The security of distributed systems — An overview

The security of distributed systems — An overview

Information Security Technical Report, Vol. 1, No. 2 (1996) 1O-l 6 The Security of Distributed Systems An Overview Mike Horrell, Zergo Limited This ...

738KB Sizes 2 Downloads 87 Views

Information Security Technical Report, Vol. 1, No. 2 (1996) 1O-l 6

The Security of Distributed Systems An Overview Mike Horrell, Zergo Limited

This article describes how changes in organizational structures, a trend towards devolved responsibility and the distribution of information technology to the User, have resulted in a new range ofsecurity requirements.

Introduction The introduction of distributed systems have changed both the way in which companies work and the way information is processed. This change in working practice has been accompanied by a significant change in the security risks that organizations are subject to. New threats to security require new measures to be taken to protect corporate information.

The changed operational environment The nature of organisations, and the way they function, has undergone substantial change in recent years. Organisations have become much flatter with greater responsibility devolving to the individual departments, work groups and individuals. At the same time there has been a move from large centralised operations to a more geographically diverse working environment. These changes have been accompanied by the need for businesses to interact with larger numbers of outside bodies, it is now common to have links to subsidiaries, customers and even to competitors.

environment. Many organizations started their computerisation with mainframes that were introduced to provide a centralised batch processing facility. These systems represented a straightforward security problem as all the equipment involved could be located in one place which was segregated from the other functions of the company. As this central computing environment evolved users were granted direct access to it through local terminals which, while providing users with a degree of interaction with the corporate data did not eliminate the central control that had previously existed. As computerisation proceeded departmental mini-computers were introduced. These represented the first crack in the overall security environment as they were located and administered outside the central computing facility. The trend to distribute computer systems throughout the organization has continued and today we have a highly diverse computing environment. Intelligent devices (workstations) provide the user interface (and local data storage) and a variety of servers provide resources like electronic mail, databases and information storage. At the same time the computing environment has been changing so have the networks. Where once there were fairly simple ‘point to point’ networks using proprietary network protocols there are now open and flexible networks using common (and well-known) protocols which permit the interconnection of devices from a variety of manufacturers.

In parallel with the changes to the organizational structure there have been substantial changes to the technical

10

0167-4048/96/$15.00

0 1996, ElsevierScience Ltd

The Security of Distributed

What is driving the change? There are a number of driving forces behind the move to a distributed computing environment: There has been a desire to move the data closer to the user and to allow workgroups to be in control of their own processing environment. Work patterns and roles of members of staff have changed and increased flexibility has been sought. Computers become more powerful year by year and as a result tasks which at one time could only be performed on central mainframes can be moved on to distributed servers (or even workstations). The computer equipment, in particular the users workstations, are increasingly seen as low cost “commodity” items. Applications are increasingly purchased rather than developed in-house. Where applications are developed internally this now tends to be done by the end user department level using tools like Visual Basic rather than by a central team using traditional languages.

The consequences for security This change to a more open distributed computing environment has had a number ofeffects on the security of sys terns, software and data.

Physical security One of the most obvious results of this changed operational environment is the loss of physical security. Corporate data (and associated software) is no longer held in a ‘fortress’ at the centre. Rather it is distributed throughout the

Information Security Technical Report, Vol. 1,No. 2

Systems, An Overview

organization on a variety of client and server systems. These systems are placed so they are vulnerable to a variety of threats, for example servers may be installed in open plan office areas where they are accessible to anyone passing through. In addition there is rarely any form of fire protection other than that provided by the building services which may themselves form a threat to the servers (water sprinklers and electronics do not mix). The client systems (workstations) are even more vulnerable since even desktop systems are relatively small and easy to transport and the increasing use of notebook computers means that size is no barrier to theft. Perhaps the biggest problem is the increasing tendency to transport corporate data outside the security boundary of the organization. The case of the computer holding Gulf War data and the increased targeting of computers belonging to senior staff shows that this risk is real. Finally the data that the servers hold is often poorly protected by regular back-ups and, even where this is done, the back-up tapes are often stored alongside the computers or in similar insecure locations. Procedural security From a procedural point of view the introduction of distributed computing seems to have been accompanied by a form of corporate amnesia where many of the lessons of the past are forgotten. It was not by accident that computer centres were staffed by dedicated teams of trained people none of whom had the ability to completely control the computer system. However, when we look at the distributed environment it is common to see people who have been given the task of administering and supporting the departments computing resources “in addition to their regular duties”. It is increasingly rare for such people to be adequately trained or to have

11

The Security of Distributed Systems, An Overview

sufficient time to do the job well. Even more dangerously there is now one person who has complete control over a server; creating users; managing data files; doing back-ups; changing system configurations.

