jump to navigation

Information Protection Challenges September 13, 2013

Posted by patrickcallan2013 in Security.
trackback

Protecting information in computing systems presents many challenges. The wide variances in who should have what type of access to information requires sophisticated schemes to control access. Saltzer and Schroeder note three “potential security violations” involving information can occur: “… 1) Unauthorized information release … 2) Unauthorized information modification … [and] … 3) Unauthorized denial of use”. [p. 2 in [1]] Most organizations require a considerable amount of collaborative work which means information will be shared to a certain extent. Difficulties arise when various group members have information which cannot be shared with all group members. How can information access within a work group be managed so only authorized employees access key data files? There is a great deal of complexity in securing a multitude of data files needing varying degrees of security along with managing individual and/or group access privileges to that data. There is also the additional issue of modification rights – who can change the data file? Considering just the variations in data access by individual employees, the variation in the sensitivity of the data stored in various files, and the variations in what authorized users can do with a data file creates a significant level of complexity to manage to insure that information remains adequately protected. Many organizations rely upon several broad groupings of employees to implement a very rough information protection scheme because a finer grained approach is very labor intensive and difficult to maintain – there are many dynamic details to track such as new users, files, and privileges, and users get frustrated by the continual requests to gain access to files needed to complete their work tasks.

An important point which Saltzer and Schroeder make is “… the “intruder” … may be an otherwise legitimate user of the computer system.” [p. 3 in [1]] Many security breaches are the result of employee misuse of information systems. Employees transfer corporate data into poorly secured personal devices – smart phones, USB drives, laptops and home computer systems – or utilize insecure public cloud storage providers to store corporate data. [2] The fact that confidential corporate data is leaking onto the Internet is confirmed in numerous news reports. [3] Securing data within an organization is extremely difficult but the current surge in the movement of corporate data into less secure personal environments poses serious risks to protecting information. Users play a major role in maintaining system security and protecting information. [4]

Multiple approaches to security like combining hardware and software based security strengthen security by creating multiple layers of protection which have to be breached to compromise information. Saltzer and Schroeder’s description of combining software and hardware “descriptor-based” security measures appears directed at computing environments where the organization controls the hardware. [p. 12 in [1]] Implementing and managing descriptor-based hardware security would be difficult in today’s highly distributed computing environment where users are interacting with multiple computing systems, virtualized systems that migrate applications and data to maintain performance, and increasing use of mobile computing devices and cloud based platforms. The shifting of processing and information across multiple hardware devices may not be controlled by the user or his/her organization, and determining which hardware descriptor-based registers to evaluate to maintain security poses significant challenges in increasingly virtualized computing environments. Despite the challenges of virtualized computing environments, research continues on combined hardware and software solutions to enhance information systems security. [5]

[1] Saltzer, Jerome H., and Michael D. Schroeder. “The Protection of Information in Computer Systems”. Proceedings of the IEEE, Volume 63 Issue 9. 1975.

[2] Kirk, Jeremy. “Dropbox Takes a Peek at Files”. CIO. September 12, 2013. Accessed on 9/12/2013 at http://www.cio.com/article/739573/Dropbox_Takes_a_Peek_At_Files .

[3] Hardy, Quentin. “Where apps meet work, secret data is at risk.” New York Times. March 3, 2013. Accessed on 9/1/2013 at http://www.nytimes.com/2013/03/04/technology/it-managers-struggle-to-contain-corporate-data-in-the-mobile-age.html?pagewanted=all&_r=0 .

[4] Kaneshige, Tom. “Confidential Data is Leaving on Workers’ Mobile Devices”. CIO. August 29, 2013. Accessed on 9/4/2013 at http://www.cio.com/article/738922/Confidential_Data_Is_Leaving_on_Workers_Mobile_Devices?source=CIONLE_nlt_enterprise_2013-09-04 .

[5] Jiang, Xiaowei and Yan Solihin. “Architectural Framework for Supporting Operating System Survivability”. 2011 IEEE 17th International Symposium on High Performance Computer Architecture (HPCA). 2011.

Advertisements

Comments»

No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: