Mon Nov 24 05:37:58 PST 2014

Content control: Data in use: How should data in use be protected?


Options:

Option 1: Use trusted systems with provable separation mechanisms.
Option 2: Use operating environments with solid process separation.
Option 3: Configure discretionary access controls to protect temporary areas.
Option 4: Use cryptographic transforms to allow confidential computation in the open.
Option 5: Only use sensitive content in well controlled areas of the environment.
Option 6: Use configuration controlled computers for sensitive computation.
Option 7: Use real-time checks on data just prior to use.
Option 8: Use redundant computation to assure proper answers and availability of results.
Option 9: Use sanity checks and other similar validation for important results.
Option A: Use microzones to control and enable access only while in use.
Option B: Use local augmented hardware protection.
Option C: Use published methods.
Option D: Use transaction records.
Option E: Do nothing special.

Decision:

"No" indicates that the approach is too expensive to reasonably apply. IACUTRS stand for Integrity, Availability, Confidentiality, Use control, Accountability, Transparency, and Custody respectively. They are used to indicate what protection objectives may be reasonably be addressed by these controls over data in use at these risk levels. For high risk, we generally advise at least two covers for each of IACUTRS, and for Medium risk, at least one cover of each. For each standard approach identified, indicate what controls are in use and the overall coverage attained.
Approach Low Risk Medium risk High risk
Trusted systems No IACUTRS IACUTRS
Strong separation OSs IACUS ICUS IC
DAC temporary area separation No IC IC
Cryptographic transforms CU U No
Control locations of use IACUTS IACUTS IACUTS
Configuration controlled computers IACUT IACUT No
Local augmented hardware protection ICU ICU ICU
Real-time pre-use checks I I I
Redundant computations No A IA
Validate outputs No I IT
Microzones ICUS ICUS IUS
Published methods IR IR R
Transaction records TR TR TR
Overall objectives met . . .
Controls over data in use

Basis:

Use trusted systems with provable separation mechanisms.
Trusted systems such as those used to separation classified information have, in some cases, provably correct process separation mechanisms. These provide protection against outside influences including resource consumption, alteration, leakage, breaks in accountability, and use by unauthorized users. They also provide chain of custody information through their strong audit mechanisms and are typically using published and reviewed methods, improving integrity and transparency.

Use operating environments with solid process separation.
Operating systems with solid process separation include modern version of Windows, Unix-like operating systems, and most other widely used general purpose operating systems. Use of these methods can improve custody, but only to a limited extent.

Configure discretionary access controls to protect temporary areas.
Configuration controls over temporary areas prevent interference with data values in temporary areas including file storage areas used by processes. Programs often fail to provide proper protection for their files and default values are sometimes overly broad for control over the content in use.

Use cryptographic transforms to allow confidential computation in the open.
These mechanisms use encrypted forms of content that have particular properties that allow the encrypted forms to be useful for specific types of computation. The most common use is for things like password protection, where plaintext of passwords is never stored and in use, passwords are checked by passing them through a one-way cryptographic hash function and comparing results to the stored hash. This is only workable when the number of values is high enough and the algorithm complex enough to prevent exhausting the value space. Its use for things like social security numbers is relatively easy to defeat, and thus while it affords limited protection, it is not sound for substantial threats. It also takes a great deal of performance for all feasible approaches today other than the strict comparison of values, and even these are significantly slowed.

Only use sensitive content in well controlled areas of the environment and in specific physical locations.
In a zones and physically secured environment, these controls may be adequate to reduce threats and available exploitation paths to a desired level. However, this depends on the properties of a lot of other controls. This also helps support chain of custody by limiting locations.

Use local augmented hardware protection.
This includes methods like directional screen covers to limit angle or readability, physically securing input and output device ports, hardened enclosures or packaging, local biometrics, and similar methods.

Use configuration controlled computers for sensitive computation.
This is an effective means for limiting the things that can happen in the normal environment, however; it is only of limited utility for higher threat levels.

Use real-time checks on data just prior to use.
These include antivirus checks just prior to execution of programs, integrity shells, and other similar pre-use checks. For each program, integrity checks for all incoming data should be applied, and this also falls under this category.

Use redundant computation to assure proper answers and availability of results.
Redundant computation ranges from having multiple DNS servers for assured availability to the use of N-modular redundancy for assuring proper results in computations for life-critical applications and real-time control systems.

Use sanity checks and other similar validation for important results.
Output checks on the results are sensible when the results are important enough to cause significant harm. Checks of audit records against executions are also used to assure accountability in some high risk systems.

Use microzones to control and enable access only while in use.
Microzoning and its combination of encryption and virtual machines (VMs) provide for separation of use in time (the VM running state and content are only available while in use), in use by VM (i.e., separate VMs have little or no direct interaction - but do have covert channels) and decryption of content (VMs may selectively decrypt content internally for use in a microzoning approach). At this granularity level, these mechanisms can be effective, but they are not normally high surety today.

Use published methods.
Published methods are typically better vetted and more widely understood. This makes actions more transparent and, to a lesser extent improves integrity..

Use transaction records.
Transaction records track each use at some level of granularity, typically identifying inputs, outputs, and actions taken / methods applied. This supports the ability to review what took place and allow for processes to be later verified and or redone with the same or other methods. This makes processes more accountable and transparent.

Use microzones to control and enable access only while in use.
Microzoning and its combination of encryption and virtual machines (VMs) provide for separation of use in time (the VM running state and content are only available while in use), in use by VM (i.e., separate VMs have little or no direct interaction - but do have covert channels) and decryption of content (VMs may selectively decrypt content internally for use in a microzoning approach). At this granularity level, these mechanisms can be effective, but they are not normally high surety today.

Do nothing special.
It speaks for itself. In low risk systems, due diligence probably dictates some controls in some situations, but this remains a feasible option.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved