How does a government agency make its IT networks as open and accessible as possible, and, at the same time, weld them shut to security threats?
That’s a conundrum Smart Systems for Health Agency (SSHA) confronted…and resolved.
SSHA is an Ontario government agency with a mandate to create a province-wide IT infrastructure for electronic communication among the province’s health service providers.
Building an IT network that combines exceptional security with exceptional availability was not just a “nice to have” feature for SSHA. It was fundamental to the success of the agency’s IT infrastructure project – a venture that benefits thousands of health care providers across the province who access products and services over the SSHA network.
Policies, services and technologies implemented by SSHA ensure that authorized users can easily access personally identifiable health information – and do so securely. There does not have to be a trade off between network security and network availability, according to Mike Monteith, Chief Architect, Director Architecture. As SSHA has demonstrated, that’s one area where you can have your cake and eat it too. (see box) But not all initiatives that attempt to optimize network access while maintaining acceptable security levels have the same happy outcomes.
Today, as threats to networks become increasingly ingenious and destructive, balancing protection and performance – and getting them both at the right price – is no easy task for public sector organizations.
Government security spending soars, but…
Indications are that government agencies at every level – federal, provincial and territorial – are taking IT security very seriously.
The massive increase in federal IT security spending is ample proof. New federal funding of IT security projects was announced in April as part of the government’s National Security Policy. The money will go to a wide range of initiatives, including:
• $85 million for securing critical government information systems;
• $99.78 million to the RCMP Real Time Identification Project – and improving the national fingerprint system;
• $10.31 million to implement a passport security strategy, including biometric technology on the Canadian passport, in line with international standards;
• $5 million to convene a high-level national task force with public and private representation to develop a cyber-security strategy.
It has been six months since the funding was announced, and it’s perhaps too early to speculate on any potential impact. But, judging by trends in the private sector, it’s clear that investing more money on more security technologies – by itself – will not do the trick.
“Organizations spending the most on security are not necessarily the most secure,” said John Pescatore, vice-president of Internet Security at Gartner. He noted that when the Blaster worm struck “several of the really badly hit businesses had made significant investments on security.” The fact that there is no obvious co-relation between security spending and threat levels also emerges in a survey by Forrester Research Inc. of Cambridge, Mass. Nearly half of the 50 top security personnel at large global companies interviewed felt their security budgeting was flawed; 40 per cent conceded they spend their security dollars on the wrong risks.
Forrester’s suggestion: focus resources on preventing high-probability, potentially damaging events, and let insurance take care of low-probability risks.
But there is little consensus – even among experts – about which technologies are most effective in pre-empting “high probability risks.”
Gartner, for instance, is advising clients not to expend limited IT resources on network intrusion detection systems (IDS), but to opt for application-level firewalls instead. “We now have firewalls that can block the very same attacks that IDS systems merely alarm on,” said Pescatore.
Some experts from the vendor community agree “Here’s the downside with IDS – it tells you when something is wrong, but can’t do anything about it,” said John Roese, chief technology officer of Enterasys Networks Inc. in Andover, Mass. “Such technologies provide the eyes and ears – but not the hands, arms, or legs. And without that capability they aren’t really high value.”
On the other hand, security service providers such as Ottawa-based Magma Communications Ltd. (now a Primus Canada company) say they have used IDS products effectively in high-profile government projects. “When the Government of Canada asked us to shield the official Web site of the 2002 G8 Summit from external intrusion and provide timely, reliable and secure access, we relied on the Cisco IDS-4210 Sensor to do the job,” said A.J. Byers, Magma’s chief operating officer. He said this network security appliance is “extremely intuitive” and allows you to “tighten security on the fly.” The easy integration of the Cisco IDS-4210 Sensor into disparate environments, and its support of multiple interface options – including copper and fiber – have made it one of the more popular IDS solutions out there.
Embedded security Analysts like Gartner predict that, over the next few years, many enterprises will adopt “containment technologies” as a key element of security strategy. “The network will shield itself against many vulnerabilities,” said Pescatore. “It will do this by shutting off certain segments to stem a viral attack, for instance.”
Pescatore said several excellent containment solutions are already on the market through vendors such as Cisco, Enterasys and Microsoft. This concept of the network actively participating in the security paradigm is something Enterasys has been actively advocating. “In the past,” said Roese, “network infrastructure was considered a neutral player with respect to security. Networks were about connectivity and security was the job of a bunch of purposeful devices like firewalls and IDS systems. Now we’re witnessing the emergence of a new model where the network itself is an active player in the security architecture.” According to the Enterasys CTO, two factors are accelerating the adoption of this model.
The first is the morphing of the user community – a challenge faced by private sector companies as well as government bodies. “People you don’t fully control – suppliers, partners, customers – are coming inside your infrastructure,” said Roese. “And you cannot do business today unless you allow them in.”