Network and communications security The introduction of distributed computing environments has involved the integration of equipment from a wide variety of suppliers. For this integration to be achieved, commonly agreed, and widely understood, mechanisms must be used - for example the Ethernet network protocol. One consequence of this is the loss of the incidental security that was obtained through the use of complex proprietary protocols (otherwise known as security through obscurity). In the distributed world it must be assumed that a potential attacker is in full possession of all the relevant the information about technical communications systems.

The result can be administrators who are overloaded and will often be skipping those aspects of the task which are seen by them as less critical. Typical security risks which arise from this include: Active accounts on the servers which belong to users who have left the department (or even the company). Data files on the servers which have no active owners but which may contain copies of corporate data. Users created with excessive application privileges because and easier to do that way, this new or temporary staff being ranging access rights.

system and it is quicker can include given wide

Back-ups being put off until they are less busy, the result is that they are never done. System upgrades, which may include critical security fixes, being left undone because they are too busy.

This problem is compounded when distributed systems are communicated with over public networks such as the Internet. The situation then exists where information, possibly business critical, is being sent using widely known protocols though an environment where it is easily intercepted (or copied) by an attacker.

It is more difficult to gain an overall view of the rights that any one user has over the entire operational environment as the information is fragmented onto numerous computer systems.

Administrator overload

User frustration

A consequence of this increase in the number of systems and applications has been to increase the workload of the (often part-time) administrators. Where a number of different types of system or application are involved this problem is compounded by the variations in the administrative interface they offer. This workload can be further increased by the administrators having to deal with a high level of requests from users wanting their accounts to be reset because they have forgotten their password.

The main effect on users of the new working environment, where distributed computing has replaced the old centralised world, is a huge increase in the number of systems and applications that a user has to access in carrying out their day to day work. Invariably each of these systems and applications will require the user to perform some form of login to identify themselves before being granted access. As a result users are having to manage and use many user ids and passwords. The overall effect is

12

InformationSecurity Technical Report, Vol. 1, No. 2

The Security of Distributed Systems, An Overview

predictable, users will forget some or all of their passwords and then be unable to do any work until they have been granted access by the server administrators. The end result is that users rapidly become frustrated and start trying a variety of ways to by-pass the security mechanisms which they see as stopping them doing their job. Typical of the measures users adopt are:

It can prove impossible to ensure that all these back-ups are performed at the correct points in time, and the appropriate media protection measures applied. However, the difficulty of ensuring back-ups are taken is nothing compared with the problems that can arise when information must be recovered from the back-up media. Among the problems which can arise are: Changes of technology meaning that the back-up media is not compatible with current computer system hardware.

Setting all the passwords to one easily remembered word such as their name, car registration number, pet’s name etc..

Media damage rendering it impossible to recover information.

When a password has to be changed they change it back to the original value so that they are using the same password for long periods.

Back-up device variations making it impossible to read information from media written on a different system.

Write the user ids and passwords down, often without any attempt being made to try to disguise them or to secure them in any way.

In addition it can be difficult for users to use the correct process for requesting access to systems and data as the rules are not being enforced by a single specialist group. Instead it may be necessary to contact a number of different administrators each of whom has responsibility for a piece of the overall computing environment. Information protection and back-up In the distributed environment pieces of the corporate information are located on the various computer systems (clients and servers) which are spread throughout the organization. The protection of this information against loss is a complicated task since back-ups must be taken at all the various locations and the media used stored in a secure, protected location.

information Security Technical Report, Vol. 1, No. 2

Difficulties in identifying the precise location of the information to be restored because of poor record keeping. The required information never having been placed on a system which is backed up (for example data held solely on a notebook computer). Difficulties with auditing The creation of the distributed computing environment has meant the loss of the ability to audit the actions of a user by querying a single computer system. As the user will now be making use of a number of systems, often geographically remote from each other, in order to do their work it will be necessary to query each of these systems to build up the picture of the user’s actions. The difficulties which ensue include: ??

Different types of computer systems record different types of information in audit logs which have different internal formats.

13

The Security of Distributed

Systems, An Overview

The audit logs must be transferred from the remote systems to a point where they may be analysed, this will involve them moving over open networks where they will be vulnerable to interception, alteration or destruction. The different systems will have their own internal clocks, used to time stamp the audit logs, which willvary from each other in their timekeeping. As a result it may be difficult to firmly attribute actions on a system to a particular user (for example the time stamp of an event on system A is earlier that the users login time on server B because the clocks are not synchronised). The situation is considerably worse where an intruder, or a legitimate user exceeding their authorised rights, is concerned. In order to track their actions it may be necessary to query every computer system in the distributed computing environment.

