principles, diversity and resilience. The principles drive the design of a defense in depth strategy and could be implemented using various techniques. Diversity could be implemented by using different control mechanisms to provide different system capabilities, such as clustering, redundant hardware or even different products such as multiple types of firewall appliances from multiple vendors. This way, if one mechanism were susceptible to a particular threat but the other mechanisms were not, the survivability of the system would be maintained. Likewise, resilience could be supported by virtualization techniques using Immutable Service Containers to compartmentalize risks and separate different system services. [Examples of the practical use of these principles using Immutable Service Containers will be discussed in a future article in this series.] In this way, if a threat existed that affected a service in one container, the overall IT infrastructure could continue to operate by isolating the affected container, so that the threat was localized and did not impact other elements of the infrastructure.
Adaptive Security Architectural Principles
- Pattern recognition - In the biological world, cells recognize various proteins via pattern matching on their surface. Likewise, it is desired that IT systems be capable of matching patterns of both normal and abnormal behavior in code, command and response dialogs, different protocols, etc.
- Uniqueness - Biological organisms possess their own unique immune system that varies from individual to individual, and this uniqueness is then associated with different strengths and weaknesses of those individuals. Such uniqueness, expressed in IT systems, ensures that no monoculture exists that could be susceptible to a common computer virus, and likewise gives an ecosystem of different and unique organisms and IT systems the robustness necessary to survive different threats.
- Self identity - The notion of self and non-self allows an organism to comprehend what is native and what is not, and to trigger an elimination process for those non-self things that are considered a threat. In the IT world, this concept would be replicated so that whatever does not belong according to a specified security policy would likewise be isolated and eliminated. Part of manifesting self and non-self includes supporting intra/inter-system communication and the sharing of information on threats, countermeasures, security policies and trust relationships between different systems and IT infrastructures.
- Diversity - In the biological world, diversity refers to the different types of elements (proteins, cells, etc.) that together embody a wide range of defenses against different threats, including innate and adaptive immunity. In IT systems, diversity would manifest itself by architecting different control mechanisms, such as compartmentalization via operating system virtualization or TPM-based hardware trust anchors.
- Disposability - Disposability is the notion that no single cell or molecule in an organism is essential for the functioning of the entire immune system. Disposability in an IT infrastructure is represented by the concept of a sacrificial system. This contributes to the overall robustness of an IT infrastructure.
- Autonomy - Autonomy in biological systems means that there is no single element controlling the immune system. The different elements of the immune system can function autonomously to counter threats. It is likewise desired that such an ability exists for IT systems, so that different security and integrity control mechanisms can function in an autonomous fashion to address threats.
- Multilayered - Biological entities support molecular, cellular and other elements that act cooperatively to provide a comprehensive threat response capability. This is the identical notion of defense in depth that a well designed security architecture maintains.
- No secure layer - Any and all cells in an organism are at risk of being attacked at any point in time. This is simply the reality of things, has an exact parallel in the IT world, and as such is the underlying assumption within any security policy. It is instantiated via a 'deny all' security policy whereby access is only granted on a need-to-know basis.
- Anomaly detection - In biological immune systems, the notion of non-self enables the immune system to recognize and respond to those things that are not part of its known self. Likewise, an IT system should support the capability to automatically recognize and respond to things that are not considered normal behavior or are known explicitly as threats. The intention of using the design approach described below is to further this characteristic, such that one can anticipate threats before they can be manifested.
- Dynamically changing coverage - Biological immune systems have limitations on the number and type of cells and molecules that can detect and respond to pathogens. As such, they maintain a dynamically changing set of these cells and molecules in the hope that the correct mix exists to respond to whatever threats arise. In an IT infrastructure one likewise cannot maintain an unlimited number of threat signatures and threat response mechanisms. Thus one must develop a means to intelligently predict and anticipate what threat response mechanisms should be deployed and utilized at any point in time.
- Distributivity - The different elements of biological immune systems are widely distributed throughout an organism and not under the control of any central mechanisms. In IT terms this distributivity reduces the attack surface.
- Noise tolerance - Biological immune systems do not require an absolute match to recognize pathogens. In the IT world, one should likewise desire the ability to recognize threats without an absolute match of a virus's or similar threat's signature.
- Resilience - Although various conditions can reduce the effectiveness of a biological immune system it maintains a level of resilience that allows it to continue recognizing and countering pathogens. An IT system must similarly have such resilience so that it continues to function in spite of a reduced capacity.
- Fault tolerance - Biological immune systems are composed of redundant elements that function in a complementary fashion. In addition, different elements can be modified to respond to pathogens that they normally would not respond to. In an IT infrastructure one should likewise desire fault tolerance such that different threat response mechanisms can be retooled or their behavior modified to respond to threats they normally would not respond to.
- Robustness - In the biological world robustness is really the aggregate benefit of diversity and distributivity. In the IT world, it obviously makes sense that IT systems also exhibit robustness.
- Immune learning and memory - In the biological world, the immune system is by definition adaptive in nature. This adaptiveness allows for faster and more effective responses to pathogens and improves over time as the immune system learns and retains memory of pathogens. It is this adaptiveness that is desired to be mimicked in IT systems and, in particular, the ability to learn and remember threats over time.
- Predator-prey pattern of response - Biological immune systems respond to pathogens via a mediated response mechanism. This allows them to scale up a response as the number of pathogens increases. Such a mediated response mechanism is likewise necessary in our IT environment so that the appropriate level of threat response controls can be brought to bear. The triggering and feedback mechanisms described below are used to provide such mediation.
- Self organization - A biological system does not predetermine how it will respond to a challenge; it remembers how it has responded, determines the most effective response necessary, and keeps the elements that provided that response, while other elements may be shed. In the design approach noted here, all threat response controls must be capable of adapting their behavior in a similar fashion so that they utilize the most effective countermeasures.
- Integration with other systems - Biological organisms are made of many systems that can be used independently or in concert in a larger ecosystem. It is the intention here that IT systems exhibit the same behavior using a defense in depth strategy.
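As an added example (not code from the original post), the self identity, anomaly detection and noise tolerance principles above can be demonstrated with a toy negative-selection detector of the kind described in the artificial immune systems literature cited in [1]: events are encoded as fixed-length bit strings, candidate detectors are random strings that survive only if they bind to nothing in the observed "self" set, and binding uses an r-contiguous-bits rule so that detection does not require an exact signature match. The event encoding, the sample events and the thresholds are all constructed here for illustration and are assumptions, not part of the article.

```python
import random
from typing import Dict, List, Set, Tuple

# Constructed feature encoding: each event becomes a 10-bit "shape" string
# (2 bits role, 3 bits action, 5 bits hour of day). Real systems would encode
# richer features (command/response dialogs, protocol fields, ...).
ROLES: Dict[str, int] = {"user": 0, "admin": 1, "service": 2}
ACTIONS: Dict[str, int] = {"read": 0, "write": 1, "delete": 2, "export": 3, "sudo": 4}
SHAPE_LEN = 10
MATCH_R = 6  # r-contiguous-bits threshold: a partial, noise-tolerant match


def encode(role: str, action: str, hour: int) -> str:
    """Map an event to a fixed-length bit string (the 'shape' a detector binds to)."""
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0..23")
    return f"{ROLES[role]:02b}{ACTIONS[action]:03b}{hour:05b}"


def r_contiguous_match(a: str, b: str, r: int = MATCH_R) -> bool:
    """Noise tolerance: True when a and b agree on at least r adjacent positions,
    so a detector binds to shapes that are close to, not identical to, its own."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set: Set[str], count: int, seed: int = 1,
                       max_candidates: int = 100_000) -> List[str]:
    """Negative selection: draw random candidates and keep only those that bind
    to nothing in the self set, so surviving detectors can only bind to non-self."""
    rng = random.Random(seed)
    detectors: List[str] = []
    for _ in range(max_candidates):
        if len(detectors) >= count:
            break
        cand = "".join(rng.choice("01") for _ in range(SHAPE_LEN))
        if not any(r_contiguous_match(cand, s) for s in self_set):
            detectors.append(cand)
    return detectors


def is_non_self(shape: str, detectors: List[str]) -> bool:
    """Anomaly detection: an event is flagged if any detector binds to it."""
    return any(r_contiguous_match(shape, d) for d in detectors)


def classify(events: List[Tuple[str, str, int]],
             detectors: List[str]) -> Dict[Tuple[str, str, int], bool]:
    """Return {event: flagged} for a batch of events."""
    return {ev: is_non_self(encode(*ev), detectors) for ev in events}


# Constructed "self": normal behaviour observed during a training window.
SELF_EVENTS: List[Tuple[str, str, int]] = [
    ("user", "read", 9), ("user", "write", 14), ("user", "read", 16),
    ("admin", "write", 10), ("service", "read", 3), ("service", "read", 4),
]
SELF_SET: Set[str] = {encode(*ev) for ev in SELF_EVENTS}

if __name__ == "__main__":
    dets = generate_detectors(SELF_SET, count=40)
    # Two constructed off-hours, out-of-role events appended to the normal ones.
    batch = SELF_EVENTS + [("user", "sudo", 2), ("admin", "export", 23)]
    for ev, flagged in classify(batch, dets).items():
        print(f"{ev!s:<28} {encode(*ev)}  {'NON-SELF' if flagged else 'self'}")
```

By construction no event in the self set is ever flagged, because every detector that bound to a self shape was discarded during negative selection; coverage of non-self depends on how many detectors survive and on the threshold r, which is exactly the "dynamically changing coverage" trade-off the list describes.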
References
[1] Artificial Immune Systems: A New Computational Intelligence Approach, L. De Castro 2002.
Posted at 05:24PM Sep 05, 2008 by gbrunett in Architecture
Tags: adaptive architecture biological ecological principles security