Microsoft: Security Keeps The Money Flowing
Written by Dan Griffin
I’ve written before about the importance of protecting data on the move in scenarios such as a traveling executive. Imagine the potential damage to reputation and future revenue if a laptop is left in the back of a taxi, and the hard drive is filled with acquisition plans, software source code, emails to the board of directors, and specification documents.
Likewise, everyone is aware now of the risk posed by trusted insiders. WikiLeaks has made the challenge of data loss prevention (DLP) difficult to ignore. Trusted insiders—those with access to sensitive information due to the nature of their employment—can, out of anger or for idealistic reasons, decide to exfiltrate data in any number of ways. Aldrich Ames, the spy from the 1980s, used a photocopier in order to duplicate classified documents that he then sold to Russia. It is said that he spent so much time using the office photocopier that his coworkers, out of frustration and not realising the damage he was doing, started helping him complete his copy jobs so that they could get their own work done.
Needless to say, traitors have an easier time copying digital data today. The result is that the damage can be greater. While a photocopier thirty years ago could perhaps produce a few copies per minute, a single second is now enough time to transfer thousands of documents anywhere in the world.
A Conceptual Framework for Data Loss Prevention
Still, there’s good news: software security technology has never been better. And while security still poses the classic tradeoff with usability and convenience, any organisation can find technologies on the open market that provide the appropriate mix. I’ve found that a conceptual framework is helpful when evaluating DLP technologies. I’ve written previously about The Four Tenets of Security. The same tenets apply to DLP:
- Access control
Data Encryption as a Tool for Authorisation
Enforcing data encryption policy is the best way to mitigate the lost laptop risk. Windows 8.1 enables full-volume disk encryption by default. And self-encrypting drives are becoming more common. For PCs, features such as BitLocker can be used to ensure not only that managed devices have encrypted drives, but also that the device can’t be booted without knowledge of a PIN, and that the drive can’t be removed and decrypted on any other device. This approach—using data encryption as an authorisation tool—is a powerful combination.
A Tougher Problem: Auditing
Encryption provides confidentiality. But auditing is a tenet of the DLP framework that can be more difficult to manage. Regarding auditing, consider this: when an executive leaves her laptop in the back of a taxi, an important question that must be answered as quickly as possible is this: what data was on that device? For many organisations, if a security baseline has been established such that all data in the device is known to have been encrypted, answering what data was present may be uninteresting. But for other organisations, especially in situations where disk encryption is encouraged but not enforced, auditing access to unencrypted becomes critically important.
For example, the corporate email server has a record all of messages retrieved (or read online) by that user. But the situation is more complicated if a cloud email service such as Gmail or Office 365 is being used. Indeed, in the absence of email encryption policy to mitigate this risk, new technologies are needed in order to provide this auditing capability. An example of such a technology is Plasma, an IETF data protection draft standard. Plasma requires users to obtain a read token, associated with a thumbprint of the document or message, from a policy server before the data can be accessed. This provides the security administrator with an audit log of the data that was decrypted by a given user on a given device.
Device Attributes and Claims-Based Authorisation
Plasma is an example of an authorisation technology as well. With Plasma, the administrator can assert that only user that meet certain criteria at the time of the request can obtain permission to read the data. Likewise, read capabilities can be restricted to devices that are rootkit- and virus-free, and that are using disk encryption. Such device policies are possible to enforce by way of the Trusted Platform Module (TPM), the tamper-resistant security logic present on most new servers and mobile devices.
In fact, the TPM gives us another powerful tool for mitigating DLP risk, the ability to bind cryptographic keys to a specific device in a specific state. In the example above, suppose an authorised user obtains read permission on a policy compliant device, but then disables disk encryption shortly thereafter. Ideally, we would like for the ability to read the data to be lost immediately when the device becomes non-compliant. The TPM allows us to do this by way of the following mechanism:
- The server completes a handshake with the client device. The handshake demonstrates to the server that the client device is indeed using a known-good TPM.
- The server applies policy to the device measurements available from the TPM – is there a rootkit, is anti-virus enabled, is disk encryption enforced, etc.
- The server creates a cryptographic key and encrypts it to the device TPM in such a way that only that TPM can decrypt it, and only so long as the device policy measurements remain unaltered.
- The server encrypts the requested data using the TPM-bound key and sends that data to the device
Windows Server 2012 R2 includes support for TPM protected key management in the Enterprise Certificate Authority (CA) role. For more information, see Support for Certificate Renewal with Same Keyon TechNet. JW Secure is developing a solution that complements the Windows CA with end to end enforcement of more complex key protection policies.
In summary, with the Four Tenets of Security framework in mind, DLP is a tractable problem. But while security technology is amazingly advanced, so is the motivation and sophistication of our adversaries. Still, there’s an analogy to home and automobile security systems: all things being equal, the criminal is less likely to break into your house if you have a security system and your neighbor doesn’t. Instead, the thief will choose the easier target: the neighbor; likewise for electronic data assets. Invest the time to classify your data, and apply the strongest protection to the most valuable data. By establishing data security policies, you enable your employees to better do their jobs and to protect the long term interests of the organisation. In short, security keeps the money flowing.