The advent of enterprise-wide controls and enormous
potential economies of scale have produced an IT environment in
which fewer systems and people control larger and higher-value
information assets.
As a result, the risk associated with failures in these
aggregated systems and individuals has risen dramatically.
Risk mitigation should be standard practice in any enterprise.
Simply accepting ever higher aggregations of risk without evaluating
the options is imprudent. Strategies must address availability,
integrity, confidentiality and use-control, and each of the measures
below improves some of these properties at a cost to others.
Redundancy
When redundancy is applied to a system through duplication, whether
for error recovery or for modification detection, it can improve
availability and integrity, but it also tends to reduce
confidentiality and use-control, because every additional copy is
another place where the content can be read or misused.
Just as back-ups are redundant copies of original content used
to mitigate the risk of data loss, redundant datacentres,
firewalls and so on can be used to mitigate loss of service.
Redundancy in the form of cryptographic checksums, database
integrity techniques and the like can reduce the likelihood of
undetected alterations to content, but a checksum only protects the
data it covers and only if the check itself cannot be bypassed or
recomputed by the attacker. It does little to ensure proper
functioning unless it is applied throughout the system.
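The following is an added example, not code from the original article. It shows the difference between an unkeyed checksum and a keyed message authentication code when an attacker can write to the same store that holds the data and its tag, and it shows the "applied throughout" caveat: a keyed scheme is defeated just as easily if the key is kept beside the data. The record, the key and the tampering scenario are constructed for the example.

```python
"""Added example (not from the original article): detecting record
modification with an unkeyed checksum versus a keyed MAC.

Assumptions (hypothetical): records are dicts serialised as canonical
JSON; the verifier holds a secret key that the attacker does not have
unless it was carelessly stored next to the data.
"""
import hashlib
import hmac
import json

# Constructed secret for the demo; in practice it comes from a KMS/HSM
# and is never written to the store that holds the records.
VERIFIER_KEY = b"constructed-demo-key-do-not-use"


def canonical(record):
    """Serialise deterministically so equal records give equal digests."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_tag(record):
    """Plain SHA-256 over the record: catches accidental corruption only,
    because anyone who can change the record can recompute this."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_tag(record, key=VERIFIER_KEY):
    """HMAC-SHA-256 over the record: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record, tag, keyed):
    """Recompute the tag and compare in constant time."""
    expected = keyed_tag(record) if keyed else unkeyed_tag(record)
    return hmac.compare_digest(expected, tag)


def attacker_alters(record, leaked_key=None):
    """An attacker with write access to the store changes the record and
    rewrites the tag stored beside it with the best forgery available."""
    tampered = dict(record, amount=record["amount"] * 100)
    if leaked_key is not None:
        # Key was stored with the data: the attacker can forge a valid HMAC.
        return tampered, keyed_tag(tampered, leaked_key)
    # No key: the attacker can only produce a plain hash of the new content.
    return tampered, unkeyed_tag(tampered)


def detected(scheme):
    """Run one tampering scenario; return True if the verifier notices."""
    record = {"id": 42, "payee": "ACME", "amount": 100}  # constructed
    if scheme == "unkeyed":
        tampered, forged = attacker_alters(record)
        return not verify(tampered, forged, keyed=False)
    if scheme == "keyed":
        tampered, forged = attacker_alters(record)
        return not verify(tampered, forged, keyed=True)
    if scheme == "keyed-key-in-store":
        tampered, forged = attacker_alters(record, leaked_key=VERIFIER_KEY)
        return not verify(tampered, forged, keyed=True)
    raise ValueError(scheme)


def honest_record_verifies():
    """Sanity check: an unmodified record passes under both schemes."""
    record = {"id": 42, "payee": "ACME", "amount": 100}
    return (verify(record, unkeyed_tag(record), keyed=False)
            and verify(record, keyed_tag(record), keyed=True))


if __name__ == "__main__":
    for scheme in ("unkeyed", "keyed", "keyed-key-in-store"):
        print(f"{scheme:20s} alteration detected: {detected(scheme)}")
```

Only the keyed scheme with the key held outside the data store detects the change; the other two configurations are redundancy that adds storage without adding integrity.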
Separation of duties
Separation of duties typically improves use-control and
integrity by requiring additional review, but it can also reduce
confidentiality and availability because it exposes more
information to more people and adds delay to every change.
For example, a workflow system might require a supervisor to
review each user access request. The reduced availability comes
from the potential for attacks against the review mechanism, while
the reduced confidentiality comes from involving yet another system
in the decision process. In most cases, what that system sees is
meta-information, so confidentiality of the content itself is not
an issue, but the system may still be a risk aggregation point for
control-related content.
If the review mechanism is itself automated, the access
provisioning system improves control. But because it can be
attacked, it becomes a risk aggregation point: every access
decision now passes through it, so compromising it compromises them
all. As a result, systems that implement separation of duties must
themselves be protected to ensure the integrity of their own
operation. If provisioning times are important, extra safeguards
must also be put in place to reduce the availability risk that the
control mechanism introduces.
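The following is an added example, not code from the original article or from any product. It is a minimal automated provisioning system of the kind described above: an access request must be decided by a principal holding the supervisor role who is not the requester, each request is decided exactly once, and pending requests older than a deadline can be listed so that the availability cost of the control is visible. The principals, roles and resource names are constructed for the example.

```python
"""Added example (not from the original article): an access-request
workflow enforcing separation of duties.

Assumptions (hypothetical): principals carry a set of role names,
"supervisor" is the reviewing role, callers are already authenticated,
and timestamps are plain seconds supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class SoDError(Exception):
    """Raised when a request would violate the control policy."""


@dataclass
class Principal:
    name: str
    roles: Set[str]


@dataclass
class AccessRequest:
    request_id: int
    requester: str
    resource: str
    submitted_at: float
    status: str = "pending"            # pending | approved | denied
    reviewer: Optional[str] = None
    audit: List[str] = field(default_factory=list)


class ProvisioningSystem:
    """The automated decision point. Every grant passes through here, so
    this object is itself a risk aggregation point: its directory and
    request store must be tamper-protected (not shown here)."""

    def __init__(self, directory: Dict[str, Principal]):
        self.directory = directory
        self.requests: Dict[int, AccessRequest] = {}
        self._next_id = 1

    def submit(self, requester: str, resource: str, now: float) -> AccessRequest:
        if requester not in self.directory:
            raise SoDError(f"unknown principal {requester!r}")
        req = AccessRequest(self._next_id, requester, resource, now)
        self._next_id += 1
        req.audit.append(f"submitted by {requester} at {now}")
        self.requests[req.request_id] = req
        return req

    def review(self, request_id: int, reviewer: str, approve: bool,
               now: float) -> AccessRequest:
        req = self.requests[request_id]
        who = self.directory.get(reviewer)
        if who is None or "supervisor" not in who.roles:
            raise SoDError(f"{reviewer!r} is not an authorised reviewer")
        if reviewer == req.requester:
            # Separation of duties: the person asking for access may not grant it.
            raise SoDError("self-approval forbidden")
        if req.status != "pending":
            # A decision is made once; replaying an approval is rejected.
            raise SoDError(f"request {request_id} already {req.status}")
        req.status = "approved" if approve else "denied"
        req.reviewer = reviewer
        req.audit.append(f"{req.status} by {reviewer} at {now}")
        return req

    def is_granted(self, requester: str, resource: str) -> bool:
        """Deny by default: only an explicit approval grants access."""
        return any(r.status == "approved" and r.requester == requester
                   and r.resource == resource for r in self.requests.values())

    def overdue(self, now: float, max_age: float) -> List[int]:
        """Pending requests older than max_age: the availability cost of
        the control, which is what an attacker on the reviewer path inflates."""
        return [r.request_id for r in self.requests.values()
                if r.status == "pending" and now - r.submitted_at > max_age]


if __name__ == "__main__":
    directory = {"alice": Principal("alice", {"user"}),
                 "bob": Principal("bob", {"user", "supervisor"})}
    ps = ProvisioningSystem(directory)
    req = ps.submit("alice", "payroll-db", now=0)
    ps.review(req.request_id, "bob", approve=True, now=30)
    print(req.audit, ps.is_granted("alice", "payroll-db"))
```

The policy checks run in order of cheapest refusal first, and a request that fails any of them leaves no approval behind, so a partial failure of the mechanism degrades to "no access" rather than "unreviewed access".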
Clear lines of responsibility
A major reason for failures in protection against complex
challenges, such as data aggregation, is that the responsibilities
associated with protection are inadequately spelled out and carried
out. As risk aggregates, so responsibility for controlling it needs
to be escalated to an appropriate organisational level. Because
this is at odds with many business models relating to control of
components based on ownership or business unit, the
responsibilities for services provided by one business unit to
another must be clearly laid out.
The same internal corporate issues about lines of responsibility
also occur between enterprises. For that reason, properties
associated with external dependencies must be assured to a level
appropriate to the risks involved with their use. A service level
agreement typically requires a level of service, but the
consequences for providers failing to meet it are rarely aligned
with the consequences of that failure.
If a supplier is unwilling to provide adequate risk transfer, an
enterprise has to explicitly accept the risk itself, transfer it,
avoid it by finding an alternative solution, or mitigate it in some
other way.
Greater accountability
This is an excellent risk mitigation mechanism. But if the
process of accountability becomes real-time and response is
automated, the control mechanism's ability to act on its own
implies a potential for exploitation, and it becomes a risk
aggregation point. If accountability has adequate rewards and
punishments associated with it, it can be effective in improving
integrity and use-control. It is less effective from a
confidentiality standpoint, because technology generally cannot
trace a leak back to its source. Digital rights management
technologies that use watermarking to tie each released copy to the
party granted access to it are the notable exception.
Reassessment
Risk reassessment should be carried out more often as the
magnitude of the risk increases, and those with the most serious
consequences should be reviewed most often. Systems above some
thresholds should be reassessed with a specific frequency
associated with the risks.
Intrusion detection
In systems that have significant aggregated risks, additional
alarms can help detect attempts to tamper with them. Because the
largest losses usually take an attacker substantial time to
produce, such alarms allow a response before the loss is complete.
Better personnel processes
When personnel must be trusted, a strong set of procedural
controls needs to be in place to ensure that the trust is merited.
Past behaviour is a reasonable predictor of future behaviour, but
there are also identifiable fault lines in people's lives and
common indicators of situations in which reliability wanes.
Improved personnel processes and staff rotation are useful methods
of risk reduction.
Longstanding, well-paid employees with a vested interest in
business success are the best candidates for positions where a high
degree of trust is required, but other metrics should be sought to
provide additional assurance.
Overall, where control over high-risk platforms can be
identified, there is a wide range of protective measures. The goal
is to harden systems so that they are worthy of the increased trust
associated with the aggregated risks they are being asked to
shoulder as a result of consolidation.
Fred Cohen is principal analyst at Burton Group