Information Systems Security and the Multinational Enterprise (2)
Clive Blatchford
There is a marked shift from the trading of physical goods to the trading of added-value services. This will range from increased revenue from selling industrial patents to the exploitation of custodial customer information. The trend has been forced on some countries by the uncompetitiveness of their manufacturing base; others have made it a fundamental thread of their economic strategy. Some projections show that around 50% of all international trade by value (especially amongst the advanced communities of nations and enterprises) will be in this category by the end of the decade. The vast majority of people will be directly linked, either from home or via their private or public enterprise.
The importance of the “Information Revolution” has not been lost on the European politicians! The “Delors” White Paper on “Growth, Competitiveness & Employment: The Challenges and Way Forward into the 21st Century” clearly defined the need for a European Information Infrastructure. A key recommendation was that the Council of Ministers and the Commission should change their procedures to reflect the existence of the “Information Society”. Subsequent actions included:

• The creation of a High Level Group (chaired by Vice-President Bangemann; this has now produced a report in his name);
• Analysis of the legal/regulatory framework (the creation of a “level playing field”);
• Ensuring the availability of technology as the building blocks of the necessary infrastructure. This was already underway, as reflected in much policy and standards formulation and the funding of many tasks in the III and IV Framework R & D Programmes, in particular within Telecommunications (e.g., ACTS) and Telematics (e.g., ENS etc.).

Computer Audit Update, March 1996 © 1996, Elsevier Science Ltd.
Comprehensive reports on the Information Society have been prepared by Commission staff for the European Council meetings in Corfu (June 1994) and Essen (December 1994) and for the G7 Summit attended by Al Gore in February 1995. Much of the success of the Information Society is predicated on functionally rich yet low-cost telecommunication services. European-based multinationals in particular have been at a disadvantage because of the fragmented nature of telecommunications in Europe! The European Union has proposed fundamental changes to the telecommunications services infrastructures. This should accelerate the process by making services more cost-effective, and there should be an ever-increasing use of services from the corresponding integration of processes. Studies have indicated increases of more than 6% in the GNP of many countries just by liberalizing the basic telecommunication services and removing the heavy hand of the state!
A telecommunications policy is being followed that will progressively result in liberalization of markets and service harmonization between the Member States of the European Union. Two directives were adopted in June 1990, for example, covering:

• Establishment of the internal market for telecommunications services through the implementation of Open Network Provision, ONP (Council Directive 90/387/EEC).
• Competition in the markets for telecommunication services (Commission Directive 90/388/EEC).
Such directives are likely to lead to the optimum development of new services, by avoiding discriminatory conditions and by guaranteeing equality of access for all enterprises and individuals throughout the European Union. Many services will be created around the international trading community. In particular, there has been ready acceptance of electronic “commerce”, built upon the Electronic Data Interchange (EDI) EDIFACT standards. There is increased awareness of the legal and organizational changes necessary to support international exploitation of such services. Some of these issues were addressed at the European level in the services programmes TEDIS and CADDIA, started in 1988 to support rationalization of the policies, standards and procedures in complex commercial interactions.

The demand for end-user access from multiple locations, using various types of product (mobile phones, automatic teller machines, computer terminals etc.), and the associated competing added-value services generate complex administrative as well as technical issues. Service quality is as important as price in selecting the most suitable service and access mode. Security is an important element of quality, covering the availability, integrity and confidentiality of both the service and the associated message, whether human or machine generated. All potential players need to accept the various solutions, not just national administrations or commercial enterprises. The service will increasingly be measured by what it does (the functionality) and how well it does it against various external problems (the assurance). The balance between functionality and assurance will generate a range of price/performance options. Users will select the solution that meets the overall “fitness for purpose” in their own context. Their needs will have to be supported by the overall robustness of the electronic infrastructure, and this will be reflected down to the smallest operational component.

Some services will change the very way in which society operates. There will be a trade-off, for example, between travelling to meetings and using telecommunications services, as teleworking, video conferencing and multimedia become more prevalent. Services must be truly international if the Multinational Enterprise is not to be faced with an increased fragmentation of the market. Moves by more and more telecommunication companies (PTTs) to become ‘privatized’ and remove themselves from state control are a recognition of the common nature of the worldwide market and the business opportunities that will be generated. The nature of the worldwide market and this consistency of business purpose is not yet reflected in the commonality of the information systems security controls.
Information services - the problem of trust

The Multinational Enterprise will increasingly rely on a range of value-added services (usually communications based) to enhance the level of trust in international relationships. These Trusted Third Parties (TTPs) will need to intercommunicate internationally in the context of a political, legal, commercial and technical framework. The TTPs will offer value-added services with regard to availability, integrity, confidentiality and overall operational assurance. They are likely to be set up at a national level against a local legislative/regulatory model. Some internationally accepted form of “mutual recognition” of trust would be a starting point for eventual worldwide operational harmonization. The TTP services can be classified into:

• Primary Services - those essential to allow communicating parties to be engaged in and introduced to specific transactions.
• Secondary Services - the context in which transactions complete or fail (e.g., arbitration, audit, etc.).
• Supportive Cryptography - the encipherment techniques and processes.
• Controlling Services - the international/national regulatory processes.
The range of potential services is still under review, but it is likely to contain the following:

• Naming/Addressing - the function of assigning enterprises and individuals unique names and addresses. This would recognize the probability of several different distinguished names for the same party (enterprise member, private citizen, etc.).
• Certification - the function of validating the name and address (against specific credentials).
• Management Services for Names and Credentials - the function of establishing, administering and making available records of the names, addresses and certified credentials.
• Signature Services (Key Management) - the function that generates, distributes, establishes and administers encryption keys for authenticity (both public and private).
• Confidentiality Services (Key Management) - the function that generates, distributes, establishes and administers encryption keys for message confidentiality in communication and storage processes.
• Legal Services - the functions performed by the legal profession in recognizing regulatory differences (e.g., non-repudiation in remote commercial transactions).
• Date and Time Stamping - the function that would guarantee the exact date and time on request (e.g., supporting non-repudiation, minimizing asynchronous communication fraud opportunities, etc.).
• Negotiable Transactions - functions that ensure unforgeable, non-personalized documents (tokens); this could support electronic financial trades, letters of credit, bills of lading, etc.
In addition, there could be many other TTPs covering the management of transaction accountability, secure communication and storage, etc. The advent of practical low-cost multimedia services will extend the administrative possibilities. The debate on the crypto tools and techniques to support user authentication and message integrity is important, but it can obscure the broader commercial context.
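The date/time-stamping and non-repudiation services listed above are easiest to see in code. The following is an added example, not from the article or from any product or service it names: a minimal linked time-stamping service in Python, in which each token's hash covers the previous token's hash (the Haber-Stornetta linking technique), together with a verifier for the relying party and an auditor for the TTP's published log. The token field names, the TTP identifier ttp.example, the sample documents and the clock values are assumptions constructed for this illustration.

```python
import hashlib
import json

# Added illustration (not from the original article): a minimal linked
# time-stamping service of the kind a TTP could offer, with a client-side
# verifier.  Each token's link hash covers the previous token's link, so a
# backdated or re-ordered token breaks the chain the TTP has published.
# This is the Haber-Stornetta linking idea; the token field names and the
# TTP identifier "ttp.example" are assumptions made for this example.

GENESIS_LINK = "0" * 64


def link_hash(seq: int, issued_at: int, doc_hash: str, prev_link: str) -> str:
    """Hash binding sequence number, time, document digest and the prior link."""
    body = {"seq": seq, "issued_at": issued_at,
            "doc_hash": doc_hash, "prev_link": prev_link}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class TimestampAuthority:
    """The TTP side: issues tokens and keeps the published, append-only log."""

    def __init__(self, ttp_id: str = "ttp.example"):
        self.ttp_id = ttp_id
        self.log = []
        self.last_link = GENESIS_LINK
        self.last_time = 0

    def issue(self, document: bytes, now: int) -> dict:
        """Time-stamp `document` at clock reading `now` (Unix seconds)."""
        if now < self.last_time:
            raise ValueError("clock went backwards; refusing to issue")
        doc_hash = hashlib.sha256(document).hexdigest()
        seq = len(self.log) + 1
        token = {
            "ttp": self.ttp_id, "seq": seq, "issued_at": now,
            "doc_hash": doc_hash, "prev_link": self.last_link,
            "link": link_hash(seq, now, doc_hash, self.last_link),
        }
        self.log.append(token)
        self.last_link, self.last_time = token["link"], now
        return token


def verify_token(token: dict, document: bytes) -> bool:
    """Relying party: does this token commit to this document, consistently?"""
    if hashlib.sha256(document).hexdigest() != token["doc_hash"]:
        return False
    expected = link_hash(token["seq"], token["issued_at"],
                         token["doc_hash"], token["prev_link"])
    return expected == token["link"]


def verify_chain(log: list) -> bool:
    """Auditor: every token must chain to its predecessor with non-decreasing time."""
    prev_link, prev_time = GENESIS_LINK, 0
    for i, t in enumerate(log, start=1):
        if t["seq"] != i or t["prev_link"] != prev_link or t["issued_at"] < prev_time:
            return False
        if link_hash(t["seq"], t["issued_at"], t["doc_hash"], t["prev_link"]) != t["link"]:
            return False
        prev_link, prev_time = t["link"], t["issued_at"]
    return True


def demo() -> dict:
    """Issue three tokens, then try to backdate the second one in two ways."""
    ttp = TimestampAuthority()
    docs = [b"bill of lading (constructed sample)",
            b"letter of credit (constructed sample)",
            b"trade confirmation (constructed sample)"]
    base = 800_000_000                     # arbitrary clock origin
    tokens = [ttp.issue(d, base + 60 * i) for i, d in enumerate(docs)]
    honest = all(verify_token(t, d) for t, d in zip(tokens, docs)) and verify_chain(ttp.log)

    # Attack 1: the token holder edits the issue time; the link no longer matches.
    backdated = dict(tokens[1])
    backdated["issued_at"] -= 30
    naive_edit_detected = not verify_token(backdated, docs[1])

    # Attack 2: the holder also recomputes the link so the token is self-consistent.
    # It now passes verify_token, but the next token in the TTP's log still points
    # at the original link, so an auditor of the published chain catches it.
    backdated["link"] = link_hash(backdated["seq"], backdated["issued_at"],
                                  backdated["doc_hash"], backdated["prev_link"])
    looks_self_consistent = verify_token(backdated, docs[1])
    tampered_log = [tokens[0], backdated, tokens[2]]
    chain_audit_detected = not verify_chain(tampered_log)

    return {"honest": honest,
            "naive_edit_detected": naive_edit_detected,
            "looks_self_consistent": looks_self_consistent,
            "chain_audit_detected": chain_audit_detected}


if __name__ == "__main__":
    print(demo())
```

The two attacks in demo() make the practical point: a token is only as trustworthy as the log it chains into. A TTP that merely signs (hash, time) pairs can be persuaded to sign a backdated pair, whereas a published chain lets any auditor, not only the TTP, detect a reordered or backdated entry. A production service would in addition sign the chain head and publish it widely; that step is omitted here.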
The international environment must be understood before the final selection of a single (or a limited number of) control mechanisms. There is much work to be done in establishing the overall international framework for such services. Current examples are built upon small closed groups of financial or administrative enterprises with common objectives and similar concepts of assurance and trust.
Global, public services will require:

• National laws - harmonization and/or mutual recognition of the salient issues. It is essential that some legislation be updated to allow TTPs to operate in an international environment.
• Rules and regulations for the accreditation, operation and audit of TTPs.
• Standards for communications, in particular the graded levels of operational security services.
• A legal/regulatory and procedural framework for the use of the communication services.

There is much existing work in these areas at the international level that should be recognized by the Multinational Enterprise (ref. the OECD Guidelines for the Security of Information Systems). The European Union, through its strategic planning on Security of Information Systems and the various supporting Infosec security investigations, has recognized the difficulties of achieving an international consensus on the range of potential information services. The level of trust that should be demanded, or can be expected, by the multinational enterprise and its associated users must be high on the agenda of the various national administrations!
Information products - the assurance conundrum!

Commercial pressure has created a demand for the effective division of labour at a worldwide level. There are complex component-to-product and IT product-to-service relationships, with significant movement of parts between nations. A product apparently ‘badged’ in one country may reflect components and the associated processes sourced from many international locations. The more universal the system solution, the more complex these relationships. The functional integration of the solution has posed a recognized problem for many years. Configuration management and control is a major part of the acceptance procedure for any corporate procurement department. Quality control has posed a particular problem as new suppliers have come on stream from the emerging countries of the Far East and the old ‘Soviet Bloc’. Information security is one quality attribute of a solution that is of increasing concern to the end user.

Information systems consist of both hardware and software, each of which has specific security issues. The hardware may be supported by specific features or mechanisms that may be considered controlled products in many countries (trusted functionality, encipherment, electronic radiation proofing/TEMPEST etc.). At an administrative level this may dictate individual product-by-product licensing for use outside national boundaries. The logistics of such licensing arrangements can become very complex, compounded by practical inconsistencies between countries in the application of controls. This is particularly relevant to the use of cryptography for confidentiality controls, even within the European context. Vendors and service suppliers have either removed functional capability or disregarded national controls when faced with apparently endless debate with national authorities. Either way may result in less use of secure systems solutions. There have been many cases where the vendor or ‘added-value’ service supplier has been unable to exploit a single common product internationally because of the restrictions on trusted functionality or cryptography.
There is much confusion in the commercial world on the perceived application of controls. There is an apparent lack of clarity in the way such controls are publicly stated, and in the degree to which they vary over time. Controls have been applied on a case-by-case basis. This obfuscation may be deliberate! It can be caused by the fundamental role of cryptography in maintaining national security in the advanced nations. The security of inter-company electronic transactions has become a significant policy issue impacting the achievement of business objectives in many enterprises, not just those in international finance! Failure to agree common control mechanisms using robust encryption techniques must inhibit business opportunities, especially within the spatially distributed transnational corporation. The Internet, as a relatively low-cost communication medium, has been rejected by many companies because of the well-publicized scams on user IDs and payment methods. Security vied with cost as the main concern in a recently completed CompuServe member survey of online financial needs. Security could become paramount when selecting between the competing browsers for the Internet/World Wide Web. Both Netscape (with Navigator) and Microsoft (with Explorer), for example, have adopted RSA public-key encryption (in SSL) to protect ID/authentication data in credit card transmissions. The 40-bit key length authorized for export applies to the session cipher (the internal USA version uses 128 bits) and is unlikely to be adequate to meet the future international demands of the global enterprise, not least those of Visa and Mastercard. The first service with real protection over messages will generate substantial revenue for the software suppliers! Export restrictions must be relaxed to facilitate future international trade. There is some indication that the former COCOM regulations underpinning the cryptographic controls will be simplified, at least among some 20+ selected and trusted nation states. A multinational enterprise recognized by such a club member could get clear policy direction in the future. This de facto policy subordination, however, may continue to alienate the truly transnational company!

The assurance of procured software is of increased concern as hardware products become more reliable. Competitive cost-cutting pressures, especially amongst major financial institutions, are resulting in the replacement of existing ‘core’ in-house developed software with externally prepared alternatives. ‘Shrink-wrapped’ commodity software is increasingly the backbone of many sensitive processes (e.g., electronic mail used to encapsulate payment transactions). Customer pressure must be paramount in establishing the correct balance to be applied by the service supplier in any evaluation process for products and components. The USA, Canada and the European Union have spent some two years attempting to harmonize criteria for the evaluation of IT security products. This international liaison built upon the various guidelines for both national and Community-wide evaluation and certification (ITSEC/ITSEM). The result of this effort, ‘The Common Criteria’, was published for review in late 1994. In the UK the DTI hosted the launch in London. There were representatives from the interested authorities, the IT and telecomms community and a few potential users of secure IT products. The draft Common Criteria is a substantial document (over 800 pages). The audience reception to the material was mixed, reflecting the difficulty in interpreting the range of possible control options. The ‘systems integrators’ present welcomed the attempt to have a common international standard on security properties, in particular the need for a selection of ‘Protection
Profiles’. These must, however, be simply structured and equated to specific threats before commitment by the end users. Such Protection Profiles (PPs) could be built around a number of existing parallel ‘standards’ actions, including:

• A user-endorsed framework on information systems security, possibly that from the EU-supported Infosec Business Advisory Group (IBAG material version 2.0/9.93).
• A practical list of operational standards and procedures, possibly the DTI-supported Code of (Good IT Security) Practice (DISC PD0003 and subsequent efforts?).
• Earlier studies funded from the CEC DG XIII Infosec tasks that defined (security) Functional Classes, the precursor to the PP but without predefined levels of assurance.
• Threat analyses prepared by many academic sources (usually with limited distribution!).

The DTI have hired consultants in the UK to ensure that user perspectives are adequately addressed and presented. The larger multinational user would need to be part of this analysis of the application of the Common Criteria. This would help ensure that international IT procurement is fully recognized! In summary, the issues to be addressed by the information systems security certification and evaluation process will range from commercial through to political concerns, including:

• Hardware and software products must be secure - but how to guarantee quality when the concept of national products, and hence potential ‘control’ of a product, may no longer be relevant.
• Shrink-wrapped software must be fit for purpose as a ‘commodity’ - but how to ensure intellectual property rights (IPR) when the source code must be available for security evaluation (increasingly against some ‘independent’ national service?).
• International product and process assurance procedures must be in place covering the development, operation and measurement of products. They should balance national and commercial security aspirations without being prescriptive and discriminatory - a difficult task!
Open systems - the security debate

The Multinational Enterprise has recognized the practical benefits of open systems. Products and services procured locally can be effectively integrated into a strategic solution. There must, however, be a clear relationship between the demand for openness in systems and the quest for improved security. These requirements must be defined in terms of business objectives and controls and must be incorporated into a comprehensive ‘framework’. This should provide the environment in which the needs can be expressed in terms understood by the technician. Such frameworks are being developed as part of the international standardization effort. They cover the user requirements, IT, telecommunication and broadcast services, distributed IT systems and interworking components. The administrative and technical architecture will include qualities of expected service, including scalability, performance, usability and security. These qualities are necessary to underpin user confidence in the correct implementation and operation of the solution. There are a number of major architectural studies that include information security as a prerequisite (ISO Open Distributed Processing/ODP, IEEE POSIX 1003.0 Open System Environment/OSE, OSF Distributed Computing Environment/DCE, etc.). In addition, all the major IT vendors and service suppliers are competing to produce secure networking solutions (e.g., Microsoft NT etc.). There must be consistency between the approaches for the results of the studies to be applicable in the various frameworks. A solution must be concerned with the provision of security functionality as well as assurance that the implementation meets the necessary security objectives. It is essential that these architectural threads are recognized at all levels in the international open standards process. Emphasis is increasingly being placed on the ‘packaging’ of standards to create functional solutions. The work on the various regional profiles within NIST/OIW, EWOS and AOW is particularly relevant. The assurance will go down to the basic engineering of the components and the associated process tool kits. Security functionality, with its architectural emphasis on the level at which distributed components can communicate and interact, is increasingly recognized as the starting point in the definition of a user-responsive system. This pervasive nature of the attributes of security, from the smallest component and process to the fundamental trust in a business operation, will bound the scope of any ‘Open Systems Framework’. Complex frameworks will achieve little, however, if the underlying basic building blocks of services, protocols and mechanisms have not taken key security features into account. International open standards, including the OSI/CCITT deliverables, must be implementable against specific, practical and economically acceptable user security policies. Many enterprises have adopted codes of practice, translatable into operational baseline controls. These may be considered in legal or business management terms as ‘standards of due care’ applicable to a
specific sector/industry. The mapping of this business perspective to the open systems offerings is still in its infancy. There is no lack of security components, whether trusted IT operating systems, encryption chips or digital integrity seals. The problem remains selecting the correct solution for the business need while reflecting the balance between the national concerns, the enterprise's and the individual's perspectives. The framework must consider the wider user needs as defined in organizational and administrative controls. It is much more than just tactical exploitation of technology! The international standards community (e.g., ISO, CCITT) will have a major role in facilitating the development of standards and processes that will create this effective balance (see Figure 3).

Figure 3: The international standards process (standards base, security profiling, harmonization, ratification, uses - many). Key: ISO - International Standards Organization; CCITT - Telecommunications Standards Authority; ECMA - European Computer Manufacturers Association; NIST (OIW) - National Institute of Standards & Technology (Open Systems Workshops), USA; EWOS - European Workshop on Open Systems, EU; AOW - Asia/Pacific Workshops; ISO/IEC JTC1 - co-ordinating committee on relevant standards for ISO/CCITT; GOSIP - Government Standards on Open Systems Implementation (EPHOS-EU, USA, UK etc.); MAP - Manufacturer Open System Standards; TOP - Office Systems Open Standards; Security - various USA, Canada and EU committees including S.O.G.I.S. in the CEC.
Conclusion

The Multinational Enterprise faces a basic conundrum. It operates best in a ‘borderless’ world! It is most effective in meeting the objectives of its shareholders and managers when it is unfettered by national legislation and regulation. The national authorities have the responsibility for maintaining and enhancing the well-being of the citizen. Information security is a fundamental part of human society, whether in personal privacy, freedom of information or ensuring the viability of the service infrastructure (increasingly dependent upon high-integrity IT, telecommunication or broadcast services). Information systems security is an international problem requiring an international solution, yet the building blocks are still fundamentally national. There is a need for an international framework to encapsulate all the diverse building blocks. Even at the European level pan-national institutions have a limited role. Technical emphasis on the type of encryption is just debating the type of brick, not what is to be built. The joint EU and North American work on the Common Criteria is a step in the right direction. It will consider the fundamental processes necessary to achieve eventual harmonization of standards as the basis of international ‘mutual recognition’ of security products. But there is still much to be done!

This paper has been written primarily as a European perspective on an international problem. This view is generally valid, however, in that it reflects the thinking of the European member states - countries that have jealously guarded their national security and independence, many times under arms, over 2000 years of history! The European Union is currently defining the conditions for the Internal Market. This provides for the ‘four freedoms’ within the Community: free movement of goods, capital, services and people. The ‘5th freedom’, the movement of information, is apparently much more problematical. This must have a political and social perspective in addition to the narrower commercial interpretation. Much of the current post-Maastricht debate amongst and within the various member states is about ensuring an acceptable balance. Inconsistent or incomplete definition of information systems security controls could limit the various political as well as commercial options. European co-operation in sensitive areas of trusted IT functionality, encipherment and secure communication services is just part of a plethora of ongoing discussions, not all of which are guaranteed to reach a conclusion acceptable to the Multinational Enterprise! These activities, however, must not compromise the rights and obligations of the individual citizen. Privacy and protection of private information is fundamental to any creation of the ‘five freedoms’. Universal identification and authentication may facilitate the movement of people, but it may also result in unacceptable intrusion into personal privacy. The European Union, through its various agencies at both the Commission and Member State levels, is exploring the problems. The Infosec (information systems security) actions reflect these concerns. They have a relevance beyond the confines of a few politically, culturally and socially aligned countries of Western Europe. The Multinational Enterprise will need to play an active role to ensure a correct commercial counterweight to the limited national views of the many and various individual Nation States!

Clive Blatchford is an executive consultant at Panacea Holdings Ltd, UK. He has been closely involved in the subject of information systems security since the early 1970s and has recently been active in developing end-user applications for the smaller enterprise.