Introduction

This document is an attempt to formulate the basic reasoning behind the security technologies we should employ. It does not try to analyse the actual techniques used and stays away from technology comparisons. I apologize for some of the analogies, which may sound infantile. The reason for them is two-fold: they may help to explain a concept to a non-technical reader, and I have also found that simple analogies sometimes expose holes in our thinking.
Why use security systems

It is quite obvious that any security system has a cost, not only in terms of cash but also, more significantly, in terms of workload and inconvenience, and sometimes loss of privacy. Putting a padlock on the gate means that we have to unlock it to get in. Some modern technologies can minimise the effort (for instance a fingerprint reader instead of the padlock), but the general principle does not go away. In general there are two reasons why we don’t want someone to steal things from us:
- We would miss it if it is gone
- We don’t want someone else to have it
3.0 Different problems
3.1 Safety

In the IT world we have the comfort of being able to copy our valuables, with the copy having exactly the same value as the original. This makes the logic simple: a well-organised backup and archiving solution can guarantee that we never lose anything we would miss.
3.2 Privacy

Here the problem is much more serious. We all keep a lot of data we would never want others to see. We may even keep other people’s data, and it is our responsibility to protect it. The solutions are complicated, because data are only of any value if they are accessible, under some conditions, to some persons, for some reason, at some times and so on. Fast and convenient authorized access to the data has a heavy bearing on efficiency; hence the widely publicised security breaches: authorized users copying data onto unprotected media or laptops, or writing passwords on the wall, all of it done to let us work faster.
3.3 Nuisance

The nuisance cost in IT is enormous. Any security breach carries potential damage, and there is simply no way to avoid the work needed to establish what we lost. Part of this, in a well-organised system, may be easy, like an inventory in a well-run office: we just check that all the paper clips are where they should be and we are done. We replace the missing ones from our backup, no problem.

It gets tougher from here on. We need to check that no paper clip has an extra bend in it. We need to check that there is no extra paper clip that wasn’t there before, and if we find one we need to check what it could do to us; we may have to check whether it has done something already. Now we come to the really difficult bit. One of the paper clips has a special shape developed over the years: it can open the door of our other office. The paper clip is still here, but did they see it? Did they make a copy? How are we to know? What happens if they did? There is also another paper clip here, our revolutionary new super paper clip that we were just about to patent. Is it possible that the intruder took a picture? The real nuisance is that probably none of this happened, but probably is not good enough; we still need to do the work before it is too late.

I will not talk about the NUISANCE element any more here. It is present and, while there are many technologies and systems to minimise the work required, the real aim of a good security system is to never let us get to that point.
4 Data Safety

The solution here is a good backup and archival system. Systems like this exist and the differences between them are mainly technological. A good system is easy to define: if we know that we can recover our data, the system works. Beyond that, the differences between systems come down to cost, required man-power and training, reliability, speed and convenience.
5 Data Privacy – the heart of the problem

This is where the problem, and the solution, lie. A system that allows the right person to access the right data at the right time and in the right manner, and prevents all other access, will simply get rid of all the other issues. The system needs to be tough and reliable and should allow plenty of control and manageability, but at the same time it must be easy and fast to use. IT security systems rely on the user’s cooperation (do not write your PIN on your bank card); if they are too difficult to use, they fail (if your PIN were 48 digits long, you would probably write it down somewhere). In the rest of this paper I will concentrate on the requirements of a data privacy solution.
6 Authentication

In fact, when we get to the bottom of it, the problem reduces one way or another to authentication. Once we have decided who should have access to the data, the problem is how we tell who is who. Of course, there are still some technical and administrative issues, but they really are easily resolved (such as how we actually stop unauthorized access, and how we control authorized access, for instance with a proper revocation system).
6.1 Multi-Factor Authentication

It is quite well accepted by now that authentication based on a single ‘factor’ (like a PIN or password) is weak and that no proper security system should rely on it alone. It is customary to classify authentication factors into three categories:
- Something that you know (like a password)
- Something that you have (like a smart card)
- Something that you are (like a fingerprint)
6.2 Beyond Multi-Factor Authentication
6.2.1 Time dependent access

A time lock on a safe adds considerably to its security. There is no reason why the same technique should not be used for authentication. If we can restrict the time of day when authentication works, we improve security. What is even more interesting, we can decide WHEN the authentication should start working and when it should stop working. It is like a bank card operator who enables your PIN after you have confirmed in person that you received both the card and the PIN; the same operator may disable your PIN after you report the card stolen. None of this is applicable to something like a password-protected CD, though.
6.2.2 Something Somebody Else knows/has/is

Multi-factor authentication gets much stronger if it involves more than one person. There are widely used examples of this: two signatures required on some cheques, or safes with dual locks where two keys held by two people are required. Having your authentication confirmed by a third party is quite a popular way of making an authentication system more secure.
6.2.3 Penalty systems

We have to accept that in a multi-factor system some of the factors are weak on their own, like a PIN or a password. This exposes the system to a brute force attack: there are only a few thousand possible four-digit PINs and one of them MUST be right, and I would be really surprised if half of the existing PINs were not between 1931 and 1981 or something like that, just 50 combinations. (In fact the ability of users to change their PIN is a convenience, not a security measure.)

One well accepted way of defending against a brute force attack is a penalty system, the ‘three strikes and you’re out’ sort of thing. This is a simple and effective security measure: you enter three wrong PINs and you have to talk to your bank in person. The problem is that this only works if you are interacting with a secure and intelligent system, like an ATM. A penalty system cannot be used for a password-protected CD; we simply don’t have any control over where it will be read.

While on the subject, many systems apply a slightly gentler but still quite effective ‘penalty’: they simply take a very long time to say NO (while they say YES immediately). This means that the correct authentication is fast, but an automatic system that tries all possible combinations will take ages to run, as every failure takes forever. Of course, this system is also no good for something like a password-protected CD.
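The controls described in 6.2.1 and 6.2.3 (an activation date and a revocation date, a permitted time of day, a three-strikes lockout and a slow NO) can be put into one small PIN verifier and then measured against a simulated guessing run. The following Python is an added example written for this document, not code from the original paper; the PIN "1975", the dates, the 06:00 to 22:00 window, the two-second refusal cost and the list of "likely years" are all constructed, and the PBKDF2 iteration count is kept low only so the demo runs quickly.

```python
"""Added example (not from the original paper): a PIN check carrying the
controls of sections 6.2.1 and 6.2.3, plus a simulated guessing run against it.
All PINs, dates and hours are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, Optional, Tuple
import hashlib
import hmac
import secrets

FAIL_DELAY = 2.0   # seconds a refusal is made to cost the caller; a YES costs nothing


@dataclass
class Account:
    pin_hash: bytes
    salt: bytes
    enabled_from: datetime                       # set once the user confirms receipt in person
    enabled_until: Optional[datetime] = None     # set when the card is reported stolen
    hours: Tuple[time, time] = (time(6, 0), time(22, 0))   # permitted time of day
    max_failures: Optional[int] = 3              # None switches the penalty system off
    failures: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    # 1_000 iterations is far too few for production; lowered so the demo runs in seconds
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 1_000)


def new_account(pin: str, enabled_from: datetime, max_failures: Optional[int] = 3) -> Account:
    salt = secrets.token_bytes(16)
    return Account(hash_pin(pin, salt), salt, enabled_from, max_failures=max_failures)


def authenticate(acct: Account, pin: str, now: datetime) -> Tuple[bool, str, float]:
    """Return (accepted, reason, seconds this answer costs the caller)."""
    if acct.locked:
        return False, "locked", FAIL_DELAY
    if now < acct.enabled_from:
        return False, "not yet enabled", FAIL_DELAY
    if acct.enabled_until is not None and now >= acct.enabled_until:
        return False, "revoked", FAIL_DELAY
    lo, hi = acct.hours
    if not lo <= now.time() <= hi:
        return False, "outside permitted hours", FAIL_DELAY
    if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failures = 0
        return True, "ok", 0.0                   # the YES is immediate
    acct.failures += 1
    if acct.max_failures is not None and acct.failures >= acct.max_failures:
        acct.locked = True                       # three strikes: talk to the bank in person
        return False, "locked", FAIL_DELAY
    return False, "wrong pin", FAIL_DELAY


def all_pins() -> Iterable[str]:
    return (f"{i:04d}" for i in range(10_000))


def brute_force(acct: Account, now: datetime,
                candidates: Optional[Iterable[str]] = None) -> Tuple[bool, int, float]:
    """Try candidates in order; return (found, attempts made, seconds of delay incurred)."""
    attempts, cost = 0, 0.0
    for candidate in (candidates if candidates is not None else all_pins()):
        attempts += 1
        ok, reason, delay = authenticate(acct, candidate, now)
        cost += delay
        if ok:
            return True, attempts, cost
        if reason == "locked":
            return False, attempts, cost
    return False, attempts, cost


def demo() -> dict:
    """Run the scenarios with constructed dates and return every outcome."""
    now = datetime(2024, 1, 10, 9, 0)
    activated = datetime(2024, 1, 1)
    likely_years = [str(y) for y in range(1931, 1982)]   # the paper's guess at popular PINs

    def fresh(limit: Optional[int]) -> Account:
        return new_account("1975", activated, max_failures=limit)

    return {
        "lockout_full_scan": brute_force(fresh(3), now),
        "no_lockout_full_scan": brute_force(fresh(None), now),
        "no_lockout_likely_years": brute_force(fresh(None), now, likely_years),
        "lockout_likely_years": brute_force(fresh(3), now, likely_years),
        "at_night": authenticate(fresh(3), "1975", datetime(2024, 1, 10, 23, 0))[1],
        "before_activation": authenticate(fresh(3), "1975", datetime(2023, 12, 31))[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Without the lockout, a full scan reaches the constructed PIN on attempt 1976 at a delay cost of 3950 seconds, and a scan that starts with the years 1931 to 1981 reaches it on attempt 45; with the lockout on, both stop after three attempts. The slow NO is modelled as an accounted cost rather than an actual sleep so the demo finishes quickly; the hours and activation checks refuse before the PIN is even compared, which is the point of section 6.2.1.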
7 Authenticated – Now what?
7.1 Authorization

While authentication is the core of the security system, the work does not end there. Once we have decided that we know who we are dealing with, we have to determine what we should allow them to do. Authorization is the system that allows us to take these decisions. There are plenty of implementations, and there are plenty of terrible examples of what happens when it is missing: a person authenticates themselves to the system and then copies the whole database to a CD, which subsequently gets lost.
7.2 Access to data

Once the authentication and authorization steps are done, the user can access the data. There are two elements to it:
- ‘Physical’ access – the ability to read the bits
- ‘Logical’ access – the ability to ‘interpret’ it
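Sections 7.1 and 7.2 can be shown together in one small model: an authorization layer that decides per action what an already authenticated user may do (including the "whole database to a CD" case, which gets both a separate right and a size cap), and a store that keeps records sealed so that having the bytes is not the same as being able to interpret them. The Python below is an added example written for this document, not the paper's own code; the roles, the records, the key and the export cap of 100 are constructed, and the HMAC-based keystream is a stand-in for a real authenticated cipher.

```python
"""Added example (not from the original paper): authorization after
authentication, and the gap between 'physical' access (the bytes) and
'logical' access (their meaning). Roles, records and key are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Constructed role table: what each authenticated role may do.
PERMISSIONS: Dict[str, set] = {
    "clerk": {"read_record"},              # one record at a time
    "analyst": {"read_record", "export"},  # may also pull a limited batch
}
EXPORT_CAP = 100  # a bulk read above this size needs a different process entirely


@dataclass(frozen=True)
class User:
    name: str
    role: str   # assigned by the authentication step, never chosen by the user


def authorize(user: User, action: str) -> None:
    """Raise PermissionError unless the user's role grants the action."""
    if action not in PERMISSIONS.get(user.role, set()):
        raise PermissionError(f"{user.name} ({user.role}) may not {action}")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a keyed pseudo-random byte stream (demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_with_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """The same operation seals and opens; a wrong key yields unrelated bytes."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class DataStore:
    """Records are held sealed; only read() and export() hand out plaintext."""

    def __init__(self, key: bytes):
        self._key = key
        self._blobs: Dict[str, bytes] = {}

    @staticmethod
    def _nonce(rec_id: str) -> bytes:
        # One nonce per record id: a keystream must never be reused under one key.
        return hashlib.sha256(rec_id.encode()).digest()[:16]

    def put(self, rec_id: str, text: str) -> None:
        self._blobs[rec_id] = xor_with_stream(self._key, self._nonce(rec_id), text.encode())

    def raw_bytes(self, rec_id: str) -> bytes:
        """'Physical' access: the stored bits, with no authorization applied."""
        return self._blobs[rec_id]

    def read(self, user: User, rec_id: str) -> str:
        """'Logical' access: authorization check, then interpretation with the key."""
        authorize(user, "read_record")
        return xor_with_stream(self._key, self._nonce(rec_id), self._blobs[rec_id]).decode()

    def export(self, user: User, rec_ids: List[str]) -> List[str]:
        """The 'whole database to a CD' case: needs the export right and a size cap."""
        authorize(user, "export")
        if len(rec_ids) > EXPORT_CAP:
            raise PermissionError(f"export of {len(rec_ids)} records exceeds cap {EXPORT_CAP}")
        return [self.read(user, r) for r in rec_ids]


def denied(action, *args) -> bool:
    """True if the call is refused by the authorization layer."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    store = DataStore(b"constructed demo key - not a real secret")
    store.put("r1", "Alice Example, born 1975")
    clerk, analyst = User("bob", "clerk"), User("carol", "analyst")
    print("clerk reads one record:", store.read(clerk, "r1"))
    print("clerk export denied:", denied(store.export, clerk, ["r1"]))
    print("analyst export of 101 denied:", denied(store.export, analyst, ["r1"] * 101))
    print("raw bytes on disk:", store.raw_bytes("r1").hex())
```

The clerk can read a record but not export, the analyst can export only up to the cap, and whoever copies the raw blob has the bits without the meaning: opening it with any key other than the store's produces unrelated bytes. The role is fixed at authentication time and the store never lets the caller choose it, which is what keeps the authorization decision out of the user's hands.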