This is a set, comprising of Enterprise Level Security and Enterprise Level Security 2.
Enterprise Level Security: Securing Information Systems in an Uncertain World provides a modern alternative to the fortress approach to security. The new approach is more distributed and has no need for passwords or accounts. Global attacks become much more difficult, and losses are localized, should they occur. The security approach is derived from a set of tenets that form the basic security model requirements. Many of the changes in authorization within the enterprise model happen automatically. Identities and claims for access occur during each step of the computing process.
Many of the techniques in this book have been piloted. These techniques have been proven to be resilient, secure, extensible, and scalable. The operational model of a distributed computer environment defense is currently being implemented on a broad scale for a particular enterprise.
The first section of the book comprises seven chapters that cover basics and philosophy, including discussions on identity, attributes, access and privilege, cryptography, the cloud, and the network. These chapters contain an evolved set of principles and philosophies that were not apparent at the beginning of the project.
The second section, consisting of chapters eight through twenty-two, contains technical information and details obtained by making painful mistakes and reworking processes until a workable formulation was derived. Topics covered in this section include claims-based authentication, credentials for access claims, claims creation, invoking an application, cascading authorization, federation, and content access control. This section also covers delegation, the enterprise attribute ecosystem, database access, building enterprise software, vulnerability analyses, the enterprise support desk, and network defense.
Enterprise Level Security 2: Advanced Topics in an Uncertain World follows on from the authors’ first book on Enterprise Level Security (ELS), which covered the basic concepts of ELS and the discoveries made during the first eight years of its development. This book follows on from this to give a discussion of advanced topics and solutions, derived from 16 years of research, pilots, and operational trials in putting an enterprise system together. The chapters cover specific advanced topics derived from painful mistakes and numerous revisions of processes. This book covers many of the topics omitted from the first book including multi-factor authentication, cloud key management, enterprise change management, entity veracity, homomorphic computing, device management, mobile ad hoc, big data, mediation, and several other topics. The ELS model of enterprise security is endorsed by the Secretary of the Air Force for Air Force computing systems and is a candidate for DoD systems under the Joint Information Environment Program. The book is intended for enterprise IT architecture developers, application developers, and IT security professionals. This is a unique approach to end-to-end security and fills a niche in the market. Dr. Kevin E. Foltz, Institute for Defense Analyses, has over a decade of experience working to improve security in information systems. He has presented and published research on different aspects of enterprise security, security modeling, and high assurance systems. He also has degrees in Mathematics, Computer Science, Electrical Engineering, and Strategic Security Studies. Dr. William R. Simpson, Institute for Defense Analyses, has over two decades of experience working to improve systems security. He has degrees in Aeronautical Engineering and Business Administration, as well as undergoing military and government training. He spent many years as an expert in aeronautics before delving into the field of electronic and system testing, and he has spent the last 20 years on IT-related themes (mostly security, including processes, damage assessments of cyber intrusions, IT security standards, IT security evaluation, and IT architecture).
Table of Contents
Enterprise Level Security (1)
