The advent of enterprise-wide controls and enormous potential economies of scale have produced an IT environment in which fewer systems and people control larger and higher-value information assets.
As a result, the risk associated with failures in these aggregated systems and individuals has risen dramatically.
Risk mitigation should be standard practice in any enterprise. Simply accepting ever higher aggregations of risk is imprudent without evaluating the options. Strategies must address availability, integrity, confidentiality and use-control, but along with the benefits there are associated trade-offs.
When redundancy is applied to a system through duplication for error recovery or modification detection, it can improve availability and integrity, but also tends to reduce confidentiality and use-control.
Just as back-ups are redundant copies of original content used to mitigate risks of data loss, so redundant datacentres, firewalls, and so on, can be used to mitigate against loss of service. Redundancy in the form of cryptographic checksums, database integrity techniques and the like can reduce the likelihood of undetected alterations to content, but it does little to ensure proper functioning unless applied throughout the system.
Separation of duties
Separation of duties typically improves use-control and integrity by requiring additional review, but it can also reduce confidentiality and availability because it provides more information to more people with extra delays for changes.
For example, a workflow system might require a supervisor to review each user access request. The reduced availability comes from the potential for attacks against the mechanism, while the reduced confidentiality comes from involving yet another system in the decision process. In most cases, the information is meta-information, so content confidentiality is not an issue, but it may still be a risk aggregation point for control-related content.
If the review mechanism is itself automated, the access provisioning system improves control. But because it can be attacked, and because it concentrates the decision process for that control in one place, it becomes a risk aggregation point. As a result, systems that implement separation of duties must themselves be protected to ensure the integrity of their own operation. If provisioning times are important, extra safeguards must also address the availability risk that the control mechanism introduces.
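To make the two points above concrete, here is an added example (not from the original article) of a small automated supervisor-review workflow: it enforces separation of duties by refusing to let a requester approve their own request, and it protects the integrity of its own operation by writing every decision to an HMAC-chained log, so that tampering with the mechanism's records is detectable. The key, names and request values are constructed for the demonstration.

```python
import hashlib
import hmac
import json
# Key known only to the control mechanism (constructed demo value, not for production use).
RECORD_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _mac(record: dict) -> str:
    payload = json.dumps(record, sort_keys=True).encode()  # canonical encoding
    return hmac.new(RECORD_KEY, payload, hashlib.sha256).hexdigest()

class ProvisioningWorkflow:
    """Supervisor-review workflow with separation of duties; decisions go into an
    HMAC-chained log so edits to the mechanism's own records are detectable."""

    def __init__(self, supervisors):
        self.supervisors = set(supervisors)
        self.requests = {}  # request_id -> request dict
        self.log = []       # [(record, mac)]; each record names the previous mac
        self._prev = GENESIS

    def _append(self, **event):
        record = dict(event, prev=self._prev)
        mac = _mac(record)
        self.log.append((record, mac))
        self._prev = mac

    def submit(self, request_id, requester, resource):
        self.requests[request_id] = {"requester": requester, "resource": resource,
                                     "state": "pending", "approver": None}
        self._append(action="submit", request_id=request_id, actor=requester)

    def approve(self, request_id, approver):
        req = self.requests[request_id]
        if req["state"] != "pending":
            raise ValueError("request already decided")
        if approver not in self.supervisors:
            raise PermissionError("approver is not a supervisor")
        if approver == req["requester"]:  # separation of duties
            raise PermissionError("requester may not approve own request")
        req["state"], req["approver"] = "approved", approver
        self._append(action="approve", request_id=request_id, actor=approver)

    def verify_log(self) -> bool:
        """Recompute the chain; an edited, removed or reordered record breaks it."""
        prev = GENESIS
        for record, mac in self.log:
            if record.get("prev") != prev or not hmac.compare_digest(_mac(record), mac):
                return False
            prev = mac
        return True
```

Because the log key lives with the mechanism, this detects alteration of the records but does not by itself make the mechanism available under attack; that is the separate availability risk the text describes.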
Clear lines of responsibility
A major reason for failures in protection against complex challenges, such as data aggregation, is that the responsibilities associated with protection are inadequately spelled out and carried out. As risk aggregates, so responsibility for controlling it needs to be escalated to an appropriate organisational level. Because this is at odds with many business models relating to control of components based on ownership or business unit, the responsibilities for services provided by one business unit to another must be clearly laid out.
The same internal corporate issues about lines of responsibility also occur between enterprises. For that reason, properties associated with external dependencies must be assured to a level appropriate to the risks involved with their use. A service level agreement typically requires a level of service, but the consequences for providers failing to meet it are rarely aligned with the consequences of that failure.
If a supplier is unwilling to provide adequate risk transfer, an enterprise has to explicitly accept the risk itself, transfer it, avoid it by finding an alternative solution, or mitigate it in some other way.
Accountability is an excellent risk mitigation mechanism. But if the process of accountability becomes real-time and response is automated, the control mechanism's ability to automate response implies a potential for exploitation and it becomes a risk aggregation point. If accountability has adequate rewards and punishments associated with it, it can be effective in improving integrity and use-control, but it is less effective from a confidentiality standpoint, because technology generally cannot link a leak back to its source. The digital rights management technologies that use watermarking to associate each release with the party granted access to the content are an example of a success here.
Risk reassessment should be carried out more often as the magnitude of the risk increases, and those with the most serious consequences should be reviewed most often. Systems above some thresholds should be reassessed with a specific frequency associated with the risks.
In systems that have significant aggregated risks, additional alarms can help detect attempts to tamper with them. Such alarms are most useful against high-loss attacks that take substantial time to carry out, because detection leaves time to respond before the loss is complete.
Better personnel processes
When personnel must be trusted, a strong set of procedural controls needs to be in place to ensure that trust is merited. Past behaviour is a reasonable predictor of future behaviour, but there are also identifiable fault lines in people's lives and common indicators of situations in which reliability wanes. Improved personnel processes and staff rotation are useful methods of risk reduction.
Longstanding, well-paid employees with a vested interest in business success are the best candidates for positions where a high degree of trust is required, but other metrics should be sought to provide additional assurance.
Overall, where control over high-risk platforms can be identified, there is a wide range of protective measures. The goal is to harden systems so that they are worthy of the increased trust associated with the aggregated risks they are being asked to shoulder as a result of consolidation.
Fred Cohen is principal analyst at Burton Group
This was first published in May 2006