If it isn’t simple, it isn’t secure. It is almost a security truism, yet we still layer more and more complexity into our applications and servers and then wonder why they have security problems.
Instead of bolting on application security tools to try to figure out whether a system is secure, why not simplify the application and platform until it is self-evident that it is secure?
In part 1 of this series, I introduced the notion of building the Internet of Security Things (or Internet of Secure Things) based on the notion of building secure systems from simple components connected by dedicated, secure network segments (greynets).
Password protection problems again
This past week, the flood of security breaches has continued with a breach at Scottrade and yet another password exploit on the Outlook mail server. The first proposed “security thing,” the “Oracle” I described last week, could have protected those passwords by isolating the access control portion of the mail application.
If you’ve watched television this past couple of weeks, it has been hard to avoid the ads for fantasy football wagering. A particularly interesting security problem is emerging in the hot daily fantasy sports businesses FanDuel and DraftKings.
The problem is similar to stock brokerages or hedge funds “trading ahead” of their clients in the recent high-frequency trading incidents. Insiders at the wagering firms can see player picks before anyone else, and they are using this information to place bets at competing sites.
Escrows and blind systems
Why does this happen? There is no reason for anyone at the sports wagering company to have access to this information before its public disclosure, when everyone’s wagers are resolved. One option would be to have the system work in a peer-to-peer fashion, but a simpler escrow or blind system, where no person has access to the system’s internal state until the wagers resolve, is also effective.
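One concrete way to build the “blind” wagering pool described above is a cryptographic commitment scheme, a technique this column does not name but which fits the requirement exactly: each player submits only a sealed digest of their picks before the deadline, and opens it afterwards. The operator’s database holds nothing an insider could front-run, and a player cannot change picks after seeing anyone else’s. The code below is an added example, not code from the original column or from FanDuel or DraftKings; the names `commit`, `Player` and `BlindContest` and the sample lineups are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Illustrative names only (commit, Player, BlindContest): not a real API.


def commit(picks, nonce):
    """Seal a list of picks as HMAC-SHA256 keyed with a random nonce.

    Hiding: without the nonce the digest reveals nothing about the picks.
    Binding: the player cannot later open it to a different list.
    """
    canonical = "\n".join(picks).encode("utf-8")  # same picks -> same digest
    return hmac.new(nonce, canonical, hashlib.sha256).hexdigest()


class Player:
    """Client side: picks and nonce never leave the player's machine before lock."""

    def __init__(self, name, picks):
        self.name = name
        self.picks = list(picks)
        self.nonce = secrets.token_bytes(32)  # 256-bit nonce defeats guessing

    def sealed(self):
        return commit(self.picks, self.nonce)


class BlindContest:
    """Operator side: stores only digests until lock, so an insider who dumps
    the database early learns nothing about any lineup."""

    def __init__(self):
        self.locked = False
        self.commitments = {}  # name -> digest (all the operator holds pre-lock)
        self.revealed = {}     # name -> picks (populated only after lock)

    def submit(self, name, digest):
        if self.locked:
            raise ValueError("contest is locked; no new entries")
        self.commitments[name] = digest

    def lock(self):
        self.locked = True

    def reveal(self, name, picks, nonce):
        """Open a commitment: refused before lock (it would leak picks early)
        and refused if the picks do not match what was sealed."""
        if not self.locked:
            raise ValueError("reveals are not accepted before lock")
        if not hmac.compare_digest(self.commitments[name], commit(picks, nonce)):
            raise ValueError("picks do not match the sealed commitment")
        self.revealed[name] = list(picks)
        return True

    def insider_view(self):
        """Everything an insider can read from the operator's store pre-lock."""
        return dict(self.commitments)


def run_contest():
    """Constructed walk-through: two honest players, one who tries to switch
    picks after seeing a rival's lineup, and one late entrant."""
    alice = Player("alice", ["QB Smith", "RB Jones", "WR Lee"])
    bob = Player("bob", ["QB Brown", "RB Jones", "WR Kim"])
    contest = BlindContest()
    contest.submit(alice.name, alice.sealed())
    contest.submit(bob.name, bob.sealed())

    snapshot = contest.insider_view()  # what a front-running insider sees
    leaked = any(p in d for d in snapshot.values() for p in alice.picks + bob.picks)

    contest.lock()
    outcome = {"leaked_before_lock": leaked,
               "late_entry_rejected": False, "switch_rejected": False}
    try:
        contest.submit("mallory", commit(["QB Late"], b"x" * 32))
    except ValueError:
        outcome["late_entry_rejected"] = True

    contest.reveal(alice.name, alice.picks, alice.nonce)
    try:  # bob saw alice's lineup and wants to copy it after lock
        contest.reveal(bob.name, alice.picks, bob.nonce)
    except ValueError:
        outcome["switch_rejected"] = True
    contest.reveal(bob.name, bob.picks, bob.nonce)
    outcome["revealed"] = sorted(contest.revealed)
    return outcome


if __name__ == "__main__":
    print(run_contest())
```

The caveat a practitioner should note: a player who refuses to open their commitment forfeits, so the rules must say so, and the lock time must be published in advance so that neither the operator nor a player can argue about when reveals became valid.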
And this can work in other, more familiar applications.
The Sony Pictures Entertainment email breach in November 2014 disclosed personal information on employees and tons of email. It appears the hackers used an IT administrator’s account to break into the company’s networks and applications.
It is a “convenience” that IT staff have access to the contents of databases and email servers, but there is really no reason for them to. Edward Snowden’s disclosures were also due to a traditional, but vulnerable, IT architecture in which IT staff are trusted with the data they administer.
This is not necessary.
And, as these incidents have shown, certainly not desirable.
According to a report by Intel, 43 percent of data breaches are carried out by insiders either intentionally or not. I’m sure that many more breaches are due to hackers masquerading as legitimate users.
Phishing and spear-phishing turn outsiders into privileged insiders.
But do insiders really need all the access they have?
In many cases, users need to operate on data, but not “see” the data’s contents.
Mail administrators shouldn’t really need to be able to read my mail to administer my account on a server.
Businesses may need to have use of my personal information, but it could be protected by an “escrow” entity who holds it in trust and has a vested interest in the protection of my data.
This isn’t some new-fangled fantasy. Direct marketing mail lists are owned and controlled by one company, with access leased to companies who can use and query the list without direct access to it.
Avoiding the security services trap
One common architecture approach to security is to create separate “security services.” These dedicated pieces of security functionality, such as access control and encryption, have in some cases had the effect of making security weaker by making it easier to strip off: an attacker wins if they can get through or around the security service.
A “secure things” architecture instead integrates security functionality into many of the architecture’s components. Each component provides a building-block business function in a secure fashion appropriate to that function. As in traditional good architecture, these components are “loosely coupled and highly cohesive.”
Still more secure things to come
An escrow or blind system along with oracles are powerful tools for composing secure business systems from basic components. They are just a start with more to come in the next part of this series. I’d love to hear your thoughts on implementing security through simplicity.