1.1 Problem Description
1.1.1 Success beyond Anticipation
1.1.2 But, It Started Long before at
220.127.116.11 A Brief History of the Development of the WWW
1 1.1.3 Fast-Forward to Today
1.2 What Is Enterprise Level Security?
1.3 Distributed versus Centralized Security
1.3.1 Case Study: Boat Design
1.3.2 Case Study Enterprise Information Technology Environment
1.3.3 Security Aspects
1.4 Crafting a Security Model
1.4.1 e Assumptions
1.4.2 Tenets: Digging beneath the Security Aspects
1.5 Entities and Claims
1.6 Robust Assured Information Sharing
1.6.1 Security Requirements
1.6.2 Security Mechanisms
1.6.3 Goals and Assumptions of IA Architecture
1.6.5 A Framework for Entities in Distributed Systems
1.7 Key Concepts
1.7.1 ELS-Specific Concepts
1.7.2 Mapping between Tenets and Key Concepts
1.7.3 Enterprise-Level Derived Requirements
1.7.4 Mapping between Key Concepts and Derived Requirements
1.8 Two Steps Forward and One Step Back
1.9 e Approximate Time-Based Crafting
SECTION I BASICS AND PHILOSOPHY
2.1 Who Are You?
2.3 Identity and Naming: Case Study
2.4 Implications for Information Security
2.6 Identity Summary
3.1 Facts and Descriptors
3.2 An Attribute Ecosystem
3.3 Data Sanitization
3.3.1 Guarded and Filtered Inputs
3.3.2 Guard Administrator Web Interface
3.3.3 Integrity in Attribute Stores
3.3.4 Secure Data Acquisition
3.3.5 Integrity at the Source
3.4 Temporal Data
3.5 Credential Data
3.6 Distributed Stores
4 Access and Privilege
4.1 Access Control
4.2 Authorization and Access in General
4.3 Access Control List
4.3.1 Group Requirements
4.3.2 Role Requirements
4.3.3 ACRs and ACLs
4.3.4 Discretionary Access Control and Mandatory Access Control
4.4 Complex Access Control Schemas
4.6 Concept of Least Privilege
4.6.1 Least Privilege Case Study
5.2 Cryptographic Keys and Key Management
5.2.1 Asymmetric Key Pairs
18.104.22.168 RSA Key Generation
5.3 Symmetric Keys
5.3.1 TLS Mutual Authentication Key Production
5.3.2 Other Key Production
5.4 Store Keys
5.5 Delete Keys
5.7 Symmetric versus Asymmetric Encryption Algorithms
5.7.1 Asymmetric Encryption
5.7.2 RSA Asymmetric Encryption
5.7.3 Combination of Symmetric and Asymmetric Encryption
5.7.4 Symmetric Encryption
22.214.171.124 Stream Ciphers
126.96.36.199 Block Ciphers
5.7.5 AES/Rijndael Encryption
188.8.131.52 Description of the AES Cipher
5.7.6 Data Encryption Standard
184.108.40.206 Triple DES
220.127.116.11 Description of the Triple DES Cipher
5.8.1 Asymmetric Decryption
5.8.2 Symmetric Decryption
5.9 Hash Function
5.9.1 Hash Function Algorithms
5.9.2 Hashing with Cryptographic Hash Function
18.104.22.168 SHA-3-Defined SHA-512
5.10.1 XML Signature
5.10.2 S/MIME Signature
5.10.3 E-Content Signature
5.11 A Note on Cryptographic Key Lengths
5.11.1 Encryption Key Discovery
5.11.2 e High-Performance Dilemma
5.11.3 Parallel Decomposition of Key Discovery
5.12 Internet Protocol Security
5.13 Other Cryptographic Services
5.14 e Java Cryptography Extension
5.15 Data at Rest
5.16 Data in Motion
6 The Cloud
6.1 e Promise of Cloud Computing
6.2 Benefits of the Cloud
6.3 Drawbacks of Cloud Usage
6.3.1 Differences from Traditional Data Centers
6.3.2 Some Changes in the reat Scenario
6.4 Challenges for the Cloud and High Assurance
6.5 Cloud Accountability, Monitoring, and Forensics
6.5.3 Knowledge Repository
6.5.4 Forensic Tools
6.6 Standard Requirements for Cloud Forensics
7 The Network
7.1 e Network Entities
7.1.1 Most Passive Elements
7.1.2 Issues of the Most Passive Devices
7.1.3 e Convenience Functions
7.1.4 Issues for the Convenience Functions
7.1.5 Content Analyzers
7.1.6 Issues for Content Analyzers
SECTION II TECHNICAL DETAILS
8 Claims-Based Authentication
8.1 Authentication and Identity
8.2 Credentials in the Enterprise
