As India embarks on its e-Governance journey, it is timely to first recap and learn from the recent security breaches that took place in developed countries such as the United States. In May 2006, the Veteran’s Administration lost a laptop and disks holding records of 26.5 million veterans and 2.2 million active military personnel. Again, a computer containing records of 16,000 US veterans was lost from an office in August 2006. These incidents raise serious concern, particularly when they happen in developed countries. It has, therefore, become imperative to provide ‘Secure Access’ to users coming in from all different locations (urban and rural, private or public networks, controlled or public locations) as e-Government applications are developed and more data sources are built and identified.
Users of e-Government systems are identified, controlled and managed using authentication and authorisation systems that provide a unique Identity (using PAN, Passport No. or equivalent) and access controls. A combination of public and private networks (shared/dedicated, wired/wireless, and dial-up/broadband) is used for Access (connectivity), and traditional technologies such as user id/passwords, firewalls, SSL, encryption and anti-virus come into play for security. It is essential to provide an ‘Identity, Access and Security (IAS) Platform’ that integrates the above distinct technologies to provide centralised Identity and Access management (across different identity stores, covering strong authentication such as tokens/biometrics and Single Sign On, and granular and differentiated access controls at the application level); normalised Secure Access (irrespective of the access method used); and End-to-End Security (all the way from the user’s access device/PC to the application/data server, covering end-device security, encrypted channels and application firewalls).
Identity theft is a non-discriminatory crime. It can happen to anyone, and at any time, irrespective of gender, age, race, social or financial status. Recent statistics about identity theft are quite revealing. According to the FBI [Federal Bureau of Investigation], about 9.91 million Americans became victims of identity theft, suffering losses amounting to US$52.1bn. Identity theft victims spent an average of 30 hours resolving the problem.
In 2005, incidents of mass identity theft were reported in the United States. In April that year, investment firm Ameritrade reported that backup tapes containing details of nearly 200,000 account holders had been lost in transit. During the same period, Citigroup and Bank of America disclosed that backup tapes with the data of nearly 3.9 million and 1.2 million account holders respectively had been lost. MasterCard’s data-collection firm Choicepoint gave information on nearly 150,000 US citizens to criminal groups posing as legitimate businesses. Let it be known that data leaks such as these will continue unless and until companies begin realising consumers’ pain when these breaches happen.
For enrolment into any organisation or service (computerised or not), the provider requires the user’s confidential data such as DOB, PAN (or SSN), Passport No. and POB. Once a complete set of identity information is shared with the provider, what else is left for the user that is strictly confidential, except to go biometric! On top of that, this information is recorded in ‘multiple copies’ – on paper applications and computer databases (online and offline). Combined with ‘easy access’ and a lack of policies and methods, the current infrastructure is clearly ‘weak’, vulnerable to pilfering and susceptible to crimes such as ‘identity theft’.
VA laptop theft: Lessons learnt
In the United States, the VA (Veteran’s Administration) laptop theft in May this year made waves, due to the sensitivity of the war at hand. The Office of Inspector General published the investigation report on 11 July 2006, and focused on key issues. These included whether the employee had an official need to access the data that was stolen, whether he was authorised to take it home and whether it was properly safeguarded; whether the response of managers and senior executives to the notification of the stolen data was appropriate and timely; the finding that Information Security officials acted with indifference and little sense of urgency; and the finding that policies and procedures did not adequately safeguard protected information.
The investigation concluded that the employee neither had the need nor was authorised to take VA data home. In 2003, the employee was working on a phone survey project to verify results. The project was not critical. The employee downloaded the personal data of those affected, took it home and dumped it on an external hard disk (without encryption or password protection). Processing of the notification of theft was not timely and lacked a sense of urgency. The incident was reported on May 3, and it took 12 days to reach the Office of Inspector General. A number of managers and agencies in the reporting path were simply not capable of determining the extent and seriousness of the damage. The investigation concluded that, in order to address the above issues, policies and procedures should be strong (using strict controls and systems), comprehensive (covering different scenarios) and traceable/measurable.
Security breaches are gaining worldwide attention, and unlike before, for compliance reasons companies and organisations are now freely publishing the complete investigation and facts. It is best to have a group track these worldwide activities and reports, and organise frequent updates and seminars, so that learning from others’ mistakes can be quick and ‘early’.
Proposed e-Governance platform
When one attempts a ‘holistic’ approach to designing ‘end-to-end’ security, there is no single product that can satisfy every need at every point of the network. While anti-virus is applied at a point (user device, server or mail host), a firewall protects the network at the perimeter. What one needs is a ‘platform’ – to pull all pieces together. A Security Platform or ‘Security Middleware’ provides a framework to tie Identity, Access and Security in an enterprise. The concept is similar to Enterprise Service Bus, Application Server or TP Monitor – tying application clients, servers and databases together. A ‘security platform/middleware’ can effectively cover the security requirements, across devices, applications, and networks, with flexibility to integrate existing mechanisms with newer approaches and thereby tightening and taking control of ICT environments. Large implementations like e-Governance need to employ a good ‘security middleware’ to build the ICT foundation.
End-to-end Enterprise Security:
There is a need to identify the steps/stages for ‘end-to-end’ enterprise security. They are:
Assess – identify the user device and assess the security level of the end device/point: whether the prescribed security profile (personal firewall, antivirus and others, of appropriate versions) is up and running on the device.
Identify – users, internal or external, using user id, password, tokens, SMS or digital certificates, along with their end device, connectivity, time and location.
Authorise – access to a specific set of applications and data, differentiated based on user identity, user role, device and location, using granular ‘application controls’.
Access/deliver – applications (of all types: browser, client/server or terminal-based), data and networks, with application intelligence and a choice of access method (client-less, client-based or network-level), delivered to the user’s access device.
Protect – critical applications such as web portals, ERP and CRM apps, using a built-in and configurable application firewall; URL cloaking to mask internal web sites; and intermediated user sessions for additional security.
Audit – logs recording user identity, access IP, time of access and application/data accessed, downloadable or redirected to internal log servers, for industry compliance such as BS7799, HIPAA, GLB or Sarbanes-Oxley.
Security solutions need to be designed comprehensively, with an understanding of the end-to-end flow of data – from a user’s end device, across the network, to the application/data servers. This is the only method for enterprises to improve ‘visibility’ into their network and security configuration. The three tiers of a typical corporate IT set-up are Application, Network and End Device.
For application security requirements, there is a need to protect applications and data servers from unauthorised access, without requiring complex network or firewall changes; the ability to provide Differentiated and Granular Access to target applications, differentiating between different types of users (power users, regular users, guest users); protection from malware such as viruses, worms, Trojan Horses, spyware, etc. that can contaminate and compromise the servers; and protection of browser-based applications from web hacking (against meta characters, SQL injection). Applications are improving at handling these inputs, but legacy applications and new or not-properly-tested applications can slip by.
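The meta-character problem mentioned above is easiest to see with a query. The following is an added example, not code from the article: it places a legacy string-built lookup beside its parameterised replacement and shows the coarse pre-check a gateway-side application firewall can apply in front of a legacy application it cannot change. The in-memory table, the names and the ‘operative id’ values are constructed for the example.

```python
"""Legacy string-built query beside its parameterised replacement, with the
kind of metacharacter pre-check a gateway-side application firewall can apply.
Added example; the table, names and operative ids are constructed for it."""
import sqlite3

# Characters the front-end screen treats as SQL metacharacters (assumed list).
SQL_METACHARS = set("';\"")


def make_db():
    """In-memory table standing in for a citizen identity store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (operative_id TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO citizens VALUES (?, ?)",
        [("OP-1001", "Asha Rao"), ("OP-1002", "Conor O'Brien")],
    )
    conn.commit()
    return conn


def lookup_legacy(conn, name):
    """Legacy pattern: the query text is assembled by concatenation, so a quote
    in the input becomes part of the SQL statement instead of part of the value."""
    sql = "SELECT operative_id FROM citizens WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    """Parameterised query: the driver sends the value separately from the
    statement, so metacharacters in the input remain data."""
    sql = "SELECT operative_id FROM citizens WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def legacy_query_fails(conn, name):
    """True when the legacy lookup cannot even parse the query it built from
    the input: the visible symptom of an input that has altered the SQL."""
    try:
        lookup_legacy(conn, name)
        return False
    except sqlite3.Error:
        return True


def gateway_screens(value):
    """Coarse application-firewall check a gateway can place in front of a
    legacy application. It also rejects legitimate names such as O'Brien,
    which is why fixing the application itself is the real remedy."""
    return "--" in value or any(ch in SQL_METACHARS for ch in value)


if __name__ == "__main__":
    db = make_db()
    print(lookup_hardened(db, "Conor O'Brien"))    # ['OP-1002']
    print(legacy_query_fails(db, "Conor O'Brien"))  # True
    print(gateway_screens("Conor O'Brien"))         # True
```

The legacy function works for ‘Asha Rao’ and breaks on ‘Conor O'Brien’: an ordinary apostrophe is enough to change the statement, which is exactly the class of input the article’s application firewall exists to catch. The parameterised version returns the correct row for both.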
Regarding network security requirements: as the number of firewalls increases and their policies are updated/modified frequently, the ‘security’ condition of the enterprise is no longer under control or clearly visible; ‘transparency’ and ‘visibility’ in implementing access and security requirements are lacking in the current environment; and Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are deployed either host-based on specific critical server machines or network-based. They typically require high maintenance (to update attack signatures) and are reactive in approach.
End Device Security:
Without an accurate way to assess the “health” of a user’s end device, even the most trustworthy user can inadvertently expose everyone else on the network to significant risks, posed by either an infected device, or by one that is not properly protected against infection. Hence, it is imperative to assess and enforce a ‘permitted state of end device security’.
Network Admission Control (NAC):
Cisco’s NAC is an industry initiative with about 60 partners, including Microsoft. With NAC in place, whenever an endpoint device attempts to make a network connection, the network access device automatically requests a ‘security profile’ of the endpoint device, which is provided either through an installed client or through assessment tools. This profile is compared to network security policy, and based on the ‘level of device compliance’ the network can do one of the following – Permit or Deny access; Restrict access by redirecting the device to a network segment with limited exposure; or, Quarantine a noncompliant device by redirecting it to a remediation server. NAC is a powerful method, when the technology becomes available and implemented. Implementation requires substantial investment in switches and routers, without which NAC cannot be complete. Roll out may be speeded up if the existing network equipment and systems can be upgraded using software.
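The Permit / Restrict / Quarantine / Deny outcome described above can be modelled as a small policy evaluation. The following is an added example, not Cisco’s NAC or any vendor’s API: it takes a ‘security profile’ of the kind an installed client or assessment tool would report, compares it with a network security policy, and returns the action plus the reasons. The policy thresholds, version numbers and field names are assumptions made for the example.

```python
"""Hypothetical NAC posture evaluation modelled on the Permit / Restrict /
Quarantine / Deny outcomes in the text. Added example; it is not Cisco's NAC
implementation or any vendor API, and the policy values are constructed."""
from dataclasses import dataclass

# The "network security policy": minimum versions and required agents.
# Values are constructed for this example.
POLICY = {
    "min_av_signature": 20060815,      # date-coded AV signature version (assumed)
    "min_os_patch_level": 12,          # assumed patch-level counter
    "require_personal_firewall": True,
}


@dataclass
class SecurityProfile:
    """Posture reported by the endpoint's installed client or an assessment tool."""
    av_installed: bool
    av_signature: int
    firewall_running: bool
    os_patch_level: int
    assessed: bool = True   # False when the device provided no profile at all


def evaluate_posture(profile, policy=POLICY):
    """Return (decision, reasons); decision is one of
    'permit', 'restrict', 'quarantine' or 'deny'."""
    if not profile.assessed:
        # A device that cannot be measured is denied outright.
        return "deny", ["no security profile available"]

    failures = []
    if not profile.av_installed:
        failures.append("antivirus missing")
    elif profile.av_signature < policy["min_av_signature"]:
        failures.append("antivirus signatures out of date")
    if policy["require_personal_firewall"] and not profile.firewall_running:
        failures.append("personal firewall not running")
    if profile.os_patch_level < policy["min_os_patch_level"]:
        failures.append("OS patch level below policy")

    if not failures:
        return "permit", []
    # A device with a protection agent missing is sent to the remediation
    # segment; one that merely lags behind is given restricted access.
    if "antivirus missing" in failures or "personal firewall not running" in failures:
        return "quarantine", failures
    return "restrict", failures


def network_segment(decision):
    """Map a decision to the segment the access device would place the endpoint
    on. Segment names are hypothetical."""
    return {
        "permit": "production",
        "restrict": "limited-exposure",
        "quarantine": "remediation",
        "deny": None,
    }[decision]


if __name__ == "__main__":
    laptop = SecurityProfile(av_installed=True, av_signature=20060801,
                             firewall_running=True, os_patch_level=12)
    decision, why = evaluate_posture(laptop)
    print(decision, why, network_segment(decision))   # restrict [...] limited-exposure
```

The ordering of the checks matters: an endpoint with no antivirus at all is never merely ‘restricted’, because restricted access still exposes other users on that segment to an unprotected device.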
Authentication and Authorisation
New user data flows use Strong Authentication, application-level access and Single Sign On. User identity issues can be addressed through solutions that include authentication, authorisation and alternate identity.
Authentication: A centralised ‘Identity and Access Management’, with a hierarchy of authentication systems, needs to be planned in order to have control in a billion-citizen country like India. Depending on the role of the user, one may combine ‘strong authentication’ using biometric, token or smart card approaches with ‘traditional authentication’ by user id and password. Once the network is front-ended with strong authentication, Single Sign On methods can be considered to speed up access to applications reliably.
Authorisation: It is equally important to ‘differentiate’ between users/roles, log-in device, type of connectivity (wired/wireless, public/private) and time/day, and to ‘granularly’ map these to different sets of applications based on context. ‘Differentiated access’ and ‘granular controls’ are key features to consider. The later section on the ‘application-level’ access method discusses exercising ‘granular’ controls in more detail, compared with typical ‘network-level’ access.
Alternate Identity: While guarding places of storage and securing access are imperative, alternate ‘user identity’ should be ‘created’ and made available for general usage. An ‘operative user id’, instead of a PAN number, issued by a government Post Office or a bank, can be used to apply for non-critical applications such as ‘getting a phone connection’.
Application-level access and security
Typically users, both internal and external, are first allowed to join the network before accessing any corporate applications or data. How does a user get access to an application? Consider users – internal (employees) or external (guests, consultants, auditors) – over internal (LAN/WAN) or external (dial-up, VPN) connectivity. While corporate networks are segmented through physical subnets or virtual networks (VLANs) to create separation, and protected using firewalls, this entire set-up is constantly in flux. As access/security requirements come from internal or external groups on a day-to-day basis, the set-up of firewalls and subnets is constantly updated.
On Day 0, the overall configuration is designed on a ‘whiteboard’ and implemented with complete clarity, but after the firewalls and subnets have been changed over a period of time, there is no continued ‘visibility’ into the corporate network and security conditions. ‘Lack of visibility’ is a major roadblock in managing a networked enterprise.
Applications define user roles and track user activity after the user successfully logs into the application. There are controls and a record of what the user can do, and what the user did. How about expecting similar controls from the user’s end device to the application server – from the point of the user entering the network to application login? Enterprise (network) security is about controlling, tracking and ‘recording’ access up to the point of ‘login’. Access records are extremely critical for ‘compliance’ purposes.
More than 95% of end users in a typical enterprise are non-technical – from business groups and management, on the LAN or at remote locations. These users typically require access to specific applications using specific access clients (browser/client/direct host). Hence, giving ‘more’ access to these business users, and then figuring out ways to protect the network, is a ‘reactive’ approach. A ‘proactive’ approach to controlling the majority of the user population is ‘application-level’ access. Using this method, access is provided and controlled for ‘individual applications’. Separate pipes are set up (virtually) from the application servers to the users, without adding users to the network. This model requires an intermediary (a gateway) between the users and the application servers. Using ‘application-level’ access, enterprises can identify users, user roles and privileges based on their job function and security policy – and, most importantly, what applications (or data) they can access, from which device and at what time.
Application Gateway – in order to provide ‘application-level access’, the Application Gateway intermediates between users and application servers. Secure links are established from the application servers to the gateway, and users connect to the gateway over a secure channel. After the initial configuration, ‘user to application’ access is managed on the gateway using a single GUI. The gateway can act as a ‘soft’ switch, providing access to different sets of applications based on user id, end device, location and time of access.
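The ‘soft switch’ behaviour of the gateway, together with the differentiated authorisation (role, device, connectivity, time) and the audit stage from the end-to-end list earlier, can be put together in one decision routine. The following is an added example and not any product’s implementation: it evaluates a user context against a per-application policy, lists the applications that context is offered, and produces one audit record per decision carrying identity, source IP, time, application and outcome. The application names, roles, users, addresses and policy values are constructed for the example; the end-device compliance flag is taken as an input, on the assumption that the posture check has already run.

```python
"""Context-aware 'application-level' access decision with an audit record, as
an application gateway might make it. Added example, not a product's code; the
applications, roles, users, addresses and policy values are constructed."""
from dataclasses import dataclass
from datetime import datetime
import json

# Per-application policy (hypothetical): permitted roles and connectivity,
# permitted hours [start, end), and whether a compliant end device is required.
APP_POLICY = {
    "land-records": {"roles": {"registrar", "clerk"}, "connectivity": {"lan"},
                     "hours": (9, 18), "needs_compliant_device": True},
    "citizen-portal": {"roles": {"citizen", "clerk", "registrar"},
                       "connectivity": {"lan", "vpn", "public"},
                       "hours": (0, 24), "needs_compliant_device": False},
    "erp-finance": {"roles": {"finance"}, "connectivity": {"lan", "vpn"},
                    "hours": (8, 20), "needs_compliant_device": True},
}


@dataclass
class AccessContext:
    """What the gateway knows after authentication and end-device assessment."""
    user: str
    role: str
    connectivity: str        # "lan", "vpn" or "public"
    device_compliant: bool   # outcome of the end-device posture check
    source_ip: str
    when: datetime


def make_context(user, role, connectivity, device_compliant, source_ip, iso_time):
    """Convenience constructor taking the access time as an ISO 8601 string."""
    return AccessContext(user, role, connectivity, device_compliant,
                         source_ip, datetime.fromisoformat(iso_time))


def decide(ctx, app, policy=APP_POLICY):
    """Return (allowed, reason) for one context against one application.
    Checks are ordered so the first failing condition is the one reported."""
    rule = policy.get(app)
    if rule is None:
        return False, "unknown application"
    if ctx.role not in rule["roles"]:
        return False, "role not permitted"
    if ctx.connectivity not in rule["connectivity"]:
        return False, "connectivity not permitted"
    start, end = rule["hours"]
    if not start <= ctx.when.hour < end:
        return False, "outside permitted hours"
    if rule["needs_compliant_device"] and not ctx.device_compliant:
        return False, "end device not compliant"
    return True, "permitted"


def applications_for(ctx, policy=APP_POLICY):
    """The gateway as a 'soft switch': the applications this context is offered,
    rather than a network segment it is dropped onto."""
    return sorted(app for app in policy if decide(ctx, app, policy)[0])


def audit_record(ctx, app, policy=APP_POLICY):
    """One record per decision: identity, source IP, time, application and
    outcome. Returned as a dict so it can be asserted on or serialised."""
    allowed, reason = decide(ctx, app, policy)
    return {
        "user": ctx.user, "role": ctx.role, "source_ip": ctx.source_ip,
        "time": ctx.when.isoformat(), "application": app,
        "connectivity": ctx.connectivity, "device_compliant": ctx.device_compliant,
        "result": "allow" if allowed else "deny", "reason": reason,
    }


def audit_line(ctx, app, policy=APP_POLICY):
    """The same record as one JSON line, ready to redirect to a log server."""
    return json.dumps(audit_record(ctx, app, policy), sort_keys=True)


if __name__ == "__main__":
    office = make_context("registrar01", "registrar", "lan", True,
                          "10.20.30.40", "2006-09-12T10:30:00")
    print(applications_for(office))          # ['citizen-portal', 'land-records']
    print(audit_line(office, "land-records"))
```

Note that the same user is offered a different application set when the context changes: the registrar on the office LAN sees the land-records application, while the same registrar on a public network sees only the citizen portal, and the denial is recorded with its reason rather than silently dropped.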
Standards vs. Security for a foundation
When a set of technologies is chosen to form the foundation for security at the national level, a few points need to be considered seriously in preparation for disasters and national emergencies, physical or electronic.
Dependency on commercial packages:
In this age of the global economy, where the ICT business of products, technology, people and services flows (more or less) freely across national boundaries, it is tempting to go for ‘established’ vendors to implement national-level e-Governance solutions. While several factors are in favour of the current vendors, a nation cannot be held hostage if national policies are changed, or priorities are rearranged, in other countries. For example, some large multinationals have a policy, even today, of not selling to Indian defence organisations.
Trick of Open/de facto Standards:
Open Standards encourage products and technologies that are interoperable and fairly poised in the markets. When it comes to security, key factors to consider include the different levels of authentication and authorisation, the layers of network security, encryption, and data and data centre security. At any of these levels, as one follows standards, one is well understood and can potentially be a target for attack. Hence, it sometimes pays to use an indigenous or small-company product, to be ‘different’.
There is therefore a need to stay away from ‘de facto’ standards and products. There are options in Open Systems, from desktops to servers and from operating systems to databases, which can be considered seriously. Indian Defence Labs believed in the approach of developing indigenous technology, without succumbing to any international pressures or politics. The ‘security foundation of e-Governance’ is equally critical and sensitive, and begs a similar approach from defence scientists.
Multiple options are open to e-Governance management to acquire and maintain the source code of key components. Some of the options include open source technologies, buying Intellectual Property from companies, and deviating from open standards/policies to create one’s own ‘security differentiator’.