The National Commission on Restructuring the Internal Revenue Service
March 13, 1997
Joseph Mahaffee and Edward Rothenheber
Booz·Allen & Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102
Special thanks to:
Armando Gomez and Chuck Lacijan for providing Booz·Allen & Hamilton Inc. the opportunity to brief The National Commission on Restructuring the Internal Revenue Service
Melissa Hathaway for establishing contact with the information security staff at Booz·Allen & Hamilton Inc. and facilitating the opportunity for the authors to present their views on information security technology and trends
Deborah Banning, Rich Dean, Joanne Evans, Dale Hapeman, Stuart Moore, Mike Otten, and Tom Russell for their technical contributions
INFORMATION SECURITY TECHNOLOGY AND TRENDS
More than ever, the national security departments and agencies are being challenged to provide affordable, interoperable, and evolutionary network security solutions in a timely manner. Over the last few years, they have recognized the dramatic benefits offered by highly interconnected information systems, benefits illustrated by our nation's dependence on them in all facets of society. However, they also recognize that these systems have the effect of exposing our national information systems to the borderless threat of Information Warfare (IW). So while changes in the political climate have reduced some mission threats, new threats are emerging within the networked world.
Over the past year, it has become a weekly or even daily routine to hear about successful attempts by hackers to break into networks around the world with the intent of eavesdropping on, modifying, spoofing, or disrupting information systems and/or the information that they process and store. Of course, for any Department of Defense (DoD), Federal, or commercial security system, the ultimate objective is to prevent unauthorized disclosure or undetected modification of user information and system resources while ensuring the availability of the system to authorized users. Typically, the national security departments and agencies use the six security services shown below to achieve this objective:
* Confidentiality - Ensures the privacy of the information and prevents an unauthorized third party from reading the data.
* Integrity - Ensures that the system configuration, application software, and associated data have not been modified or destroyed.
* Authentication - Ensures that the person or system with whom you are exchanging information is in fact the person or system they claim to be.
* Non-repudiation - Provides positive confirmation that an action took place.
* Access control - Limits access to the system and its data to those who are authorized.
* Availability - Ensures the system or information is available when needed.
Any of these services may be implemented by physical, administrative, procedural, or electronic mechanisms. Often, a combination is employed. From a practical perspective, many of the security services can be implemented with cryptographic products. In fact, the same cryptographic product can be used to encrypt the data, authenticate the user, maintain data integrity with digital signatures, and support system availability. Trusted security products can also support many of the security services, except for confidentiality. However, trusted security products are more expensive and trusted technology is relatively immature. Given that cryptographic products are more readily available and less expensive than trusted products, they appear to offer a more reasonable set of solutions for the IRS and other Federal communities.
The assurance provided by any of the security services previously mentioned can be ascertained by determining the strength and correctness of the mechanism that provides the service. For physical, administrative, and procedural mechanisms, the assurance level is determined by reviewing the processes that are implemented. For electronic mechanisms, empirical or exhaustive techniques are generally used. In recent weeks, the news media reported that a high school student required only three hours to successfully "break" a cryptographic algorithm using a 40-bit code (key). For cryptographic devices, the assurance level or strength is largely dependent on the length of the codes (keys) used in the algorithm. In national security applications, where classified information is processed, or in Federal and commercial applications where privacy is a major concern, higher assurance levels are required, which necessitates the use of longer codes.
The successful application of security services and mechanisms requires security management support for the overall operational environment. Specifically, security management includes the distribution, collection, and analysis of management information (e.g., cryptographic keys, audit data, registration data) for the security services and mechanisms. One of the primary issues noted with the implementation of security management functions concerns the distribution of security management responsibilities across multiple security administrators. For example, one person may be responsible for monitoring the firewall and a second may be responsible for administering the web site. Case studies have shown that hackers often attempt to penetrate multiple points in a network. Unfortunately, news of a potential attack at one point is not always communicated to the other system administrators whose systems may also be under attack. This example highlights the need for the IRS and all defense, civil, and commercial organizations to implement a coordinated security management approach.
TRENDS AND TECHNOLOGIES
From the perspective of the national security departments and agencies, it is obvious that the "ground rules" have changed dramatically over the past decade with respect to defining and fielding security solutions. These changes are being driven by several major paradigm shifts in the public and private networking world, and within the DoD and Intelligence communities, as shown below:
· Rapid evolution of information technology and systems
· Explosive growth of the Internet
· Evolution from "stovepipe" to open, integrated, multimedia systems
· Increasing public and commercial awareness and concern over network and information security
· Increasing availability and compatibility of commercial network products and solutions
· Transformation from requirements driven to market driven solutions
· Evolution from risk avoidance (absolute security) to risk management (adequate or appropriate security)
· Migration from standalone "Black Boxes" to integrated system security solutions
· Transformation from product development to customer service orientation
· Migration from stand-alone systems connected by point-to-point links to networked systems
· New emphasis on security for "sensitive but unclassified (SBU)" applications, in addition to classified applications
· Unprecedented downsizing, staff turnover, and budget reduction
Two obvious challenges that the national security departments and agencies are facing as a result of these paradigm shifts are: 1) keeping pace with rapidly evolving technology and a rapidly emerging network security market in which future directions are sometimes unclear, and 2) continuing to improve system security processes and procedures that reflect more of a commercial orientation.
In general, the national security departments and agencies are responding to these changes by placing more emphasis on:
· Establishing new policies, procedures, and criteria that will adequately address the changing threat environment and yield consistent and reliable security solutions
· Developing security architectures and generic security solutions that may be tailored to meet specific applications
· Defining security standards and protocols that can be integrated into commercial standards and protocols
· Fielding currently available security products and tools that will help them "close the front doors" to their networks and optimize system performance
· Evaluating and using commercial off-the-shelf (COTS) products and systems
In the following paragraphs, we discuss the efforts being pursued and how they may be applied to IRS applications.
DEFINING POLICIES, PROCEDURES AND CRITERIA:
In the post-cold war environment, defense budgets have continued to decline. As such, the notion of perfect security is being replaced with that of affordable security and user-assumed risk. This change, more than any other, is driving security analysts to develop and apply improved security analysis procedures, tools, and methodologies that can effectively deal with the complexity of modern information systems and provide balanced, cost-effective security solutions.
One of the biggest challenges for the defense, civil, and commercial communities is to develop and implement policies and business processes that are in many ways equivalent to or better than existing processes. In general, security technology is available or will be available in the very near future. The real challenge is to integrate those technologies in the context of the business processes. To do this most effectively, the IRS will have to examine its current policies and processes from an information perspective, define a set of security policies and requirements based on the information content, develop a security strategy that takes into account its existing system architecture and its desired system capabilities, and define a migration plan given the current and future availability of security technology. Achieving a common view on security as it relates to the IRS business processes will be paramount, particularly when considering taxpayer trust and acceptance.
Information engineering will be the key for successful integration of security services into any information system. In this process, it is most important for the "owners" of the information to establish the system requirements, including general requirements for security. The security analyst can then work with the system designers and administrators to define the appropriate security solutions, based on information content and business practices.
DEVELOPING SECURITY ARCHITECTURES:
A system security architecture is a means for describing the structure and organization of the security aspects of an information technology system or application. It provides a conceptual means to grasp how a large, complex system will be made secure without unduly constraining the actual implementation. By defining the security services and functions that must be provided and the relationship between these security services and functions, the system security architecture provides a foundation for designing and building systems within common structures, using consistent standards. This approach promotes interoperability, commonality of security solutions, and a thorough understanding of how system security is being provided. The DoD has successfully applied this approach in the development of their security architectures (e.g., Defense Message System and the Defense Information System Network).
As the IRS systems and networks continue to evolve, it will be important that a comprehensive information technology and security strategy be developed from which a system security architecture could be defined. Additionally, it will be increasingly important to model the system architecture in an effort to predict performance issues associated with integrating security services into the network and scaling the network size to meet user (i.e., the taxpayer) demands. Developing and modeling the security architecture will allow the IRS to focus on the information content and consistently implement security solutions throughout the networks and systems. The IRS should leverage the results of current security architectures (e.g., Target Security Architecture for the Defense Information Infrastructure [DII]) developed for the DoD, as appropriate. Doing so will promote compatibility between the Defense Information Infrastructure and the National Information Infrastructure.
DEFINING SECURITY STANDARDS AND PROTOCOLS:
The national security organizations have made a conscious decision to limit the development of custom products and systems in favor of using commercial off-the-shelf (COTS) hardware and software. To ensure the COTS products incorporate appropriate security services that meet their needs, the Government is placing a significant amount of energy into the definition and development of security standards and protocols. Specifically, the DoD is working directly with national and international standards bodies, such as the Internet Engineering Task Force (IETF), to influence future standards and protocols with respect to key management and other security services. Additionally, they are working with several product vendors and service providers, such as RSA, Netscape, and Microsoft to name but a few, to collaborate on the development of security protocols that will be implemented in their respective offerings. By doing so, they have taken the burden off the Government to supply their customers with specific security products. Instead, they have created a market that will promote interoperability and competition for security products and services that may be employed in IRS and other Federal applications.
FIELDING PRODUCTS AND TOOLS:
Many security products have been developed to provide security services and to meet threats to information systems and data. These products range from those narrowly designed to provide a specific service, such as encryptors, to more general products, such as firewalls, which can be configured to provide a variety of services. The products themselves can be loosely grouped into the following classes:
· Firewall: A firewall is used to protect a network from another untrusted network (e.g., the Internet). Its main purpose is to control access to or from a protected network. Firewalls shield a network from protocols and application services that can be abused from hosts outside the shielded network. Firewalls can generally be configured to meet a user's specific requirements. For example, many firewalls maintain access control lists to identify users who are allowed to enter or exit through the firewall. The range of capabilities of firewalls varies by product and user needs, so care must be taken to select a firewall that meets the operational requirements. Organizations throughout the Department of Defense (DoD) are deploying firewalls to protect their enclaves from attacks launched from the Internet and even from their connections to the Defense Information System Network (DISN). For IRS applications, where users and third parties log in and access the IRS Web site, it may be appropriate to consider implementing multiple firewalls or a single firewall with multiple ports that will permit the establishment of public and private (IRS) information domains. Most organizations implement a single firewall, which provides some inherent protection. However, if a hacker is able to penetrate the firewall, the hacker in this scenario would have access to the private information.
· Secure Application Packages: Many software developers are building security features directly into their applications (e.g., e-mail, web browsers, databases). For example, every computer user is familiar with being prompted to enter a password. These application packages make good use of the network environment by distributing information repositories and allowing multiple users to access and share information. These very capabilities raise specific security concerns with respect to maintaining the confidentiality and integrity of information as it moves through the network and ensuring that only authorized users have access to the information. Additionally, with recent developments in the web environment, users are downloading and executing software on their machines without any assurance of the source or integrity of the software. This capability, while facilitating the transfer of information, creates additional security concerns (e.g., viruses, Trojan horses). The security being integrated into these application packages presumably addresses these concerns, but the degree of protection varies from product to product. As subsequently discussed in the section concerning "Evaluating COTS Products", it would be beneficial to have an independent agent, similar to Underwriters Laboratory, evaluate and disseminate information regarding the security actually provided by a given product in a specific environment.
· Public Key Infrastructure: The public key infrastructure (PKI) supports public key cryptography. Public key cryptography is a special class of encryption algorithms in which each user holds a private key and a matching public key, and the public keys are exchanged between two users on a network. The private and public keys are used to generate the secret code that in turn is used to encrypt the data exchanges between the two network users. These algorithms provide inherent benefits associated with minimizing the logistical burden of having to physically distribute keys to all potential users prior to their use. With the exception of a few secure voice applications, most of the encryption algorithms used in national security applications today do not make use of public key cryptography, simply because the technology was not available when the systems were developed. However, public key cryptography is clearly the preferred choice for future security applications, particularly given that newer versions of public key algorithms will support higher transmission speeds, provide greater protection, and be more efficient.
· Certificate Authority: The certificate authority supports public key cryptography. The certificate authority is responsible for registering end users, defining their security privileges, and providing them with certificates that are used to support cryptographic functions. In many ways an analogy can be drawn between the PKI and acquiring a driver's license. Specifically, a driver's license is the certificate a user presents to authenticate his right to operate a car, and a PKI certificate is a mechanism that can be used to authenticate a user to access and "operate" a remote computer. Carrying the analogy one step further, the Motor Vehicle Administration is responsible for verifying a driver's information, determining his/her rights to operate different vehicles (e.g., cars, motorcycles, or tractor trailers), and issuing the license. The certificate authority performs a similar operation for the user's PKI certificate.
In general, the technology associated with the certificate authority is available today, but the specific policies and procedures are still being defined and implemented by industry. Potential organizations being considered as the certificate authorities include the U.S. Postal Service and banking institutions. Assuming the IRS moves forward with a plan to implement a public key infrastructure, decisions will have to be made as to whether the IRS should use the Federal-wide certificate authority or one unique to the IRS.
· Secure Tokens: The most common means of identifying and authenticating a source is to use passwords. However, significant vulnerabilities have been identified with the use of passwords. Secure tokens have been developed to combat these vulnerabilities and to provide a more secure means of identifying and authenticating users. The most common form of a token is a card that contains information specific to a user. For example, the card can contain the user's private key, which in public key cryptography allows the user to authenticate themselves or establish a cryptographically protected communication connection across the network. The private sector and the national security communities have developed secure token systems. These systems are expected to be used more frequently for commercial and Government applications. However, the IRS will have to decide if a common token may be used for multiple applications (e.g., filing tax returns, trading stock) or if an IRS-unique token would be required.
· Network Intrusion Devices: Network intrusion devices monitor the operation of the user's networks. For example, a network intrusion device will look at unsuccessful login attempts. These attempts could signify that a hacker is trying to penetrate the network. Additionally, these devices can monitor the flow of information and compare it to normal operations to detect unusual activities. State-of-the-art intrusion detection devices use smart technology to analyze information exchanges in real time and cut off the communications link when unusual activity is detected.
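As an added illustration of the public key infrastructure, certificate authority, and secure token items above (example code written for this page, not a product or program described in the briefing), the Go program below builds a hypothetical CA, registers one user by issuing a certificate bound to the user's public key, and then has the user prove possession of the private key while the server checks the certificate against the one CA it trusts. The CA name, user name, validity periods and the challenge contents are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh key pair for the subject described by tmpl and has signer certify
// its public key; with signer nil the subject signs its own certificate (a root CA).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI plays the certificate authority: it creates a self-signed CA certificate, then
// registers one user by issuing a certificate bound to that user's public key (names assumed).
func BuildPKI(userName string) (caCert, userCert *x509.Certificate, userKey *ecdsa.PrivateKey, err error) {
	now := time.Now()
	caCert, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Hypothetical Federal CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	userCert, userKey, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: userName},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, caKey)
	return caCert, userCert, userKey, err
}

// SignChallenge is the user's side of authentication: proving possession of the private key
// (in practice held on a token) by signing a server-supplied challenge.
func SignChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Authenticate is the server's side: the presented certificate must chain to a CA the server
// trusts and be valid for client authentication, and the signature must verify under it.
func Authenticate(cert, trustedCA *x509.Certificate, challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // unknown issuer, expired, or wrong usage: the "license" is not recognized
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig)
}
```

A certificate issued by a second, unrecognized CA fails the trust check even though it is well formed, which is the point of deciding which CA the IRS would rely on.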
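The coordinated security management point made earlier (an attack noticed at the firewall not being communicated to the administrator of the web site) and the failed-login monitoring described for network intrusion devices can be served by one rule, shown in the added Go example below, which is not code from the briefing or from any product it mentions. It parses constructed log lines from a firewall and a web server, groups them by source address, and flags a source seen at both points within a time window or one producing a burst of events at a single point; the log format, addresses, window and threshold are all assumed.

```go
package main

import (
	"sort"
	"strings"
	"time"
)

// Event is one normalized record from any monitoring point on the network.
type Event struct {
	When   time.Time
	Point  string // the system that reported it, e.g. "firewall" or "webserver"
	Kind   string // what happened there, e.g. "denied" or "login-fail"
	Source string // originating IP address
}

// SampleLog is constructed input in a made-up "<RFC3339 time> <point> <kind> <source>"
// format; it is not any real product's log format.
var SampleLog = []string{
	"2024-04-01T09:00:10Z firewall denied 198.51.100.5",
	"2024-04-01T09:03:00Z webserver login-fail 198.51.100.5",
	"2024-04-01T09:10:00Z webserver login-fail 198.51.100.9",
	"2024-04-01T09:10:03Z webserver login-fail 198.51.100.9",
	"2024-04-01T09:10:07Z webserver login-fail 198.51.100.9",
	"2024-04-01T08:00:00Z firewall denied 192.0.2.20",
	"2024-04-01T11:00:00Z webserver login-fail 192.0.2.20",
}

// ParseLines converts lines in the sample format to events; malformed lines are skipped.
func ParseLines(lines []string) []Event {
	var out []Event
	for _, ln := range lines {
		if f := strings.Fields(ln); len(f) == 4 {
			if ts, err := time.Parse(time.RFC3339, f[0]); err == nil {
				out = append(out, Event{When: ts, Point: f[1], Kind: f[2], Source: f[3]})
			}
		}
	}
	return out
}

// Correlate groups events by source address and slides a time window over each source's
// history. A source seen at more than one point inside a window is reported as "multi-point"
// (what siloed administrators miss); one with at least threshold events in a window as "burst".
func Correlate(events []Event, window time.Duration, threshold int) map[string]string {
	bySource := map[string][]Event{}
	for _, e := range events {
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	alerts := map[string]string{}
	for src, evs := range bySource {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		multi, burst := false, false
		for lo, hi := 0, 0; hi < len(evs); hi++ {
			for evs[hi].When.Sub(evs[lo].When) > window { // drop events older than the window
				lo++
			}
			burst = burst || hi-lo+1 >= threshold
			for _, e := range evs[lo:hi] { // compare the newest event with the rest of the window
				multi = multi || e.Point != evs[hi].Point
			}
		}
		if multi {
			alerts[src] = "multi-point"
		} else if burst {
			alerts[src] = "burst"
		}
	}
	return alerts
}
```

With a 10-minute window the source seen at the firewall at 08:00 and at the web server at 11:00 is not reported, so the window is itself a policy decision for the security manager.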
EVALUATING COTS PRODUCTS:
With the Government emphasizing the use of COTS products to satisfy the majority of their future needs, it is extremely important to have an understanding of all the products that are on the market and determine if the products perform as advertised. Unfortunately, most users of information technology products are unable to keep up with the multitude of security products hitting the market each day. Furthermore, the users generally do not understand the technical details with respect to how the products are configured and operated. They can only rely on information they read in brochures and journals, which often advertise the individual product capabilities, as opposed to examining the product in a system context. Evaluating security products from a system perspective is very difficult, particularly when considering the way systems and networks are customized to meet business objectives. The national security community has established programs and initiatives to monitor the availability of COTS products, evaluate their capabilities, and make smart decisions relative to their potential system applications. A similar effort to evaluate COTS products for a broader community (i.e., Federal and commercial) would be beneficial.
Once again, the basic set of security products and technologies is available or will be available in the very near future to support most known information applications. The real challenges lie in the areas of defining the policies and the business processes to take advantage of the security products and services. As appropriate, the business processes will have to change to accommodate the technologies, or in some cases it may be necessary to develop a whole new set of processes. However, as with any system that attempts to automate existing business processes, the real success will be determined by the degree of trust and comfort established with the end users (i.e., taxpayers).