The second driver, he said, is the catastrophic nature of today’s security threats. “At an Interop conference event, where I was a speaker, someone in the audience wanted to know what keeps me up at night. My answer was: ‘When the network itself becomes an obvious vulnerability.’ Today hackers can and have caused far more harm to organizations by destroying connectivity itself than by simply knocking out one Web portal or shutting down one e-mail server.” Roese noted that there is “an inverse relation between the sophistication of today’s hacking tools and the IQ required to use them. So today, relatively unsophisticated people are able to generate relatively damaging attacks on network infrastructure.” Point solutions cannot adequately respond to such pervasive threats, Roese said. “When the network itself is a security element you are talking, potentially, about thousands, or hundreds of thousands of individual points or connections. It’s too complex to deploy a new security layer each time you change your connectivity.”
The solution, he said, is an embedded function, at the infrastructure level, for managing user identity and authentication. “That way, when you buy a switch or a router, security is an inherent function of the device itself rather than a bolt on or an overlay.” He pointed to the LAN authentication and authorization capabilities of the current breed of Enterasys networking products. “We’ve put a lot of silicon effort into adding a role-based authorization technology in our switches. And all our devices also come with 802.1x Web authentication capabilities.” Roese said Enterasys has also focused on adding “precision” to intelligence provided by security products (IDS systems, virus scanners, firewalls). “These products tell us something bad is happening. Now, with our technology, they can also identify offending systems and change their behaviour on the network.”
Joaquim P. Menezes ([email protected]) is assistant editor of CIO Government Review.
SIDE BAR: SMART SYSTEMS: SMART SECURITY
A security system’s reliability is best established when efforts are made to breach it. Smart Systems for Health Agency (SSHA) realized this – which is why it decided to simulate such attempts itself. Only by doing so could SSHA be absolutely certain that its security policies and systems were truly foolproof – and the Agency would be satisfied with nothing less.
So SSHA launched an “ethical hacking” project under the supervision of its security and privacy team. In this no-holds-barred initiative, the infrastructure was rigorously tested – end-to-end – for vulnerabilities.
“Full and unfettered access to everything was given to people with knowledge of how to break into systems,” said Mike Monteith, Chief Architect, Director Architecture, SSHA. “They did everything from traditional external penetration testing to vulnerability scanning, all the way to exploiting the application code for scripting issues.”
The process took months, but it enabled SSHA to close its network to security threats, while at the same time making it as open and accessible as possible to authorized users. SSHA’s two data centres are based at opposite ends of the Greater Toronto Area. A slew of security technologies protect the infrastructure at both centres. Cisco and Check Point’s Firewall solutions secure the perimeter, while Internet Security Systems’ Intrusion Detection systems monitor the network for known and unknown attacks. Tripwire software offers host-based intrusion detection and can pinpoint unauthorized change, while RSA technology is used for two-factor authentication. A vendor consortium led by systems integrator Qunara Inc. built the Public Key Infrastructure (PKI) component, harnessing technologies from Entrust and Oblix for PKI, identity-management and registration. Digital certificates are used to positively identify SSHA subscribers, while strong encryption tools ensure information privacy.
AAA grade security
These technologies are the mainstay of the authentication, authorization and accounting (AAA) services provided by SSHA to establish subscriber credentials (authentication), access privileges to resources (authorization), and mechanisms for logging and auditing subsequent user interactions (accounting). The AAA service harnesses multiple technologies representing a range of assurance levels – all the way from basic (user ID and password) to high (multi-factor authentication). Intrusion detection technologies check for anomalous network activities – such as denial of service attacks, vulnerability exploitation attempts, and traffic patterns that typify known intrusion techniques. Automated vulnerability scanning tools search for known vulnerable points within the infrastructure, and correlation tools match these with intrusion events in real time. The SSHA infrastructure uses intrusion detection sensors at various levels. For instance, each logical zone within the SSHA infrastructure has an associated virtual LAN (VLAN) monitored by a dedicated network sensor. Server sensors – deployed on critical infrastructure and application servers – screen incoming traffic on these devices. A server sensor runs on a single device, is tuned to that device’s specific function, and integrates with the server’s operating system. Application sensors are deployed on vital application system components – such as Web-based application servers and database servers. They specifically check for anomalous activity within an application, service or protocol. Security technologies enable the SSHA infrastructure to detect and prevent intrusions, along with denial of service attacks, and attempts to exploit platform vulnerabilities. According to Monteith, SSHA infrastructure has been designed not just to spot intrusions but also to prevent them (if possible), as well as automatically and appropriately respond to them. He cited the IDS Network Sensor (IDS-NET), built to detect a wide variety of penetration, denial of service and vulnerability exploitation attempts. When such activity is perceived, IDS-NET – that is integrated with Firewall and LAN infrastructures – can automatically thwart the attempted security breach by blocking the source IP address or disabling a LAN switch port. A similar multi-pronged approach to intrusion (prevention, detection, automated response) is adopted by Server (Platform) IDS. Platform hardening techniques – based on best practices from sources such as the U.S. National Security Agency – prevent or mitigate known vulnerabilities. Server IDS detects anomalous ingress traffic to the server, where it is logged and optionally alerted upon. Likewise, brute force login attempts trigger automatic account lockouts. The same comprehensive approach characterizes content and virus scanning (CVS). CVS tools scan for viruses, Trojans and malicious content in a variety of systems and repositories– including file systems, electronic mail, message stores, and Internet content. SSHA’s two production facilities that house this infrastructure are themselves extraordinarily well protected with controlled doors, electronic surveillance and on-site security personnel.