8.3 Authentication in the Enterprise
8.3.1 Certificate Credentials
8.4 Infrastructure Security Component Interactions
8.4.1 Interactions Triggered by a User Request for Service
8.4.2 Interaction Triggered by a Service Request
8.5 Compliance Testing
8.6 Federated Authentication
8.6.1 Naming and Identity
8.6.2 Translation of Claims or Identities
8.6.3 Data Requirements
8.6.4 Other Issues
9 Credentials for Access Claims
9.1 Security Assertion Markup Language
9.2 Access Control Implemented in the Web Service
9.3 Establishing Least Privilege
9.4 Default Values
9.5 Creating an SAML Token
9.6 Scaling of the STS for High Assurance Architectures
9.7 Rules for Maintaining High Assurance during Scale-Up
10 Claims Creation
10.1 Access Control Requirements at the Services
10.1.1 Discretionary Access Control List
10.1.2 Mandatory Access Control
10.1.3 Access Control Logic
10.2 Access Control Requirement
10.3 Enterprise Service Registry
10.4 Claims Engine
10.5 Computed Claims Record
11 Invoking an Application
11.1 Active Entities
11.2 Claims-Based Access Control
11.2.1 Authorization in the Enterprise Context
11.3 Establishing Least Privilege
11.4 Authorizing the User to the Web Application
11.5 Authorizing a Web Service to a Web Service
11.6 Interaction between Security Components
11.6.1 Access from within the Enterprise
11.6.2 Disconnected, Intermittent, or Limited Environments
22.214.171.124 Prioritization of Communications
126.96.36.199 Reduction of the Need for Capacity
188.8.131.52 Asset Requirements
12 Cascading Authorization
12.1 Basic Use Case
12.2 Standard Communication
12.3 Pruning Attributes, Groups, and Roles
12.4 Required Escalation of Privilege
12.5 Data Requirements for the Pruning of Elements
12.6 Saving of the SAML Assertion
12.7 SAML Token Modifications for Further Calls
12.8 An Annotated Notional Example
12.9 Additional Requirements
12.10 Service Use Case Summary
13.2 Elements of Federated Communication
13.2.1 Naming and Identity
13.2.3 PKI—X.509 Certificates
13.2.4 Certificate Services
13.2.5 Bilateral Authentication
13.2.6 Authorization Using SAML Packages
13.2.7 Registration of the STS
13.2.8 Recognizing STS Signatures
13.2.9 Translation of Properties, Roles, and Groups
13.2.10 Other Issues
13.3 Example Federation Agreement
13.4 Access from Outside the Enterprise
13.5 Trusted STS Store
13.6 Trusted STS Governance
14 Content Access Control
14.1 Authoritative and Nonauthoritative Content
14.2 Content Delivery Digital Rights Management
14.3 Mandatory Access Control
14.4 Access Control Content Management System
14.5 Enforcing Access Control
14.6 Labeling of Content and Information Assets
14.7 Conveying Restrictions to the Requester
14.8 Enforcing/Obtaining Acknowledgment of Restrictions
14.10 Content Management Function
14.11 Components of a Stored Information Asset
14.11.1 Information Asset, Section A: ACL, MAC, and Data
14.11.2 Information Asset, Section B: Information Asset as Labeled
14.11.3 Information Asset, Section C: Information Asset Signature(s)
14.11.4 Information Asset, Section D: MDE Metacard
14.12 Additional Elements for Stored Information Assets
14.12.1 Key Words
14.12.2 Storage Location(s) of Key Word Metadata
14.12.3 Reference Identity and Information Asset Description
14.12.4 Information Asset Name
14.12.5 Information Asset Description
14.13 Key Management Simplication
14.13.1 Information Asset
14.14 Import or Export of Information Assets
15.1 Delegation Service
15.2 Service Description for Delegation
15.3 Form of Extended Claims Record
15.4 Special Delegation Service
16 The Enterprise Attribute Ecosystem
16.1 User and Data Owner Convenience Functions
16.1.1 Self-Registration (Partial)
16.1.2 User Attribute Service
16.1.3 Service Discovery
16.1.4 User Claim Query Service
