Changing the security fortress mentality of banking software
Context-aware security will improve security and usability but to get there we have to start thinking outside the box…
Context-aware security will improve security and usability but to get there we have to stop thinking about security as a wall and start thinking about it as a nervous system.
Last month I wrote about context-aware security and how it could lead to a generation of applications that deliver smarter security decisions and better usability.
Context-aware security uses information from sensors in the software to build a real-time context for the application as it is being used. This context enables smarter security decisions. Where traditional applications have inflexible security protocols, context-aware applications use their situational awareness to make security dynamic and responsive to the application’s environment. These new applications progressively raise or lower their guard and are also better able to protect themselves from unknown forms of attack.
To achieve this step-change in security, those of us who develop software will have to start thinking about application security in a very different way.
As Gartner rightly points out in their report, The Future of Information Security is Context Aware and Adaptive:
“Context-aware and adaptive security will be the only way to securely support the dynamic business and IT Infrastructures emerging during the next 10 years”
I’ve been giving some thought to how we should design situational awareness into financial software products; how to add smart security to the arsenal in the fight against cybercrime.
The software security model as a fortress:
Let’s start by considering a common analogy for the traditional software security model – the fortress or castle.
Much of the security that we rely upon today, from individual applications to corporate networks, uses a fortress-like approach to software design. Security is typically implemented like a thick castle wall built around an otherwise insecure and vulnerable core. The barrier is separate and distinct from its contents and entry to the core is only permitted through a small number of heavily guarded entrances.
The fortress approach is easy to understand and, crucially, is easily retrofitted to software that’s old or designed with inadequate security to begin with.
Putting a wall around software creates an obvious and imposing barrier and can provide strong protection against known attacks, but anyone who can force or bluff their way past the wall faces little resistance thereafter.
Since the only way to increase the level of security is smaller doors or more and thicker walls, a secure fortress can make life difficult or uncomfortable for legitimate users as well as deterring attackers.
The fortress is not intelligent. Its goal is to prevent intrusions, not learn more about the potential intruders. Yet data about the intruder is there for the security system to collect and respond to. It is critical to leverage this data because cyber-criminals are continually probing our perimeter to find new ways in. Our security systems must be aware and respond.
Moving beyond the fortress:
What should we build instead?
We need to think about the next generation of security a little less like a fortress and more like a modern, international hotel.
The modern hotel familiar to those who travel is an intelligent, integrated whole. It is designed to control and monitor ingress and egress, to assure guests’ privacy, comfort and security and to keep them safe from threats as dangerous and diverse as fires and terrorist attacks.
At the heart of a busy international hotel is a sophisticated ‘nervous system’ fed by a network of people and sensors that detect what’s going on inside the building in real time. Safety and security are part of the building rather than a separate layer built around it. A major component of the system is situational awareness, with inputs from cameras in elevators, smoke detectors in hallways and electronic entry systems to hotel rooms. But the guest’s experience of the hotel is also paramount, so the security system built around them is all but invisible. It is non-intrusive, but shows itself enough to give the guest the reassurance of knowing that their safety is looked after.
The benefits of this model are perhaps best illustrated in the way hotels deal with the threat of fire. The building monitors and responds to fire as a whole entity. Smoke or heat detectors determine the likely nature, scale and location of the threat. The building management system, alerted to the suspicion of danger, makes decisions about the most appropriate response. Because the building’s components are connected digitally to a single central control system, everything from sprinkler systems to the air conditioning system to the elevators and alarms can all be recruited to deal with the threat. Indeed, we have come to expect that modern hotels will have monitoring stations for operators to view the displays and alerts generated by the building management systems. The hotel has a duty of care to watch over the security of their guests.
To bring our analogy back to the world of software design, we can see the building analogy applied in OWASP’s context-aware security prototype, AppSensor.
Instead of smoke alarms and heat detectors, AppSensor has a ‘nervous system’ of 60 detection points – sensors that detect undesirable or unusual events that can range from an outright cyber-attack to the mildly suspicious.
The detection points provide a rich flow of data about application context and user behaviour and, as in our modern hotel’s building management system, the sensors pass this data to an intelligent central control system. The rule-based central control system interprets the data, forms an opinion about the current level of security and responds appropriately.
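To make the sensor-to-control-system flow concrete, here is a small sketch added for illustration; it is not AppSensor's code or API. The detection point names, thresholds, time windows and responses are all hypothetical, and in this sketch the guard level is only ever raised.

```python
from collections import defaultdict, deque

# Hypothetical rules: detection point -> (event count, window in seconds, response).
RULES = {
    "failed_login":           (3, 60,  "step_up_auth"),
    "unexpected_http_method": (2, 300, "log_and_alert"),
    "tampered_parameter":     (1, 300, "lock_account"),
}
# Responses ordered from lowest to highest guard level.
SEVERITY = ["none", "log_and_alert", "step_up_auth", "lock_account"]


class ControlSystem:
    """Central rule engine: sensors report events, it decides the response."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.events = defaultdict(deque)          # (user, point) -> timestamps
        self.guard = defaultdict(lambda: "none")  # user -> current response

    def report(self, user, point, ts):
        """Record one detection-point event; return the user's guard level."""
        if point not in self.rules:
            return self.guard[user]               # unknown sensor: no change
        threshold, window, response = self.rules[point]
        seen = self.events[(user, point)]
        seen.append(ts)
        while ts - seen[0] > window:              # forget events outside the window
            seen.popleft()
        if len(seen) >= threshold and \
                SEVERITY.index(response) > SEVERITY.index(self.guard[user]):
            self.guard[user] = response           # raise the guard, never lower it
        return self.guard[user]


# Constructed sample events: (user, detection point, timestamp in seconds).
SAMPLE = [
    ("alice", "failed_login", 0),
    ("alice", "failed_login", 200),        # first attempt has aged out
    ("bob", "failed_login", 10),
    ("bob", "failed_login", 20),
    ("bob", "failed_login", 30),           # third within 60 s
    ("bob", "tampered_parameter", 40),     # single event is enough
    ("alice", "unexpected_http_method", 210),
]


def replay(events):
    """Feed events through a fresh control system; return the guard after each."""
    cs = ControlSystem()
    return [(user, point, cs.report(user, point, ts)) for user, point, ts in events]
```

Replaying the sample leaves alice untouched, because her two failed logins fall in different windows, while bob is first asked for stronger authentication and then locked out after the tampered parameter.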
In future we will see less separation between the parts of software that are concerned with ‘security’ and the parts that aren’t. Instead, all parts of a system will combine to provide a real-time context for security decisions and all parts of the software will be available to its defence.