Chris Crall
Hewlett-Packard Company
19111 Pruneridge Avenue
Cupertino, CA 95014
Phone: (408) 447-4292
Fax: (408) 447-0801
Although the use of the Internet promises greater efficiencies and new markets, the security risks for a corporation can be daunting. Firewalls, VPNs, trusted web servers, public key infrastructures and other security technologies are being deployed to mitigate these risks. However, the key is to manage these security components in a manner that is safe and secure, but also meets the business needs of the company.
As an enterprise extends its network into this Extranet space, security management becomes a critical issue. User accounts, access control and trust policies are all difficult enough to manage when the enterprise only has to deal with its own employees. This task can become almost impossible when suppliers, customers, and business partners are added to the picture. This paper explores how security policy is managed in a Virtual Corporation. We discuss questions such as:
What types of policies are important in a Virtual Corporation?
How does a corporation set security policy?
How is the security policy distributed throughout the network?
How is the security policy enforced?
The Internet is forcing companies to change how they do business. In some cases, entirely new businesses have been created. In other cases, companies have changed how they conduct business. Businesses can now reduce their investment in brick and mortar resources while reaching more customers and remaining open for business 24 hours a day. At the same time the barriers to entry for their competitors have been dramatically lowered. This creates a very fast-paced, competitive environment.
To remain competitive, companies depend on the Internet to interact with customers, suppliers, distributors and other business partners. Data access is one aspect, but true cost savings come from the integration of business processes through the Internet. For example, inventory application integration can provide more efficient control and processing of parts for a manufacturing operation. This reduces inventory costs and reduces unnecessary parts outages. Order processing via the Internet allows the company to reach new customers and reduce the costs of processing orders. These types of activities all combine to make the company more profitable by decreasing costs and increasing revenue.
Even greater levels of integration take place when teams are formed across company boundaries. The move to outsourcing continues to gain momentum as more companies focus on their core competencies and work with partners that can provide services in areas outside the area of expertise of the company. R&D, Marketing, Advertising, PR, HR, Manufacturing, just about everything can be and is outsourced. In some cases these virtual team relationships can last for years. In other cases teams can be formed, perform the desired function and disappear in a matter of weeks or even a few days.
These scenarios form a crucial part of what HP refers to as the Virtual Corporation. These are companies with flexible boundaries and the ability to quickly adapt to changing business requirements. However, there is no free lunch. In a Virtual Corporation business partners and customers now have access to crucial resources in your company’s network. This access may be through a web server which front-ends ERP applications. Partners may also come through a VPN when more direct access is required to computing resources inside the company’s firewalls. This access raises the question of the amount of risk or exposure that a company must accept and manage as more outsiders access resources inside the company network.
What types of issues and risks exist in this scenario?
1. Protection from unauthorized users. This issue exists for every company with any kind of access to the Internet. Firewalls are the first line of defense to repel intruders trying to gain unauthorized access to the company network.
2. Authentication of authorized users. How are traveling employees, telecommuters, customers and business partners authenticated to the enterprise? This can be through the tried and true user name and password. More secure alternatives include tokens, one-time passwords, public key certificates and smart cards.
3. Access to resources. Once users are authenticated, access to the computing resources of the company must be controlled. Mechanisms must be in place to restrict access to only those resources this user should be allowed to see. These access control mechanisms are built into operating systems, network resources, web servers and applications.
Before we dive into policy we first need a definition from which to work. According to the American Heritage Dictionary, policy is defined as: “a plan or course of action, as of a government, political party, or business, designed to influence and determine decisions, actions and other matters”. So a policy is a plan which determines decisions and actions. In the case of security policy, this information determines what decisions and actions should be taken with regard to authentication of users and systems, access and use of resources, use of encryption and audit levels.
All of the security systems within the company are controlled by policy. This policy may or may not be explicit, understandable, consistent or even sensible. For example, the web server with the cafeteria menu might be tightly controlled while the accounts receivable system has no access control. This policy makes no logical sense and may well be wrong, but these systems have a policy and it was established by someone. Whether it was made consciously or unconsciously, having no security controls on the accounts receivable system is the current policy.
Security policies in a Virtual Corporation are an extension of existing security policy. Companies already have policies to deal with such things as user authentication, resource access and audit information.
User authentication can be accomplished through user name and password information to systems and applications. Password strength policies, password lifetime and password history policies may be set.
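The three password policy dimensions named above (strength, lifetime and history) are simple to state but easy to get subtly wrong, for instance by storing the password history in clear or comparing hashes with a timing-sensitive equality. The following is an added illustration, not code from this paper or from HP; the policy thresholds, the PBKDF2 work factor, the user name and the passwords are all constructed for the example.

```python
"""Password policy enforcement: strength, lifetime and history.

Added illustration of the three password-policy dimensions the paper
names (strength, lifetime, history). It is not code from the paper or
from HP; the policy values, user names and passwords are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3      # of lower, upper, digit, symbol
    max_age_days: int = 90    # lifetime policy
    history_depth: int = 5    # history policy: previous hashes kept


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    set_at: float                                # epoch seconds of last change
    history: list = field(default_factory=list)  # [(salt, digest), ...]


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so neither current nor historical passwords are stored in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def new_account(user: str, password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(user, salt, _hash(password, salt), now)


def strength_violations(password: str, policy: PasswordPolicy) -> list:
    """Strength policy: minimum length and number of character classes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < policy.min_classes:
        problems.append("too few character classes")
    return problems


def is_expired(account: Account, policy: PasswordPolicy, now: float) -> bool:
    """Lifetime policy: the password must be changed after max_age_days."""
    return now - account.set_at > policy.max_age_days * DAY


def is_reused(account: Account, password: str, policy: PasswordPolicy) -> bool:
    """History policy: reject the current password and the last history_depth ones."""
    candidates = [(account.salt, account.digest)] + account.history[:policy.history_depth]
    # Each candidate keeps its own salt, so the candidate must be re-derived per entry;
    # compare_digest avoids leaking match position through timing.
    return any(hmac.compare_digest(_hash(password, s), d) for s, d in candidates)


def change_password(account: Account, new_password: str,
                    policy: PasswordPolicy, now: float) -> list:
    """Apply all three policies; return the violations (empty list on success)."""
    problems = strength_violations(new_password, policy)
    if is_reused(account, new_password, policy):
        problems.append("reused within history depth")
    if problems:
        return problems
    account.history.insert(0, (account.salt, account.digest))
    del account.history[policy.history_depth:]
    account.salt = os.urandom(16)
    account.digest = _hash(new_password, account.salt)
    account.set_at = now
    return []


if __name__ == "__main__":
    pol = PasswordPolicy()
    acct = new_account("alice", "Initial-Pass-2024!", now=0.0)
    print(change_password(acct, "Initial-Pass-2024!", pol, now=10 * DAY))
    print(is_expired(acct, pol, now=91 * DAY))
```

The history list stores only (salt, digest) pairs, so checking a candidate against the history costs one PBKDF2 derivation per stored entry; that is the price of never keeping old passwords in a form that can be reversed.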
Tokens and smart cards may also be used, particularly for high value applications and remote access.
Access to resources may be very open or very tightly controlled. This policy often depends on the sensitivity of the resource and the philosophy of the company. Some companies control resources more tightly while others place the responsibility on the employees to use resources wisely and ethically. Neither approach is necessarily better nor worse than the other, they are just different.
Audit level policies vary depending on the value of the transactions and the sensitivity of the resource. In some industries, government regulations may influence the audit policy.
As more and more business partners begin accessing the Intranet, the need for additional security policies arises. As with internal users, the first issue is authentication. How do we reliably identify these external users? The company could manage the identities of the external users and create the appropriate entries in the authentication system for the resource. This may mean creating an entry in a Unix or NT system, an application specific repository or LDAP directory. On the other hand, the management of these external users could be delegated to the business partner. For example, an LDAP directory could be used where an administrator at the business partner has the rights to create, delete, and modify user information in a specific part of the directory tree.
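The delegation just described rests on one check: is the entry the partner's administrator wants to write inside the subtree that was delegated to that partner? The following is an added model of that check with a minimal in-memory directory; it is not code from this paper, from HP or from any directory server, and the DNs, delegation table and entries are constructed for the example. The comparison is made on normalised RDN components rather than on raw string suffixes, so differences in case or spacing neither bypass nor break it.

```python
"""Delegated directory administration scoped to a partner's subtree.

Added example of the delegation the paper describes: an administrator at a
business partner may create, modify and delete user entries only within that
partner's branch of the directory tree. It is not code from the paper, from
HP or from any directory server; the DNs and entries are constructed.
"""


def parse_dn(dn: str) -> list:
    """Split a DN into normalised RDN components, root first.
    Assumes no escaped commas inside values (enough for this illustration)."""
    parts = [p.strip().lower() for p in dn.split(",") if p.strip()]
    return list(reversed(parts))


def norm(dn: str) -> str:
    """Canonical string form of a DN, used as the dictionary key."""
    return ",".join(reversed(parse_dn(dn)))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or lies below it.
    Component-wise comparison after normalisation, not a raw suffix match."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[:len(base)] == base


class Directory:
    """Minimal in-memory directory with subtree-scoped write delegation."""

    def __init__(self, delegations: dict):
        # admin DN -> base DN of the subtree that admin may write
        self.delegations = {norm(a): b for a, b in delegations.items()}
        self.entries = {}

    def may_write(self, admin_dn: str, target_dn: str) -> bool:
        base = self.delegations.get(norm(admin_dn))
        if base is None:
            return False
        # Design choice for this example: the delegated branch's own entry
        # stays under corporate IT; the partner writes only beneath it.
        return in_subtree(target_dn, base) and norm(target_dn) != norm(base)

    def _check(self, admin_dn: str, target_dn: str) -> None:
        if not self.may_write(admin_dn, target_dn):
            raise PermissionError(f"{admin_dn} may not write {target_dn}")

    def create(self, admin_dn: str, dn: str, attrs: dict) -> None:
        self._check(admin_dn, dn)
        self.entries[norm(dn)] = dict(attrs)

    def modify(self, admin_dn: str, dn: str, attrs: dict) -> None:
        self._check(admin_dn, dn)
        self.entries[norm(dn)].update(attrs)

    def delete(self, admin_dn: str, dn: str) -> None:
        self._check(admin_dn, dn)
        del self.entries[norm(dn)]


if __name__ == "__main__":
    # Constructed delegation: partner A's admin owns ou=partnerA.
    admin = "cn=admin,ou=partnerA,ou=external,dc=example,dc=com"
    d = Directory({admin: "ou=partnerA,ou=external,dc=example,dc=com"})
    d.create(admin, "uid=bob,ou=partnerA,ou=external,dc=example,dc=com", {"cn": "Bob"})
    print(d.may_write(admin, "uid=bob,ou=partnerB,ou=external,dc=example,dc=com"))
```

A real directory server expresses the same thing in its access-control configuration; the point of the model is the shape of the decision: who is asking, which branch was delegated to them, and whether the target lies strictly within it.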
Another approach is to establish a trust relationship for authentication information between companies. Although this can be done with a variety of security technologies, the most obvious approach is to trust identities established with the use of public key pairs and X.509 certificates. Cross certification of Certification Authorities is one approach to this. This can be established as either a one way or two way trust relationship.
Once the identity of the user from the business partner is established, access control policies become the next concern. What part of the network should the business partner be allowed to access? Which systems can they log onto, which applications can they run and what data can they see? Separation and containment policies may be necessary to control which business partners can access which data. Businesses today often find themselves competing with a company in one market and working collaboratively in another. In addition, it is not uncommon to be partnering with two companies who compete with each other. Controlling which pieces of data these business partners can access is crucial to maintaining good business relationships with all of the partners.
Deployment of new applications and technology for the business partner may change existing policies. One example is on the firewall. New applications or services may require that new types of traffic be allowed through the firewall. Every new kind of traffic is another hole in the firewall and should be carefully considered. A VPN between the partners may be required to help tighten these new holes. The VPN may allow only traffic from specific users or companies to traverse the firewall. Proxy servers may also be used to control these interactions.
Audit policies may also change as external partners access company resources. The amount of audit data and the resources to analyze the data may go up dramatically. Intrusion detection tools and baseline profiles may also become a more important part of the security policy in this new world.
Encryption policy may change as a result of working more closely with business partners. Since more data is now flowing in and out of the company, the level of encryption may need to change. Should data be encrypted on disk? Should data be encrypted on the link between companies? If so, what level of encryption should be used? New partners in countries where you have not done business before may bring on a whole new set of encryption policies mandated by government regulations.
Although understanding what new policies need to be put in place can be a daunting task, actually setting the policies and distributing the policies to the appropriate security components is an even larger task. One of the characteristics of a Virtual Corporation is the frequency of change of interactions with partners. Partner companies or teams within those companies may come and go quickly. The policy mechanisms need to support changes just as quickly.
What is the ideal policy-setting tool? At first blush, a single integrated console from which all security policy can be managed would seem to be the ideal. Imagine being able to see and control all security policy and settings from one console. However, this is neither realistic nor especially desirable. Let’s examine who the players might be in setting security policy and what a console like this would control.
Who currently controls security policy?
· Corporate IT – firewalls, routers, mail gateways, HTTP proxies, etc.
· Business unit admin/IT – ERP applications, Databases, etc.
· Managers – user and role information.
· Individual Users – files, calendars, etc.
Who manages user information?
· Managers – role information.
· Human resources – role, location and identity information
· Business partners – delegated management of their own employees
· The individual
What kind of resources must be controlled?
· Network – firewalls, routers, switches, WANs, LANs
· Systems – mainframes, servers, desktops, portables, appliances
· Applications – ERP, Supply chain, HR, mail, HTTP, office automation, groupware, …
· Files – databases, documents, presentations, mail messages, papers, data sheets, reports, etc. (millions of individual files in a medium to large size corporation)
The number of individual users involved in policy administration is enormous. A single tool would need to be both simple enough for technically naïve users and flexible enough for the most technically savvy, power user in IT. The resources this single tool would have to manage vary widely in capability, granularity and automation. Imagine trying to create one set of controls that could be used to drive a car, pilot a Boeing 747, sail a boat and ride a motorcycle. Do you put the turn signal next to the clutch, over the ailerons or by the main sheet? Do you use a tiller, handle bars or a steering wheel? Similar issues need to be resolved for setting security policy.
Current technology does not allow us to integrate all possible security policy into one tool, so we need to find the appropriate user community, aggregation points and levels of abstraction. This will allow us to create an appropriate set of tools to simplify the administration of security policy instead of a single, all-powerful tool.
The first aggregation point is around users. Although people may have different roles and capabilities, they have common characteristics. They have names, addresses, phone numbers, groups and roles. Although many different systems have their own representation of user information, most of the information is similar. It is not difficult to aggregate the information about a user’s NT, Oracle, SAP and Unix account and store it all in one repository. In addition, the use of a common repository for applications and systems alike simplifies the administrative and policy setting burdens. Relational databases work very well for this purpose, as does an LDAP directory.
Tools such as HP OpenView’s new AccessManager product allow an administrator to add a user to a central repository and have that information propagated to multiple systems. In addition, delegated administration is available for some LDAP directories that allow business partners to manage their own users.
The second obvious aggregation point is at the company boundary. VPNs and firewalls both provide access to the company network and are typically managed by the same or similar groups at corporate IT. By providing a tool to manage this external access, we can simplify the task of setting policy for access by external partners. Examining components with similar policy information that are managed by similar groups can identify other aggregation points.
Through the use of abstraction we can also provide some level of policy management across a range of security enforcement components. In the example above we found it difficult to place all of the specific controls for an airplane, boat, motorcycle and car in one tool. However, if we don’t use all of the specific controls, but instead abstract to a high level we can provide some common controls. For example, a command to turn 10 degrees to the right could be implemented with all of those modes of transportation. Similarly, a command to set the audit level to “High” could work on firewalls, applications and systems. This type of response might be used when a possible intrusion is detected in the Intranet. In an extreme case, a policy of “No Internet Connections” might cause the routers, firewalls and DNS systems to stop all interactions between the Intranet and the Internet.
The components necessary to implement this abstraction tool include a management system and agents to translate the high level commands into resource specific actions. For example, a firewall agent would translate the “No Internet Connections” into a specific rule on the firewall that would stop all inbound and outbound traffic at the boundary.
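The management-system-plus-agents model of the two preceding paragraphs is easier to see in code than in prose: one abstract policy (“audit level High”, “No Internet Connections”) is validated centrally and then handed to each agent, which emits the actions its own resource understands, or nothing if the policy does not apply to it. The following is an added sketch, not HP code and not the AccessManager product; the agent classes, the policy keys and values, and the rule formats the agents emit are all constructed for the illustration.

```python
"""Abstract policy commands translated by per-resource agents.

Added sketch of the management-system-plus-agents model the paper describes.
It is not HP code: the agent classes, policy keys (audit_level,
internet_connections) and the resource rule formats they emit are all
constructed for this illustration.
"""
from abc import ABC, abstractmethod

AUDIT_LEVELS = ("Low", "Medium", "High")
POLICY_KEYS = {"audit_level": AUDIT_LEVELS,
               "internet_connections": ("Allowed", "None")}


class Agent(ABC):
    name = ""

    @abstractmethod
    def apply(self, policy: dict) -> list:
        """Translate the abstract policy into resource-specific actions."""


class FirewallAgent(Agent):
    name = "firewall"
    LOGGING = {"Low": "denied", "Medium": "denied,inbound", "High": "all"}

    def apply(self, policy):
        actions = []
        if "audit_level" in policy:
            actions.append(f"set logging {self.LOGGING[policy['audit_level']]}")
        if policy.get("internet_connections") == "None":
            # Stop all traffic in both directions at the boundary.
            actions.append("insert rule 1 deny any any inbound")
            actions.append("insert rule 2 deny any any outbound")
        return actions


class DnsAgent(Agent):
    name = "dns"

    def apply(self, policy):
        actions = []
        if policy.get("audit_level") == "High":
            actions.append("querylog on")
        if policy.get("internet_connections") == "None":
            # Stop resolving external names: no forwarders, no recursion.
            actions.append("forwarders {}")
            actions.append("recursion no")
        return actions


class AppAgent(Agent):
    name = "erp-app"
    AUDIT = {"Low": "auth-failures", "Medium": "auth", "High": "auth,data-access"}

    def apply(self, policy):
        # The application has no Internet boundary of its own, so it only
        # reacts to audit_level and ignores internet_connections.
        if "audit_level" in policy:
            return [f"audit categories={self.AUDIT[policy['audit_level']]}"]
        return []


class PolicyManager:
    """The management system: validates a policy and fans it out to agents."""

    def __init__(self, agents):
        self.agents = list(agents)

    @staticmethod
    def validate(policy: dict) -> None:
        # Reject unknown keys and values before anything reaches a resource.
        for key, value in policy.items():
            if key not in POLICY_KEYS:
                raise ValueError(f"unknown policy key {key!r}")
            if value not in POLICY_KEYS[key]:
                raise ValueError(f"invalid value {value!r} for {key}")

    def distribute(self, policy: dict) -> dict:
        """Push one abstract policy to every agent; return actions per resource."""
        self.validate(policy)
        return {agent.name: agent.apply(policy) for agent in self.agents}


if __name__ == "__main__":
    mgr = PolicyManager([FirewallAgent(), DnsAgent(), AppAgent()])
    for name, actions in mgr.distribute({"internet_connections": "None"}).items():
        print(name, actions)
```

Validation sits in the manager rather than in each agent so that a malformed or unknown policy is refused once, centrally, instead of being partially applied by some resources and silently ignored by others.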
There are several industry trends that will help to consolidate security policy administration and distribution. The use of LDAP directories, industry standards and industry consortia are beginning to allow vendors to roll out products in this space.
LDAP directories have gained wide acceptance as the repository for user and policy information. By providing a standardized protocol to access a repository of information, LDAP directories increasingly allow vendors to justify moving policy data out of their own proprietary data stores into a common shared store.
The OpenGroup is working on a standard authorization API. Administration of policy is made simpler and more consistent by centralizing access control decisions in a standard component. Multiple applications can then use the same policy by making calls to the authorization component. This API is expected to be available in the fall of 1999.
Some control over encryption and encryption policy is provided by the Common Data Security Architecture (CDSA). CDSA provides standard APIs and a framework for Crypto Service Providers (CSPs) and encryption policy. As ISVs begin to take advantage of CDSA, applications will be able to use a common facility for encryption policy and certificate trust policy.
Industry standards and consortia groups have been active in other areas of policy as well. Most of this work has focused on networking policy. Quality of service and other networking issues are addressed by the IETF’s Common Open Policy Service (COPS) and the DMTF’s Directory Enabled Networks (DEN) work. Although the DEN specification includes some security specific information, it is not the focus of the specification nor are the security objects complete in defining application security.
The Internet has made creating dynamic relationships between companies possible. Businesses that have capitalized on this technology have created a climate that is forcing many others to jump into the dynamic space of Virtual Corporations. With this new environment comes a greater appreciation for the complexity of managing IT security issues. While policy based management tools help to abstract the control of security mechanisms, we have not yet reached the state of having a single model for how to control underlying security tools. Fortunately the industry is making progress in developing policy based management models in general and we can expect this to be extended to broader security management components in the future.