16.1.5 Direct Service/Application Invocation
16.1.6 Trusted Delegation Service
16.1.7 Special Delegation Service
16.2 Attribute Ecosystems Use Cases
16.2.1 Process Flows Related to Security for Each Service
16.2.2 Updating Claims
16.2.3 Adding a New Identity
16.2.4 Adding a Service
16.2.5 Accessing Services
16.2.6 Providing Delegation
16.2.7 Providing Special Delegation
16.3 Attribute Ecosystem Services
16.3.1 Authoritative Content Import Service(s)
16.3.2 Manage Import and Aggregation Web Application
16.3.3 Manual Entry Web Application for Attributes
16.3.4 AE Import Service
16.3.5 Enterprise Service Registry Web Application
16.3.6 Manage Claims Engine Web Application
16.3.7 Claims Engine
16.3.8 Manage Claims Web Application
16.3.9 Manage Delegation Web Application and Service
16.3.10 Claims Exposure and Editor Web Service
16.3.11 Provide Claims Web Service
16.3.12 Delegation Web Application and Web Service
16.3.13 Manage Groups and Roles Web App
16.3.14 Autoregistration Web App
16.3.15 Write Attribute List
16.3.16 User Query Attributes
16.3.17 User Query Claims
16.3.18 Special Delegation Web Application and Web Service
17 Database Access
17.1 Database Models
17.2 Database Interfaces and Protocols
17.2.1 SQL Databases
17.2.2 XML Databases
17.2.3 Large-Scale Databases
17.2.4 Geospatial Databases
17.3 Overall Database Considerations
17.4 Enterprise Resource Planning Business Software
17.5 ERP as a Legacy System
17.5.1 ERP Attribute System Synchronization
17.5.2 ERP Border System
17.6 Hardening of ERP Database Systems
17.6.1 Hardening Stage One: Encryption of Data at Rest
17.6.2 Hardening Stage Two: Encryption of Data in Transit
17.6.3 Hardening Stage Three: Claims Identity, Access, and Privilege
17.6.4 Hardening Stage Four: Least Privilege for Application
184.108.40.206 Financial Roles
220.127.116.11 Application-Driven Database Operations
18.104.22.168 Application-Driven Annotated Example
22.214.171.124 Data-Driven Database Operations
126.96.36.199 Data-Driven Annotated Example
17.6.5 Hardening Stage Five: Homomorphic Encryption
18 Building Enterprise Software
18.1 Services Types
18.2 Functionality of All Services
18.2.1 Evaluating Inputs
188.8.131.52 Extensible Markup Language
18.2.3 PKI Required: X.509 Certificates
18.2.4 PKI Bilateral Authentication
18.2.5 Authorization Using Authorization Handlers
18.2.6 Agents in the Enterprise
184.108.40.206 Self-Help Agents
220.127.116.11 Embedded Agents
18.104.22.168 Monitor Sweep Agents
22.214.171.124 Import Agents
126.96.36.199 Self-Protection Agents
18.2.7 Data Keeping and Correlation
18.3 Service Model
18.4 Enterprise Services Checklist
18.5 Enterprise Service Registry
18.6 Service Discovery: Manual and Automated
18.7 Additional Considerations
18.7.1 Agents in the Enterprise Environment
18.7.2 Code Elements of a Service
18.7.3 Anatomy of a Service
188.8.131.52 Commercial Of-the-Shelf and Legacy Software
184.108.40.206 Load Balancing Applications
220.127.116.11 Web Service Monitor Activities
18.9 ELS Interface
18.10 Access Control List
19 Vulnerability Analyses
19.1 Vulnerability Causes
19.2 Related Work
19.2.1 Static Code Analysis
19.2.2 Dynamic Code Analysis
19.2.3 Penetration Testing
19.2.4 Code Analysis and Penetration Testing Summary
19.3 Vulnerability Analysis
19.3.1 Vulnerability Analysis Objective
19.3.2 Vulnerability Analysis Information
19.3.3 Obtaining Vulnerabilities
19.3.4 Deriving Penetration Tests
19.3.5 Continuous Updating
19.3.6 Review and Approve
19.4 Flaw Remediation
19.4.1 Flaw Remediation Objectives
19.4.2 Flaw Remediation Information
19.4.3 A Flaw Remediation Process
19.4.4 Flaw Remediation Quality System
19.4.5 Flaw Remediation Reporting
19.4.6 Review and Approve
20 An Enterprise Support Desk