Steps to securing the distributed environment

??

One set of operational procedures;

??

One team of administration staff.

This does not mean that there will be a recreation of the central computing facility and its associated dedicated staff. Rather it means that there will be a uniform approach to the management of the security of the distributed systems throughout the entire organization and that the various administration staff responsible for the servers and applications will form a virtual security group. Among these organizational measures, that will need to be implemented in support of this goal, are the following: ??

??

In order to gain control of the distributed computing environment it will be necessary to re-establish some form of centralised security administration which can be applied throughout. There are two stages to its establishment, the organizational aspects (people and procedures) and the appropriate technical measures that will need to be applied to support the chosen security goals. Organizational

measures

Many organizations are setting themselves the goal of having: ??

One set of security data;

??

One point of management;

14

??

The acceptance by the organization that the security and administration of the various servers and applications is not a task to be performed as an afterthought. Rather it must be understood that it is an important activity that must have adequate resources allocated to it. The establishment of an organizational structure which arranges an adequate level of separation of duties and does not leave one person with total authority over any server or application. A common approach is to separate the task into three parts; the user makes a request for access that is approved by his line management as being necessary to his job function; the request is reviewed and access authorised (and its nature defined) by the group owning the server or application; the request is finally actioned by a completely separate team who are responsible for the day to day running of the applications and servers. The users must be made aware of their responsibilities as regards security, they need to understand why it is there and that

Information Security Technical Report, Vol. 1, No. 2

The Security of Distributed Systems, An Overview

attempts to circumvent it are a breach of the rules of the organization. While this will involve some form of ongoing security awareness programme the challenge can be to find ways to deliver this programme to staff at a number of different locations. Technical measures

services could include auditing and information back-up. One view of this division of the measures is shown in the diagram below. While the user authentication and access rights measures are substantially separate there is some communications between them, for example: ??

There are a number of technical measures which organizations may implement to support this process of controlling the distributed environment. These can be split into several groups, one associated with the user authentication process, another associated with the access rights management and a third consisting of ‘infrastructure’ like encryption services that may be used for all communications. Other infrastructure type

??

A user for whom access rights are being allocated must also be registered to allow the user to login. When the user logs in the identity must be passed to the access control mechanism on the appropriate server so that the information it holds may be accessed by the user.

Access Rights Management

Single Sign-On

Administration Tools Control of Actual Access

A View of the Technical Elements of a Solution

Information Security Technical Report, Vol. 1, No. 2

15

The Security of Distributed Systems, An Overview

The technical measures security may include:

The introduction of Single Sign-On (SSO) to eliminate the need for users to have to manage large numbers of user ids and passwords. This will provide users with an improved and more efficient working environment through the use of a single user id and password to access all the corporate resources they are authorised to access; The introduction of Access Rights Management tools which will eliminate the need to manage each of the distributed individually. Instead systems administrators, who may be physically dispersed throughout the organization, work with a central database of access rights which are downloaded to the distributed systems. An audit system which can extract and consolidate information from a number of sources (servers, SSO management systems, access rights administration tools, network devices etc.) to build-up a comprehensive picture of a user’s actions. The introduction of centrally managed back-up, perhaps on the form of a tape cartridge system, which eliminates the need to physically visit individual systems. Instead the administrators can configure the back-up strategy centrally and the process will be performed automatically as scheduled. The use of encryption (together with associated key management) to protect sensitive data while it is being transferred over the networks linking the various elements of the distributed computing environment. This protection is particularly important when security administration

16

data, such as a set of access rights instructions, are being transferred over shared or public networks.

used to establish

Protecting the security data The important factor that these measures have in common is the need to hold security data, for example authentication and authorisation information, in a database that may be managed by physically dispersed staff through a single administrative interface. This security data is critical to the successful operation of the corporate IT assets and as a result must be protected against: ??

Destruction (accidental or deliberate);

??

Unauthorised alteration;

??

Unauthorised inspection and copying.

For this to be achieved the information must be held in a managed and controlled environment. In addition the point of storage of the security data must have the capability of processing large volumes of security data, be able to support a substantial number of accesses from the distributed administrators and be located on the network such that it is able to communicate with the distributed systems.

Conclusions Currently there is no one ‘standard way of securing a distributed computing environment. Instead we are faced with a ‘toolkit’ of components each of which offer some security functionality. It remains necessary to define the requirements for security, select the appropriate items to satisfy these requirements and then integrate them into a solution.

Information

Security Technical

Report, Vol. 1, No. 2