December 12, 2006

Configuration: the forgotten side of security

Author: Bruce Byfield

When the average computer user thinks about security, they usually think about reactive measures like anti-virus programs or security patches -- responses to a specific threat. Such measures play a role in securing a workstation or a network, but they are often less than half the story. A more efficient approach is to configure a system securely from the start. Yet the realities of the software market and IT management, as well as efforts to increase user convenience, often mean that security by configuration is neglected, despite the straightforwardness of most of the steps needed to obtain it.

Configuration-centered security is sometimes called security architecture or proactive security. Under any name, the approach means making the design and installation of a computer system part of your security. Dan Razzell, president of Starfish Systems, a Canadian consulting firm, explains, "When you build a system, you build it for a purpose. If you can accurately articulate the purpose of the system, then the system displays all the functions you want and none of the functions you don't want -- because it's the functions you don't want that are an egregious source of security exposure. Basically, if you don't carry any baggage that you don't need, you can solve a lot of your security issues right there. So, really, configuration really drives security."

Jerry Saltzer, professor emeritus at the Massachusetts Institute of Technology, and a computing pioneer who has influenced hundreds of students, would agree. "The right time to apply best practices is during system design," Saltzer says. "That way, installation, configuration, and daily use will automatically tend to be more secure. The installation staff is then in a good position to apply basic security principles such as least privilege and basic human engineering principles such as least astonishment when configuring the system."

Among the other basic security principles that may be involved include containment of failure and defense in depth says Toby Weir-Jones, director of product management at Counterpane, the company founded by security guru Bruce Schneier.

The five basic goals of system configuration

In concrete terms says Keith Watson, a research engineer at the Center of Education and Research in Information Assurance and Security (CERIAS) at Perdue University, these principles translate into five basic goals when designing and configuring a system:

  • Build for a specific purpose and only include the bare minimum needed to accomplish the task.
  • Protect the availability and integrity of data at rest.
  • Protect the confidentiality and integrity of data in motion.
  • Disable all unnecessary resources.
  • Limit and record access to necessary resources.

By following the guiding principles during system design and configuration, administrators can not only increase security but also devote more time to users' needs. In addition, Razzell points out, attention to security architecture can often prevent the cost and effort of rebuilding a system after it is compromised.

Moreover, according to Watson, "putting effort into building secure, resilient systems in the beginning reduces the amount of reactive security needed later." Considering that reactive security typically lags behind threats because it responds more than anticipates, and the difficulty of balancing patches for different pieces of software, any reduction in the time spent on it would be welcome by most system administrators.

Why reactive security is more common

Saltzer is blunt when asked why reactive security gets more attention than security architecture. "Vendors have left users with little choice," he says. "The delivered systems have been full of holes that users can't do anything about." Instead, all users can do is wait until the discovery of a vulnerability drives the vendor to produce a patch.

In Watson's experience, the reasons are also corporate. "Very often," he notes, "Security is considered an IT-only issue where, in actuality, it is an issue that requires executive buy-in and support. There is also very little awareness among non-technical users, who are often overwhelmed with the technology due to lack of training. Since IT organizations do not approach [security] from a long-term view, they are only able to combat the current fires."

Convincing companies to take a longer view can be difficult, Weir-Jones goes on to say, because of the difficulty of "quantifying the intangibles such as customer trust, security staff burn out, [and] insider threats that can be improved by configuration-based security."

To these reasons, Razzell adds the nature of the IT market itself. In passing, he suggests that, in the case of reactive tools such as anti-virus programs, an unregulated market, and the lack of consumer advocacy, or of "responsible salesmanship," encourages users not to think about long-term solutions to security problems.

However, Razzell places most of the blame on the widespread view of computers as an appliance with all the convenience and disposability of a toaster or a washing machine. "I'm not sure how we got this idea that we could just take this appliance home, and that it would have everything installed and that would be the end of it," he says.

"That only works if you're prepared to throw away the appliance every three years as if it's a Bic pen or a lighter. But [computers] are like a car or a chalet. It's a long term investment, like an office. And you wouldn't want to throw away your office every three years."

Security vs convenience: a necessary tradeoff?

Probably the largest reason for overlooking security architecture is the widespread perception that security must be balanced against user convenience. Almost inevitably, when these two demands seem to conflict, user convenience is given priority. "There are very few organizations that I've encountered that put security as their first priority," Weir-Jones observes.

Refusing to put security first amounts to a preference for answering short-term demands over long ones. It is a choice that is especially tempting in a commercial company, in which user convenience seems to translate directly into customer satisfaction. However, it can also be present in free software projects, where the push to make the desktop more user-friendly -- which often means more like Windows -- has slowly eroded the default security in many GNU/Linux distributions.

Yet this division is not seen as inevitable by experts. Saltzer points out that OS X is not only considered more secure than Windows, but also more user-friendly. Similarly, Watson states that "usability and security are not mutually exclusive. It is possible to build secure systems where users are unaware of the security under the hood."

As examples, he cites a Trusted Solaris system he once used that runs Windows under an emulator, providing administrators with a secure environment and users with a familiar interface, and the cryptography system in Skype, which is transparent to users. Satisfying both security and user convenience may be difficult, but, as such examples show, the perceived dichotomy is by no means impossible to resolve.

Improving attitudes about security

Some security experts see security exclusively as the domain of experts. The question, according to Saltzer, is not how to encourage greater security awareness. "The real question," Saltzer says, "Is how to keep users from doing stupid things. When the question is posed that way, it becomes evident that designing systems to have intrinsic security is more likely to be successful than trying to encourage installers and users to be more careful."

Other security experts are more optimistic about the possibilities of education. Razzell suggests that running the Center for Internet Security benchmark is a concrete step towards both hardening a system and increasing user awareness of security issues. He would also like to see computers offered with varying degrees of security as a feature, or perhaps more users installing new systems themselves so that are more aware of how they operate.

On a company level, Weir-Jones advises, a clear security policy that is actually enforced is necessary for awareness. This policy, he suggests, should begin with the principle, "build only what you need." It should continue with a corporate culture in which frequent testing is part of administrators' work flow; so that the policy is not simply theoretical.

Security policies should also include "a clear line of escalation," so that those with expertise have the authority to fix problems immediately, rather than waiting for approval from their managers and organizations should lack "a culture of blame," so that administrators are not reluctant to report problems for fear of being censured or losing their jobs. A good place to begin, he suggests, is by consulting ISO standards 17799, which defines a set of security controls and 27001, which is a standard specification of an information security management system.

Whatever their specific suggestions for improvements, all the experts agree that the computer industry and its users have no shortage of ways in which they can increase aware of configuration-based security and implement it more usefully. "It's entirely possible to build and operate computer systems securely," Razzell says. "There's a huge gap between the best practices that industry uses and what people settle for as consumers. And it exists for no other reason except complacency."

Bruce Byfield is a computer journalist who writes regularly for NewsForge, Linux.com, and IT Manager's Journal.

Category:

  • Security
Click Here!