20.2 Data Repository System
20.3 Information for Service Monitoring
20.4 Centralized Repository
20.5 Services by Type
20.6 Data Keeping Requirements
20.7 Naming Schema
20.8 Monitor Activities
20.8.1 Data Generation
20.8.2 Log 4j Specification
20.8.3 Alerts and Automatic Response
20.8.4 SMTP Format for Alerts
20.8.5 Requirements for Java and Service Exception Errors
20.8.6 Record Storage
20.9 Help Desk Breakdown
20.10 Customer Support and Help Desk
20.11 Levels of Service
20.11.1 Level 0: Client Self-Help
20.11.2 Level 1: Basic Information
20.11.3 Level 2: Interactive Support
20.11.4 Level 3: Security, Serious Bugs, and Vendor Support
20.12 Using the Knowledge Repository
20.12.1 Information for Help Desk Operations
20.13 ESD Summary
21 Network Defense
21.1 Expected Behavior
21.3 Current Protection Approaches
21.3.1 Current: Unencrypted Traffic
21.3.2 Current: Encrypted Traffic
21.4 An Alternative to Private Key Passing
21.5 A Distributed Protection System
21.5.1 Appliance Functionality In-Line
21.5.2 Appliance Functionality as a Service
21.6 Next Steps for Appliances
21.6.1 Real Demilitarized Zone
21.6.2 Security Issue
21.6.3 Taking Advantage of Software-Only Functionality
21.6.4 Protecting the Server
21.6.5 Handlers in the Server
21.7 Appliances at Change Content
21.7.1 Wide Area Network Acceleration
21.7.2 An Introduction to WAN Acceleration
21.7.3 Current WAN Accelerator Approaches
21.7.4 An Alternative to Private Key Passing
21.7.5 Integrity in a TLS Session
21.7.6 Flows in a High Integrity System
21.7.7 Summary of WAN Acceleration
21.8 Appliances: A Work in Progress
22 Concluding Remarks
22.1 Where We Have Been and Where We Are Going
22.2 Understanding the Approach
22.3 About Those Takeaways
Enterprise Level Security 2
Chapter 1. The First 16 Years.
1.1 The Beginning of Enterprise Level Security (ELS)
1.2 Design Principles.
1.3 Key Concepts.
Chapter 2. A Brief Review of the Initial Book.
2.1 Security Principles.
2.2 ELS Framework.
Chapter 3. Minimal Requirements for the Advanced Topics.
3.1 Needed Capabilities.
3.2 Creating an Attribute Store.
3.3 Registering a Service.
3.4 Computing Claims.
3.5 User Convenience Services.
3.6 The Enterprise Attribute Ecosystem.
Identity and Access Advanced Topics.
Chapter 4. Identity Claims in High Assurance.
4.1 Who Are You?.
4.2 Entity Vetting.
4.4 Key and Credential Generation.
4.5 Key and Credential Access Control.
4.6 Key and Credential Management.
4.7 Key and Credential Use.
4.8 Some Other Considerations.
Chapter 5. Cloud Key Management.
5.2 ELS in a Private Cloud.
5.3 The Public Cloud Challenge.
5.4 Potential Hybrid Cloud Solutions.
5.5 Proposed Secure Solutions.
5.7 Cloud Key Management Summary.
Chapter 6. Enhanced Assurance Needs.
6.1 Enhanced Identity Issues.
6.2 Scale of Identity Assurance.
6.3 Implementing the Identity Assurance Requirement.
6.4 Additional Requirements.
6.5 Enhanced Assurance Summary.
Chapter 7. Temporary Certificates.
7.1 Users That Do Not Have a PIV.
7.2 Non-PIV STS/CA-Issued Certificate.
7.3 Required Additional Elements.
7.4 Precluding the Use of Temporary Certificates.
7.5 Temporary Certificate Summary.
Chapter 8. Derived Certificates on Mobile Devices.
8.1 Derived Credentials.
8.2 Authentication with the Derived Credential.
8.3 Encryption with the Derived Credential.
8.4 Security Considerations.
8.5 Certificate Management.
Chapter 9. Veracity and Counter Claims.
9.1 The Insider Threat.
9.2 Integrity, Reputation, and Veracity.
9.3 Measuring Veracity.
9.4 Creating a Model & Counter-Claims.
9.5 Veracity and Counter-Claims Summary.
Chapter 10. Delegation of Access and Privilege.
10.1 Access and Privilege.
10.2 Delegation Principles.
10.3 ELS Delegation.
10.4 Delegation Summary.
Chapter 11. Escalation of Privilege.
11.1 Context for Escalation.
11.2 Access and Privilege Escalation.
11.3 Planning for Escalation.
11.4 Invoking Escalation.
11.5 Escalation Implementation within ELS.
11.7 Escalation Summary.
Chapter 12. Federation.
12.1 Federation Technical Considerations.
12.2 Federation Trust Considerations.
12.3 Federation Conclusions.
ELS Extensions – Content Management.
Chapter 13. Content Object Uniqueness for Forensics.
13.1 Exfiltration in Complex Systems.
13.2 Product Identifiers.
13.3 Hidden Messages.
13.4 Content Management.
13.5 Content Object Summary.
Chapter 14. Homomorphic Encryption.
14.1 Full Homomorphic Encryption (FHE).
14.2 Partial Homomorphic Encryption (PHE).
14.3 PHE Performance Evaluation.
14.4 Homomorphic Encryption Conclusions.
ELS Extensions – Data Aggregation.
Chapter 15. Access and Privilege in Big Data Analysis.
15.1 Big Data Access.
15.2 Big Data Related Work.
15.3 Big Data with ELS.
15.4 Big Data Summary.
Chapter 16. Data Mediation.
16.1 Maintaining Security with Data Mediation.
16.2 The Mediation Issue.
16.4 Choosing a Solution.
16.5 Mediation Summary.
ELS Extensions – Mobile Devices.
Chapter 17. Mobile Ad Hoc.
17.1 Mobile Ad Hoc Implementations.
17.2 Network Service Descriptions.
17.3 Other Considerations.
17.4 Mobile Ad Hoc Summary.
Chapter 18. Endpoint Device Management.
18.1 Endpoint Device Choices.
18.2 Endpoint Device Management.
ELS Extensions – Other Topics.
Chapter 19. Endpoint Agent Architecture.
19.1 Agent Architecture.
19.2 Related Work.
19.3 ELS Agent Methods.
19.4 Endpoint Agent Results.
19.5 Endpoint Agent Conclusions.
19.6 Endpoint Agent Extensions.
Chapter 20. Ports and Protocols.
20.2 Communication Models.
20.3 Ports in Transport Protocols.
20.4 Threats Considered.
20.5 Assigning Ports and Protocols.
20.6 Server Configurations.
20.7 Firewalls and Port Blocking.
20.8 Application Firewalls.
20.9 Network Firewalls in ELS.
20.10 Endpoint Protection in ELS.
20.11 Handling and Inspection of Traffic.
20.12 Additional Security Hardening.
Chapter 21. Asynchronous Messaging.
21.1 Why Asynchronous Messaging?.
21.2 Prior Work.
21.3 Asynchronous Messaging Security.
21.4 PSS Rock and Jewel.
Chapter 22. Virtual Application Data Center.
22.2 Enterprise Level Security and VADC Concepts.
22.3 VADC Implementation.
22.4 Resource Utilization.
22.5 Distributed Benefits and Challenges.
22.6 Virtual Application Conclusions.
Chapter 23. Managing System Changes.
23.1 System Change.
23.2 Current Approaches.
23.3 The Vision.
23.4 Realizing the Vision.
23.5 Moving into the Future.
23.6 Managing Information Technology Changes.
Chapter 24. Concluding Remarks.
24.1 Staying Secure in an Uncertain World.
24.2 The Model is Important
24.3 Zero Trust Architecture.
24.4 Computing Efficiencies.
24.5 Current Full ELS System.
24.6 Future Directions.
References and Bibliography.
Dr. Kevin E. Foltz, Institute for Defense Analyses, has over a decade of experience working to improve security in information systems. He has presented and published research on different aspects of enterprise security, security modeling, and high assurance systems. He also has degrees in Mathematics, Computer Science, Electrical Engineering, and Strategic Security Studies.
Dr. William R. Simpson, Institute for Defense Analyses, has over two decades of experience working to improve systems security. He has degrees in Aeronautical Engineering and Business Administration, as well as undergoing military and government training. He spent many years as an expert in aeronautics before delving into the field of electronic and system testing, and he has spent the last 20 years on IT-related themes (mostly security, including processes, damage assessments of cyber intrusions, IT security standards, IT security evaluation, and IT architecture).