Full Text: Booz-Allen Principal's Testimony at IRS Restructuring Commission Meeting
- Authors: Mahaffee, Joseph
- Institutional Authors: Booz-Allen & Hamilton Inc.
- Cross-Reference: For prior coverage, see Doc 97-7352 (5 pages), 97 TNT 50-3, or H&D,
- Subject Area/Tax Topics:
- Index Terms: tax administration; IRS, budget; compliance; returns, information; IRS, records management
- Jurisdictions:
- Language: English
- Tax Analysts Document Number: Doc 97-7357 (10 pages)
- Tax Analysts Electronic Citation: 97 TNT 51-59
INFORMATION SECURITY TECHNOLOGY AND TRENDS
presented to
The National Commission on Restructuring
the Internal Revenue Service
March 13, 1997
prepared by
Joseph Mahaffee
Booz-Allen & Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102

Edward Rothenheber
Booz-Allen & Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102
Acknowledgments
Special thanks to:
Armando Gomez and Chuck Lacijan for providing Booz-Allen & Hamilton
Inc. the opportunity to brief The National Commission on
Restructuring the Internal Revenue Service
Melissa Hathaway for establishing contact with the information
security staff at Booz-Allen & Hamilton Inc. and facilitating the
opportunity for the authors to present their views on information
security technology and trends
Deborah Banning, Rich Dean, Joanne Evans, Dale Hapeman, Stuart Moore,
Mike Otten, and Tom Russell for their technical contributions
INFORMATION SECURITY TECHNOLOGY AND TRENDS
BACKGROUND
[1] More than ever, the national security departments and agencies are being challenged to provide affordable, interoperable, and evolutionary network security solutions in a timely manner. Over the last few years, they have recognized the dramatic benefits offered by highly interconnected information systems, as illustrated by our nation's dependence on them in all facets of society. However, they also recognize that this interconnection exposes our national information systems to the borderless threat of Information Warfare (IW). So while changes in the political climate have reduced some mission threats, new threats are emerging within the networked world.
[2] Over the past year, it has become a weekly or even daily routine to hear about successful attempts by hackers to break into networks from around the world with the intent of eavesdropping on, modifying, spoofing, or disrupting the information systems and/or the information they process and store. Of course, for any Department of Defense (DoD), Federal, or commercial security system, the ultimate objective is to prevent unauthorized disclosure or undetected modification of user information and system resources while ensuring the availability of the system to authorized users. Typically, the national security departments and agencies use six security services, as shown below, to achieve this objective:
o CONFIDENTIALITY -- Ensures the privacy of the information and
prevents an unauthorized third party from reading the data.
o INTEGRITY -- Ensures that the system configuration,
application software, and associated data have not been
modified or destroyed without authorization.
o AUTHENTICATION -- Ensures that the person or system with whom
you are exchanging information is in fact the person or
system they claim to be.
o NON-REPUDIATION -- Provides proof that a party performed an
action (e.g., sent or received a message), so that the party
cannot later deny having done so.
o ACCESS CONTROL -- Limits access to the system and its data to
those who are authorized.
o AVAILABILITY -- Ensures the system or information is available
when needed.
[3] Any of these services may be implemented by physical, administrative, procedural or electronic mechanisms. Often, a combination is employed. From a practical perspective, many of the security services can be implemented with cryptographic products. In fact, the same cryptographic product can be used to encrypt the data, authenticate the user, maintain data integrity with digital signatures, and support system availability. Trusted security products can also support many of the security services, except for confidentiality. However, trusted security products are more expensive and trusted technology is relatively immature. Given that cryptographic products are more readily available and less expensive than trusted products, they appear to offer a more reasonable set of solutions for the IRS and other Federal communities.
[4] The assurance provided by any of the security services previously mentioned can be ascertained by determining the strength and correctness of the mechanism that provides the service. For physical, administrative, and procedural mechanisms, the assurance level is determined by reviewing the processes that are implemented. For electronic mechanisms, empirical or exhaustive techniques (e.g., trying every possible key) are generally used. In recent weeks, the news media reported that a high school student required only three hours to successfully "break" a cipher using a 40-bit key. For cryptographic devices, the assurance level or strength is largely dependent on the length of the keys used by the algorithm, since each additional key bit doubles the work of an exhaustive search. In national security applications, where classified information is processed, or in Federal and commercial applications where privacy is a major concern, higher assurance levels are required, which necessitates the use of longer keys.
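As an added illustration of the exhaustive technique referred to in paragraph [4] (this example is not part of the original testimony), the following Python script recovers a deliberately short key by trying every value. HMAC-SHA256 stands in for the cipher and the message is constructed; the key space, not the algorithm, is what is weakened. Timing 12-, 16- and 20-bit keys shows the doubling per bit that makes a 40-bit key breakable in hours on one machine and much longer keys impractical to search.

```python
"""Exhaustive key search against a deliberately short key (added example)."""
import hashlib
import hmac
import secrets
import time

# Constructed sample data; any fixed message works.
MESSAGE = b"constructed sample: taxpayer return, filed 1997-03-13"


def mac(key_int: int, key_bits: int, msg: bytes = MESSAGE) -> bytes:
    """HMAC-SHA256 of msg under key_int encoded as a key_bits-bit key.

    HMAC stands in for the cipher being attacked; the weakness is the
    size of the key space, not the algorithm."""
    key = key_int.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def brute_force_key(tag: bytes, key_bits: int, msg: bytes = MESSAGE):
    """Try every one of the 2**key_bits keys until one reproduces tag.

    Returns the key, or None if nothing matches (which cannot happen
    for a tag produced by mac())."""
    for candidate in range(1 << key_bits):
        if hmac.compare_digest(mac(candidate, key_bits, msg), tag):
            return candidate
    return None


def worst_case_trials(key_bits: int) -> int:
    """Evaluations an exhaustive search needs in the worst case: one per key."""
    return 1 << key_bits


def measure(key_bits: int) -> tuple:
    """Draw a random key, recover it by search, report (found, true, seconds)."""
    true_key = secrets.randbelow(1 << key_bits)
    tag = mac(true_key, key_bits)
    start = time.perf_counter()
    found = brute_force_key(tag, key_bits)
    return found, true_key, time.perf_counter() - start


if __name__ == "__main__":
    for bits in (12, 16, 20):
        found, true_key, secs = measure(bits)
        assert found == true_key
        print(f"{bits:2d}-bit key: {worst_case_trials(bits):>9,} trials max, "
              f"recovered in {secs:.2f}s")
```

Running the script prints one line per key length; the time roughly increases sixteenfold between 12 and 16 bits and again between 16 and 20. Extrapolating the per-trial cost to 2**40 trials gives the order of magnitude the news report above describes, and to 2**128 trials a figure no budget reaches, which is the whole argument for longer keys.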
[5] The successful application of security services and mechanisms requires security management support for the overall operational environment. Specifically, security management includes the distribution, collection, and analysis of management information (e.g., cryptographic keys, audit data, registration data) for the security services and mechanisms. One of the primary issues noted with the implementation of security management functions concerns the distribution of security management responsibilities across multiple security administrators. For example, one person may be responsible for monitoring the firewall and a second may be responsible for administering the web site. Case studies have shown that hackers often attempt to penetrate multiple points in a network. Unfortunately, news of a potential attack at one point is not always communicated to the other system administrators whose systems may also be under attack. This example highlights the need for the IRS and all defense, civil, and commercial organizations to implement a coordinated security management approach.
TRENDS AND TECHNOLOGIES
[6] From the perspective of the national security departments and agencies, it is obvious that the "groundrules" have changed dramatically over the past decade with respect to defining and fielding security solutions. These changes are being driven by several major paradigm shifts in the public and private networking world, and within the DoD and Intelligence communities as shown below:
o Rapid evolution of information technology and systems
o Explosive growth of the Internet
o Evolution from "stovepipe" to open, integrated, multimedia
systems
o Increasing public and commercial awareness and concern over
network and information security
o Increasing availability and compatibility of commercial
network products and solutions
o Transformation from requirements driven to market driven
solutions
o Evolution from risk avoidance (absolute security) to risk
management (adequate or appropriate security)
o Migration from standalone "Black Boxes" to integrated system
security solutions
o Transformation from product development to customer service
orientation
o Migration from stand-alone systems connected by point-to-point
links to networked systems
o New emphasis on security for "sensitive but unclassified
(SBU)" applications, in addition to classified applications
o Unprecedented downsizing, staff turnover, and budget reduction
[7] Two obvious challenges that the national security departments and agencies are facing as a result of these paradigm shifts are: 1) keeping pace with rapidly evolving technology and a rapidly emerging network security market in which future directions are sometimes unclear, and 2) continuing to improve system security processes and procedures that reflect more of a commercial orientation.
[8] In general, the national security departments and agencies are responding to these changes by placing more emphasis on:
o Establishing new policies, procedures, and criteria that will
adequately address the changing threat environment and yield
consistent and reliable security solutions
o Developing security architectures and generic security
solutions that may be tailored to meet specific applications
o Defining security standards and protocols that can be
integrated into commercial standards and protocols
o Fielding currently available security products and tools that
will help them "close the front doors" to their networks and
optimize system performance
o Evaluating and using commercial off-the-shelf (COTS) products
and systems
[9] In the following paragraphs, we will discuss the efforts being pursued and how they may be applied to the IRS applications.
[10] DEFINING POLICIES, PROCEDURES AND CRITERIA: In the post-Cold War environment, defense budgets have continued to decline. As such, the notion of perfect security is being replaced with that of affordable security and user-assumed risk. This change, more than any other, is driving security analysts to develop and apply improved security analysis procedures, tools, and methodologies that can effectively deal with the complexity of modern information systems and provide balanced, cost-effective security solutions.
[11] One of the biggest challenges for the defense, civil, and commercial communities is to develop and implement policies and business processes that are in many ways equivalent to or better than existing processes. In general, security technology is available or will be available in the very near future. The real challenge is to integrate those technologies in the context of the business processes. To do this most effectively, the IRS will have to examine its current policies and processes from an information perspective, define a set of security policies and requirements based on the information content, develop a security strategy that takes into account its existing system architecture and its desired system capabilities, and define a migration plan given the current and future availability of security technology. Achieving a common view on security as it relates to the IRS business processes will be paramount, particularly when considering taxpayer trust and acceptance.
[12] Information engineering will be the key for successful integration of security services into any information system. In this process, it is most important for the "owners" of the information to establish the system requirements, including general requirements for security. The security analyst can then work with the system designers and administrators to define the appropriate security solutions, based on information content and business practices.
[13] DEVELOPING SECURITY ARCHITECTURES: A system security architecture is a means for describing the structure and organization of the security aspects of an information technology system or application. It provides a conceptual means to grasp how a large, complex system will be made secure without unduly constraining the actual implementation. By defining the security services and functions that must be provided and the relationship between these security services and functions, the system security architecture provides a foundation for designing and building systems within common structures, using consistent standards. This approach promotes interoperability, commonality of security solutions, and a thorough understanding of how system security is being provided. The DoD has successfully applied this approach in the development of its security architectures (e.g., the Defense Message System and the Defense Information Systems Network).
[14] As the IRS systems and networks continue to evolve, it will be important that a comprehensive information technology and security strategy be developed from which a system security architecture could be defined. Additionally, it will be increasingly important to model the system architecture in an effort to predict performance issues associated with integrating security services into the network and scaling the network size to meet user (i.e., the taxpayer) demands. Developing and modeling the security architecture will allow the IRS to focus on the information content and consistently implement security solutions throughout the networks and systems. The IRS should leverage the results of current security architectures (e.g., Target Security Architecture for the Defense Information Infrastructure [DII]) developed for the DoD, as appropriate. Doing so will promote compatibility between the Defense Information Infrastructure and the National Information Infrastructure.
[15] DEFINING SECURITY STANDARDS AND PROTOCOLS: The national security organizations have made a conscious decision to limit the development of custom products and systems, in favor of using commercial off-the-shelf (COTS) hardware and software. To ensure the COTS products incorporate appropriate security services that meet their needs, the Government is placing a significant amount of energy into the definition and development of security standards and protocols. Specifically, the DoD is working directly with the national and international standards bodies, such as the Internet Engineering Task Force (IETF) to influence future standards and protocols, with respect to key management and other security services. Additionally, they are working with several product vendors and service providers, such as RSA, Netscape, and Microsoft to name but a few, to collaborate on the development of security protocols that will be implemented in their respective offerings. By doing so, they have taken the burden off the Government to supply their customers with specific security products. Instead, they have created a market that will promote interoperability and competition for security products and services that may be employed in IRS and other Federal applications.
[16] FIELDING PRODUCTS AND TOOLS: Many security products have been developed to provide security services and to meet threats to information systems and data. These products range from those narrowly designed to provide a specific service, such as encryptors, to more general products, such as firewalls, which can be configured to provide a variety of services. The products themselves can be loosely grouped into the following classes:
o FIREWALL: A firewall is used to protect a network from another,
untrusted network (e.g., the Internet). Its main purpose is to
control access to or from a protected network. Firewalls
shield a network from protocols and application services that
can be abused from hosts outside the shielded network.
Firewalls can generally be configured to meet a user's
specific requirements. For example, many firewalls maintain
access control lists to identify users who are allowed to
enter or exit through the firewall. The range of capabilities
of firewalls varies by product and user needs, so care must be
taken to select a firewall that meets the operational
requirements. Organizations throughout the Department of
Defense (DoD) are deploying firewalls to protect their
enclaves from attacks launched from the Internet and even from
their connections to the Defense Information Systems Network
(DISN). For IRS applications, where users and third parties
log in and access the IRS Web site, it may be appropriate to
consider implementing multiple firewalls, or a single firewall
with multiple network interfaces, so that separate public and
private (IRS) information domains can be established and the
traffic allowed between them limited to the few services that
must cross. Most organizations implement a single firewall in
front of a single flat network, which provides some inherent
protection. However, if a hacker is able to penetrate that
firewall, or the public Web server behind it, the hacker in
this scenario would have direct access to the private
information as well.
o SECURE APPLICATION PACKAGES: Many software developers are
including security features directly into their applications
(e.g., e-mail, web browsers, database). For example, every
computer user is familiar with being prompted to enter a
password. These application packages make good use of the
network environment by distributing information repositories
and allowing multiple users to access and share information.
These very capabilities raise specific security concerns with
respect to maintaining the confidentiality and integrity of
information as it moves through the network and ensuring only
authorized users have access to the information. Additionally,
with recent developments in the web environment, users are
downloading and executing software on their machines without
any assurance of the source or integrity of the software. This
capability, while facilitating the transfer of information,
creates additional security concerns (e.g., viruses, trojan
horses). The security being integrated into these application
packages presumably addresses these concerns, but the degree
of protection varies from product to product. As subsequently
discussed in the section concerning "Evaluating COTS
Products", it would be beneficial to have an independent
agent, similar to Underwriters Laboratory, evaluate and
disseminate information regarding the security actually
provided by a given product in a specific environment.
o PUBLIC KEY INFRASTRUCTURE: The public key infrastructure (PKI)
supports public key cryptography. Public key cryptography is a
special class of cryptographic algorithms in which each user
holds a pair of keys: a private key that is never shared, and
a public key that can be exchanged openly with other users on
a network. The two users' key pairs are used to establish (or
to protect in transit) a secret session key, which in turn is
used to encrypt the data exchanged between them; the private
key is also what allows a user to digitally sign data. These
algorithms provide inherent benefits associated with
minimizing the logistical burden of having to physically
distribute secret keys to all potential users prior to their
being used. With the exception of a few secure voice
applications, most of the encryption algorithms used in
national security applications today do not make use of public
key cryptography, simply because the technology was not
available when the systems were developed. However, public key
cryptography is clearly the preferred choice for future
security applications, particularly given that newer versions
of public key algorithms will support higher transmission
speeds, provide greater protection, and be more efficient.
o CERTIFICATE AUTHORITY: The certificate authority supports
public key cryptography. The certificate authority is
responsible for registering end users, defining their security
privileges, and providing them with certificates that are used
to support cryptographic functions. In many ways an analogy
can be drawn between the PKI and acquiring a driver's license.
Specifically, a driver's license is the certificate a user
presents to authenticate his right to operate a car and a PKI
certificate is a mechanism that can be used to authenticate a
user to access and "operate" a remote computer. Carrying the
analogy one step further, the Motor Vehicle Administration is
responsible for verifying a driver's information, determining
his/her rights to operate different vehicles (e.g., cars,
motorcycles, or tractor trailers), and issuing the license.
The certificate authority performs a similar operation for the
user's PKI certificate.
In general, the technology associated with the certificate
authority is available today, but the specific policies and
procedures are still being defined and implemented by industry.
Potential organizations being considered as the certificate
authorities include the U.S. Postal Service and banking
institutions. Assuming the IRS moves forward with a plan to
implement a public key infrastructure, decisions will have to
be made as to whether the IRS should use the Federal-wide
certificate authority or one unique to the IRS.
o SECURE TOKENS: The most common means of identifying and
authenticating a user is the password. However, significant
vulnerabilities have been identified with the use of
passwords (they can be guessed, shared, or captured as they
cross the network). Secure tokens have been developed to
combat these vulnerabilities and to provide a more secure
means of identifying and authenticating users. The most
common form of a token is a card that contains information
specific to a user. For example, the card can contain the
user's private key, which in public key cryptography allows
the user to authenticate themselves (by signing a challenge)
or establish a cryptographically protected communication
connection across the network. The
private sector and the national security communities have
developed secure token systems. These systems are expected to
be used more frequently for commercial and Government
applications. However, the IRS will have to decide if a common
token may be used for multiple applications (e.g., filing tax
returns, trading stock) or if an IRS unique token would be
required.
o NETWORK INTRUSION DEVICES: Network intrusion devices monitor
the operation of the user's networks. For example, a network
intrusion device will look at the unsuccessful login
attempts. These attempts could signify that a hacker is trying
to penetrate the network. Additionally, these devices can
monitor the flow of information and compare it to normal
operations to detect unusual activities. State-of-the-art
intrusion detection devices analyze information exchanges in
real time and can cut off the communications link when
unusual activity is detected.
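The public/private domain split described under FIREWALL above, as an added example that is not part of the original testimony: a small Python model of a two-zone policy. The address ranges, the web and database hosts, and the port numbers are assumed; what it demonstrates is first-match rule evaluation with a default deny, plus an audit function showing that even a fully compromised public Web server can reach exactly one port in the private domain.

```python
"""Two-domain firewall policy: public (DMZ) and private (IRS) zones (added example).

Addresses, host names and ports are assumed for illustration. Rules are
evaluated first-match with a default deny, the way most packet filters
work, so anything not explicitly allowed between zones is refused."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan (constructed; documentation and RFC 1918 ranges).
ZONES = {
    "public": ipaddress.ip_network("192.0.2.0/24"),    # DMZ: web servers
    "private": ipaddress.ip_network("10.10.0.0/16"),   # IRS internal systems
}
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
DB_SERVER = ipaddress.ip_address("10.10.5.20")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]                 # None matches any port
    action: str                          # "allow" or "deny"
    src_host: Optional[ipaddress.IPv4Address] = None
    dst_host: Optional[ipaddress.IPv4Address] = None


# Ordered policy: the first matching rule wins.
POLICY = [
    # The Internet may reach the public web server, and only on HTTPS.
    Rule("internet", "public", 443, "allow", dst_host=WEB_SERVER),
    # The web server may reach the database, and only on its listener port.
    Rule("public", "private", 1521, "allow", src_host=WEB_SERVER, dst_host=DB_SERVER),
    # Private systems may administer the DMZ over SSH.
    Rule("private", "public", 22, "allow"),
    # Nothing from the Internet may enter the private domain directly.
    Rule("internet", "private", None, "deny"),
]


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Zone containing ip; any address outside the internal ranges is 'internet'."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def evaluate(src: str, dst: str, dport: int) -> str:
    """Decide 'allow' or 'deny' for a connection src -> dst:dport."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.src_host is not None and rule.src_host != src_ip:
            continue
        if rule.dst_host is not None and rule.dst_host != dst_ip:
            continue
        return rule.action
    return "deny"  # default deny: the rule that matters most


def reachable_from(src: str, dst: str, ports=range(1, 1024)) -> list:
    """Ports on dst that src may reach: what a compromised src could touch."""
    return [p for p in ports if evaluate(src, dst, p) == "allow"]


if __name__ == "__main__":
    print(evaluate("203.0.113.7", "192.0.2.10", 443))       # allow
    print(evaluate("203.0.113.7", "10.10.5.20", 1521))      # deny
    print(reachable_from("192.0.2.10", "10.10.5.20", range(1, 2000)))  # [1521]
```

The reachable_from audit is the check worth running on a real rule base: enumerate what the public-facing host can reach if taken over, and expect the answer to be a short, deliberate list. With a single firewall and no zone split, the equivalent answer is "everything", which is the scenario the FIREWALL item warns against.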
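The PUBLIC KEY INFRASTRUCTURE, CERTIFICATE AUTHORITY and SECURE TOKENS items above describe one mechanism from three sides. The following Python script is an added example, not code from the original testimony or from Booz-Allen: a CA that signs certificates binding a user's public key and privileges (the "license" in the driver's-license analogy), and a relying party that checks the CA signature and then challenges the holder of the private key, as it would challenge a token. It uses textbook RSA over a SHA-256 digest with 512-bit keys and no padding or revocation, enough to show the roles and well short of what a real deployment needs; the CA name, subject name and privilege strings are assumed.

```python
"""Toy certificate authority plus token-style challenge-response (added example,
not from the original testimony): textbook RSA over a SHA-256 digest with
512-bit keys, no padding and no revocation, so the roles are visible. CA and
subject names and privilege strings are assumed. Not for real use."""
import hashlib
import json
import secrets
import time

SMALL_PRIMES = [p for p in range(3, 200)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512) -> tuple:
    """Return ((n, e), (n, d)); the private half is what a secure token holds."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(obj) -> int:
    """Canonical JSON -> SHA-256 -> int, always below a 512-bit modulus."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private: tuple, obj) -> int:
    return pow(digest(obj), private[1], private[0])


def verify(public: tuple, obj, signature: int) -> bool:
    return pow(signature, public[1], public[0]) == digest(obj)


class CertificateAuthority:
    """Registers users and issues signed certificates (the licensing role)."""

    def __init__(self, name: str):
        self.name = name
        self.public, self._private = generate_keypair()

    def issue(self, subject: str, subject_public: tuple, privileges: list,
              days: int = 365) -> dict:
        body = {"issuer": self.name, "subject": subject,
                "public_key": list(subject_public), "privileges": privileges,
                "not_after": int(time.time()) + days * 86400}
        return {"body": body, "signature": sign(self._private, body)}


def check_certificate(cert: dict, ca_public: tuple, now: int = None) -> bool:
    """Accept only certificates the CA signed and that have not expired."""
    now = int(time.time()) if now is None else now
    return (verify(ca_public, cert["body"], cert["signature"])
            and cert["body"]["not_after"] >= now)


def authenticate(cert: dict, ca_public: tuple, token_private: tuple,
                 needed: str) -> bool:
    """Relying party: check the certificate, then make the token sign a fresh
    nonce and verify it against the certified public key and privileges."""
    if not check_certificate(cert, ca_public):
        return False
    challenge = {"nonce": secrets.token_hex(16)}
    response = sign(token_private, challenge)       # computed on the token
    return (verify(tuple(cert["body"]["public_key"]), challenge, response)
            and needed in cert["body"]["privileges"])


if __name__ == "__main__":
    ca = CertificateAuthority("Assumed Federal CA")
    pub, priv = generate_keypair()          # pair loaded onto the user's token
    cert = ca.issue("taxpayer-0001", pub, ["file-return"])
    print(authenticate(cert, ca.public, priv, "file-return"))   # True
```

Two things the script makes concrete. The relying party never needs the user's private key, only the CA's public key and the certificate, which is why the certificate can be published; and a certificate whose body is altered (say, to add a privilege) fails the CA signature check even though every field looks plausible. The fresh nonce is what stops a captured response from being replayed, the weakness the SECURE TOKENS item attributes to passwords.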
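The coordination problem raised in paragraph [5] (an attack visible at the firewall and at the Web server but reported to different administrators) and the failed-login monitoring described under NETWORK INTRUSION DEVICES above are served by one added example below, which is not part of the original testimony. Both log feeds are constructed, and their formats, thresholds and time windows are assumed; the script normalizes both into one event list, flags bursts of failed logins, and flags any source that appears in both feeds within a short window, which neither feed shows on its own.

```python
"""Cross-administrator correlation of firewall and web audit data (added example).

Two constructed feeds stand in for the firewall administrator's view and the
web administrator's view. Each alone shows a handful of events; joined on
source address within a time window, they show one source probing the network
at more than one point. Log formats, windows and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: connection denies seen by the firewall admin ...
FIREWALL_LOG = """\
1997-03-12T02:14:03 DENY src=198.51.100.23 dst=192.0.2.10 dport=23
1997-03-12T02:14:05 DENY src=198.51.100.23 dst=192.0.2.10 dport=21
1997-03-12T02:14:09 DENY src=198.51.100.23 dst=192.0.2.11 dport=25
1997-03-12T09:30:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=139
"""
# ... and login failures seen by the web admin.
WEB_LOG = """\
1997-03-12T02:16:41 AUTHFAIL user=admin src=198.51.100.23
1997-03-12T02:16:44 AUTHFAIL user=root src=198.51.100.23
1997-03-12T02:16:50 AUTHFAIL user=irs src=198.51.100.23
1997-03-12T02:16:55 AUTHFAIL user=guest src=198.51.100.23
1997-03-12T11:02:10 AUTHFAIL user=jsmith src=203.0.113.77
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>DENY|AUTHFAIL) (?P<rest>.*)$")


def parse(log: str, origin: str) -> list:
    """Normalize one feed into events tagged with the administrator's feed name."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # lines outside the assumed format are skipped
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"],
                       "origin": origin, **fields})
    return events


def failed_login_bursts(events: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Sources with at least threshold AUTHFAIL events inside one sliding window.
    Maps source -> largest count seen in any window."""
    times = defaultdict(list)
    for ev in events:
        if ev["kind"] == "AUTHFAIL":
            times[ev["src"]].append(ev["ts"])
    hits = {}
    for src, stamps in times.items():
        stamps.sort()
        best = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if best >= threshold:
            hits[src] = best
    return hits


def multi_point_probes(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Sources seen in two different feeds within window of each other: the
    attack neither administrator would recognize from their own logs alone."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        linked = any(a["origin"] < b["origin"] and abs(a["ts"] - b["ts"]) <= window
                     for a in evs for b in evs)
        if linked:
            alerts.append({"src": src, "origins": sorted({e["origin"] for e in evs}),
                           "events": len(evs),
                           "first": min(e["ts"] for e in evs).isoformat()})
    return alerts


def analyze(firewall_log: str = FIREWALL_LOG, web_log: str = WEB_LOG) -> dict:
    """Merge both feeds and run both detections over the combined view."""
    events = parse(firewall_log, "firewall") + parse(web_log, "web")
    return {"bursts": failed_login_bursts(events), "probes": multi_point_probes(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

On the constructed data the firewall administrator sees three denied connections and the web administrator sees four bad logins, each a routine day; only the merged view shows that both come from 198.51.100.23 within three minutes. The two other sources, each seen by one administrator only, produce no probe alert, which is the false-positive check such a correlation rule needs.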
[17] EVALUATING COTS PRODUCTS: With the Government emphasizing the use of COTS products to satisfy the majority of their future needs, it is extremely important to have an understanding of all the products that are on the market and determine if the products perform as advertised. Unfortunately, most users of information technology products are unable to keep up with the multitude of security products hitting the market each day. Furthermore, the users generally do not understand the technical details with respect to how the products are configured and operated. They can only rely on information they read in brochures and journals, which often advertise the individual product capabilities, as opposed to examining the product in a system context. Evaluating security products from a system perspective is very difficult, particularly when considering the way systems and networks are customized to meet business objectives. The national security community has established programs and initiatives to monitor the availability of COTS products, evaluate their capabilities, and make smart decisions relative to their potential system applications. A similar effort to evaluate COTS products for a broader community (i.e., Federal and commercial) would be beneficial.
SUMMARY
[18] Once again, the basic set of security products and technologies are available or will be available in the very near future to support most known information applications. The real challenges lie in the areas of defining the policies and the business processes to take advantage of the security products and services. As appropriate, the business processes will have to change to accommodate the technologies or in some cases it may be necessary to develop a whole new set of processes. However, as with any system that attempts to automate existing business processes, the real success will be determined by the degree of trust and comfort established with the end users (i.e., taxpayers).