1. Field of the Invention
The present invention relates to techniques for designing a secure solution within an information technology system. More particularly, the present invention includes an improved system and method for designing security into the solution as it is being created rather than adding it on to a completed design. The present invention includes use of a set of baseline security requirements to assist in designing a secure solution.
2. Background Art
The description of the present invention which follows is based on a presupposition that the reader has a basic knowledge of information technology (sometimes referred to as data processing) systems and the processes of designing and developing solutions within an information technology function. Some of these processes are described in the SI Patent, the Management Process Patent and the WWPMM Patent referenced above.
Such a solution design process inherently involves consideration of security. Any application is subject to undesirable alteration as a result of a number of factors: deliberate hacking, or attempts by those with hostile motives to change the solution or to make it inaccessible or ineffective for its intended purpose; attempts by well-meaning but unauthorized people to improve on the operation of the programs; and accidental access by those who have no intention of making changes but nevertheless may be able to make changes in the program.
Designing applications or solutions for security is difficult in part because there is a lack of baseline security requirements. Where there is no agreement on the security requirements for a system, it becomes difficult to develop information technology solutions which effectively and consistently apply security principles.
There is also a lack of industry-accepted security design methods. This again contributes to solutions which do not effectively and consistently apply security requirements.
Applications have become quite complex, sometimes using a plurality of different component architectures and using diverse systems for integrating such applications together. These complexities make security more difficult.
The authors of Trust in Cyberspace explain the security challenge faced by today's designers of applications in terms of deriving a trusted networked information system (NIS) from the integration of untrustworthy components.
A second aspect of security design problems is apparent from newspapers, periodicals and texts. Those who seek to corrupt or to interfere with the correct and reliable operation of networked information systems have a structured approach to achieving their objective whereas the architects who seek to design trustworthy solutions rely largely on individualized approaches.
The effectiveness of security measures in computing solutions can be handicapped by component limitations, by miscommunicated or misinterpreted requirements or by narrowly focused application of security technology.
Eberhardt Rechtin in Systems Architecting has described the complexity of balancing tradeoffs between access, privacy and security in information technology solutions. That is, a system should prevent unauthorized access to information while allowing easy access for authorized users, and information should be kept private from unauthorized parties while remaining readily available for authorized purposes. Rechtin suggests an approach for developing an architecture, differentiating between the system (what is built), the model (a description of the system to be built), the system architecture (the structure of the system), the overall architecture (an inclusive set comprising the system architecture, its function, the environment in which it will exist, and the process used to build and operate it). Rechtin further outlines steps for creating a system model: aggregating closely related functions; partitioning, or reducing the model into its parts; and fitting, or integrating components and subsystems together into a functioning system.
It should be realized that, in today's environment of networked information systems, security functions are, at best, only partially centralized. As components of an information system or solution are distributed, then security also must be distributed.
Effective security design is sometimes impeded by the fact that in many solutions security mechanisms are embedded in technologies and distributed among different functions and components within operating systems, network components, application programs, database and transaction subsystems and other components. Thus, security may be an element of all these components, but it is the responsibility of none of them.
While the formalization of security evaluation criteria into an international standard known as the Common Criteria has reduced one of the barriers to a common approach to developing extensible information technology security architectures, the Common Criteria do not provide techniques for arriving at comprehensive security designs in a consistent manner. The Common Criteria have been documented in a series of documents which provide detailed security evaluation criteria; they have been submitted to the International Organization for Standardization and have been given the designation ISO/IEC 15408. The Common Criteria provide a framework for the specification of secure products in terms of standard protection profiles and an independently selected evaluation assurance level (EAL), chosen from a defined set of seven increasing levels of assurance. The Common Criteria introduce a set of terminology including Target of Evaluation or TOE, the product or system under evaluation (here, the component under design); TOE Security Policy or TSP, the set of rules regulating how assets are managed, protected and distributed within the TOE; and TOE Security Functions or TSF, that portion of the TOE which is relied upon for the correct enforcement of the TSP.
The Common Criteria include 11 functional classes (e.g., Security Audit, Communication, Cryptographic Support, . . . ) grouped into 66 families, each family containing one or more components which state the individual functional requirements. Since the Common Criteria are a basis for understanding security functions, the Common Criteria and ISO/IEC 15408 are hereby specifically incorporated herein by reference.
While the Common Criteria provide a “best practice” for specifying security functions and are used by some designers of solutions and security related components, the allocation of Common Criteria functional requirements among the components of a solution is neither intuitive nor simple to implement. The classes and families in the Common Criteria represent an aggregation of requirements, but this aggregation reflects abstract security themes rather than security in the context of an information technology solution.
Past security solutions have been largely limited to addressing specific vulnerabilities via countermeasures within point solutions, such as applying network and systems management processes, hardening operating systems and publicly available servers, applying and monitoring intrusion detection systems, and configuring and operating digital certificate servers. In addition, firewalls have been installed and configured to prevent inappropriate access to systems. But each of these security solutions addresses only specific ways in which a system may be vulnerable and, while desirable, does not assess or solve the problem of system-wide security in a systematic manner.
There have been several attempts to organize a security design process without regard to subsystems or components. These include Sections 10.1-10.2 of ISO/IEC PDTR 15446, entitled “Information Security Techniques Guide for the Production of Protection Profiles and Security Targets”, which is found at http://csrc.nist.gov/cc/t4/wg3/27n2449.pdf, and a tool funded by the US government and made publicly available called CCTOOL, which may be found at http://naip.nist.gov/tools/cctool.html. These attempts generally fall short of the desired level of consistent security, independent of the components and subsystems.
The lack of a common set of criteria to test and evaluate security requirements (despite the existence of the Common Criteria) was also highlighted in a recent article in Computerworld magazine entitled “Common Ground Sought on IT Security Requirements”, which article has been posted on the Internet and is presently available at the following address: http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58497,00.html. This Computerworld article reports a meeting of government security experts and private sector IT vendors held recently. While the attendees agreed that a common set of criteria is needed to help test and evaluate the security of commercial IT products, there was no agreement on how to accomplish that objective, much less on an approach to testing a system which might integrate diverse products from different vendors. This meeting was called the first Government-Industry Security Forum and was sponsored by the National Information Assurance Partnership (NIAP).
Thus, the prior art systems for providing security in information technology solutions have undesirable disadvantages and limitations which impact the effectiveness of security assessments and limit the scope of the resulting recommendations for improvement.