
Full Text: Booz-Allen Principal's Testimony at IRS Restructuring Commission Meeting

MAR. 13, 1997

DOCUMENT ATTRIBUTES
  • Authors
    Mahaffee, Joseph
  • Institutional Authors
    Booz-Allen & Hamilton Inc.
  • Cross-Reference
    For prior coverage, see Doc 97-7352 (5 pages), 97 TNT 50-3, or H&D, March 14, 1997, p. 3250.
  • Subject Area/Tax Topics
  • Index Terms
    tax administration
    IRS, budget
    compliance
    returns, information
    IRS, records management
  • Jurisdictions
  • Language
    English
  • Tax Analysts Document Number
    Doc 97-7357 (10 pages)
  • Tax Analysts Electronic Citation
    97 TNT 51-59
====== FULL TEXT ======

INFORMATION SECURITY TECHNOLOGY AND TRENDS

presented to

The National Commission on Restructuring the Internal Revenue Service

March 13, 1997

prepared by

Joseph Mahaffee
Booz-Allen & Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102

Edward Rothenheber
Booz-Allen & Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102

Acknowledgments

Special thanks to:

Armando Gomez and Chuck Lacijan for providing Booz-Allen & Hamilton Inc. the opportunity to brief The National Commission on Restructuring the Internal Revenue Service

Melissa Hathaway for establishing contact with the information security staff at Booz-Allen & Hamilton Inc. and facilitating the opportunity for the authors to present their views on information security technology and trends

Deborah Banning, Rich Dean, Joanne Evans, Dale Hapeman, Stuart Moore, Mike Otten, and Tom Russell for their technical contributions

INFORMATION SECURITY TECHNOLOGY AND TRENDS

BACKGROUND

[1] More than ever, the national security departments and agencies are being challenged to provide affordable, interoperable, and evolutionary network security solutions in a timely manner. Over the last few years, they have recognized the dramatic benefits offered by highly interconnected information systems, as illustrated by our nation's dependence on them in all facets of society. However, they also recognize that these systems expose our national information systems to the borderless threat of Information Warfare (IW). So while changes in the political climate have reduced some mission threats, new threats are emerging within the networked world.

[2] Over the past year, it has become a weekly or even daily routine to hear about successful attempts by hackers to break into networks from around the world with the intent of eavesdropping on, modifying, spoofing, or disrupting information systems and/or the information that they process and store. Of course, for any Department of Defense (DoD), Federal, or commercial security system, the ultimate objective is to prevent unauthorized disclosure or undetected modification of user information and system resources while ensuring the availability of the system to authorized users. Typically, the national security departments and agencies use six security services, as shown below, to achieve this objective:

o CONFIDENTIALITY -- Ensures the privacy of the information and prevents an unauthorized third party from reading the data.

o INTEGRITY -- Ensures that the system configuration, application software, and associated data have not been modified or destroyed.

o AUTHENTICATION -- Ensures that the person or system with whom you are exchanging information is in fact the person or system they claim to be.

o NON-REPUDIATION -- Provides positive confirmation that an action took place and who took it, so that the actor cannot later deny it.

o ACCESS CONTROL -- Limits access to the system and its data to those who are authorized.

o AVAILABILITY -- Ensures the system or information is available when needed.

[3] Any of these services may be implemented by physical, administrative, procedural, or electronic mechanisms. Often, a combination is employed. From a practical perspective, many of the security services can be implemented with cryptographic products. In fact, the same cryptographic product can be used to encrypt the data, authenticate the user, maintain data integrity with digital signatures, and support system availability. Trusted security products can also support many of the security services, except for confidentiality. However, trusted security products are more expensive and trusted technology is relatively immature. Given that cryptographic products are more readily available and less expensive than trusted products, they appear to offer a more reasonable set of solutions for the IRS and other Federal communities.

[4] The assurance provided by any of the security services previously mentioned can be ascertained by determining the strength and correctness of the mechanism that provides the service. For physical, administrative, and procedural mechanisms, the assurance level is determined by reviewing the processes that are implemented. For electronic mechanisms, empirical or exhaustive techniques are generally used. In recent weeks, the news media reported that a high school student required only three hours to recover a 40-bit cryptographic key by exhaustive search. For cryptographic devices, the assurance level or strength is largely dependent on the length of the keys used with the algorithm: each additional key bit doubles the work of an exhaustive search, and that protection holds only as long as the algorithm and its implementation offer no shortcut around the search. In national security applications, where classified information is processed, or in Federal and commercial applications where privacy is a major concern, higher assurance levels are required, which necessitates the use of longer keys.
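The following is an added worked example, not code from the testimony, showing how the key-length argument in the paragraph above plays out numerically. It takes the single data point the text reports (a 40-bit key recovered in about three hours), derives the search rate that implies, and projects the worst-case time for longer keys at that same rate. The rate is an assumption derived from that report, and the projection assumes that trying keys one by one is the only attack available.

```python
"""Key-length scaling for exhaustive key search (added worked example).

Not code from the Booz-Allen testimony. The search rate is an assumption
derived from the one figure the text reports: a 40-bit key in three hours.
"""

from dataclasses import dataclass

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

# Data point as reported in the text: 40-bit key, about three hours.
REPORTED_BITS = 40
REPORTED_HOURS = 3.0


def keys_per_second(bits: int, hours: float) -> float:
    """Search rate implied by exhausting a bits-bit key space in hours.

    Worst case, exhaustive search tries all 2**bits keys, so the rate is
    the key space divided by the elapsed time.
    """
    return (2 ** bits) / (hours * SECONDS_PER_HOUR)


def exhaustive_search_seconds(bits: int, rate: float) -> float:
    """Worst-case seconds to try every one of 2**bits keys at rate keys/s."""
    return (2 ** bits) / rate


def scaling_factor(from_bits: int, to_bits: int) -> int:
    """Every additional key bit doubles the key space, hence the work."""
    return 2 ** (to_bits - from_bits)


@dataclass(frozen=True)
class Projection:
    bits: int
    worst_case_years: float
    # How much faster the attacker's hardware must be to finish in one day.
    speedup_for_one_day: float


def project(bits: int, rate: float) -> Projection:
    worst = exhaustive_search_seconds(bits, rate)
    one_day = 24 * SECONDS_PER_HOUR
    return Projection(bits, worst / SECONDS_PER_YEAR, worst / one_day)


def projection_table(rate: float, lengths=(40, 56, 64, 80, 128)) -> list:
    return [project(b, rate) for b in lengths]


if __name__ == "__main__":
    rate = keys_per_second(REPORTED_BITS, REPORTED_HOURS)
    print(f"implied search rate: {rate:.3e} keys/s")
    for p in projection_table(rate):
        print(f"{p.bits:>3}-bit key: worst case {p.worst_case_years:.3e} years; "
              f"{p.speedup_for_one_day:.3e}x faster hardware needed to finish in a day")
```

At the implied rate, going from 40 to 56 bits (the key length of DES) multiplies the work by 2**16, turning three hours into roughly 22 years; the figures say nothing about an algorithm with a structural weakness, which is why key length is a necessary but not sufficient measure of strength.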

[5] The successful application of security services and mechanisms requires security management support for the overall operational environment. Specifically, security management includes the distribution, collection, and analysis of management information (e.g., cryptographic keys, audit data, registration data) for the security services and mechanisms. One of the primary issues noted with the implementation of security management functions concerns the distribution of security management responsibilities across multiple security administrators. For example, one person may be responsible for monitoring the firewall and a second may be responsible for administering the web site. Case studies have shown that hackers often attempt to penetrate multiple points in a network. Unfortunately, news of a potential attack at one point is not always communicated to the other system administrators whose systems may also be under attack. This example highlights the need for the IRS and all defense, civil, and commercial organizations to implement a coordinated security management approach.

TRENDS AND TECHNOLOGIES

[6] From the perspective of the national security departments and agencies, it is obvious that the "groundrules" have changed dramatically over the past decade with respect to defining and fielding security solutions. These changes are being driven by several major paradigm shifts in the public and private networking world, and within the DoD and Intelligence communities as shown below:

o Rapid evolution of information technology and systems

o Explosive growth of the Internet

o Evolution from "stovepipe" to open, integrated, multimedia systems

o Increasing public and commercial awareness and concern over network and information security

o Increasing availability and compatibility of commercial network products and solutions

o Transformation from requirements driven to market driven solutions

o Evolution from risk avoidance (absolute security) to risk management (adequate or appropriate security)

o Migration from standalone "Black Boxes" to integrated system security solutions

o Transformation from product development to customer service orientation

o Migration from stand-alone systems connected by point-to-point links to networked systems

o New emphasis on security for "sensitive but unclassified (SBU)" applications, in addition to classified applications

o Unprecedented downsizing, staff turnover, and budget reduction

[7] Two obvious challenges that the national security departments and agencies are facing as a result of these paradigm shifts are: 1) keeping pace with rapidly evolving technology and a rapidly emerging network security market in which future directions are sometimes unclear, and 2) continuing to improve system security processes and procedures that reflect more of a commercial orientation.

[8] In general, the national security departments and agencies are responding to these changes by placing more emphasis on:

o Establishing new policies, procedures, and criteria that will adequately address the changing threat environment and yield consistent and reliable security solutions

o Developing security architectures and generic security solutions that may be tailored to meet specific applications

o Defining security standards and protocols that can be integrated into commercial standards and protocols

o Fielding currently available security products and tools that will help them "close the front doors" to their networks and optimize system performance

o Evaluating and using commercial off-the-shelf (COTS) products and systems

[9] In the following paragraphs, we will discuss the efforts being pursued and how they may be applied to the IRS applications.

[10] DEFINING POLICIES, PROCEDURES AND CRITERIA: In the post-Cold War environment, defense budgets have continued to decline. As a result, the notion of perfect security is being replaced with that of affordable security and user-assumed risk. This change, more than any other, is driving security analysts to develop and apply improved security analysis procedures, tools, and methodologies that can effectively deal with the complexity of modern information systems and provide balanced, cost-effective security solutions.

[11] One of the biggest challenges for the defense, civil, and commercial communities is to develop and implement policies and business processes that are in many ways equivalent to or better than existing processes. In general, security technology is available or will be available in the very near future. The real challenge is to integrate those technologies in the context of the business processes. To do this most effectively, the IRS will have to examine its current policies and processes from an information perspective, define a set of security policies and requirements based on the information content, develop a security strategy that takes into account its existing system architecture and desired system capabilities, and define a migration plan given the current and future availability of security technology. Achieving a common view on security as it relates to the IRS business processes will be paramount, particularly when considering taxpayer trust and acceptance.

[12] Information engineering will be the key for successful integration of security services into any information system. In this process, it is most important for the "owners" of the information to establish the system requirements, including general requirements for security. The security analyst can then work with the system designers and administrators to define the appropriate security solutions, based on information content and business practices.

[13] DEVELOPING SECURITY ARCHITECTURES: A system security architecture is a means for describing the structure and organization of the security aspects of an information technology system or application. It provides a conceptual means to grasp how a large, complex system will be made secure without unduly constraining the actual implementation. By defining the security services and functions that must be provided and the relationship between these security services and functions, the system security architecture provides a foundation for designing and building systems within common structures, using consistent standards. This approach promotes interoperability, commonality of security solutions, and a thorough understanding of how system security is being provided. The DoD has successfully applied this approach in the development of their security architectures (e.g., Defense Message System and the Defense Information System Network).

[14] As the IRS systems and networks continue to evolve, it will be important that a comprehensive information technology and security strategy be developed from which a system security architecture could be defined. Additionally, it will be increasingly important to model the system architecture in an effort to predict performance issues associated with integrating security services into the network and scaling the network size to meet user (i.e., the taxpayer) demands. Developing and modeling the security architecture will allow the IRS to focus on the information content and consistently implement security solutions throughout the networks and systems. The IRS should leverage the results of current security architectures (e.g., Target Security Architecture for the Defense Information Infrastructure [DII]) developed for the DoD, as appropriate. Doing so will promote compatibility between the Defense Information Infrastructure and the National Information Infrastructure.

[15] DEFINING SECURITY STANDARDS AND PROTOCOLS: The national security organizations have made a conscious decision to limit the development of custom products and systems, in favor of using commercial off-the-shelf (COTS) hardware and software. To ensure the COTS products incorporate appropriate security services that meet their needs, the Government is placing a significant amount of energy into the definition and development of security standards and protocols. Specifically, the DoD is working directly with the national and international standards bodies, such as the Internet Engineering Task Force (IETF) to influence future standards and protocols, with respect to key management and other security services. Additionally, they are working with several product vendors and service providers, such as RSA, Netscape, and Microsoft to name but a few, to collaborate on the development of security protocols that will be implemented in their respective offerings. By doing so, they have taken the burden off the Government to supply their customers with specific security products. Instead, they have created a market that will promote interoperability and competition for security products and services that may be employed in IRS and other Federal applications.

[16] FIELDING PRODUCTS AND TOOLS: Many security products have been developed to provide security services and to meet threats to information systems and data. These products range from those narrowly designed to provide a specific service, such as encryptors, to more general products, such as firewalls, which can be configured to provide a variety of services. The products themselves can be loosely grouped into the following classes:

o FIREWALL: A firewall is used to protect a network from another untrusted network (e.g., Internet). Its main purpose is to control access to or from a protected network. Firewalls shield a network from protocols and application services that can be abused from hosts outside the shielded network. Firewalls can generally be configured to meet a user's specific requirements. For example, many firewalls maintain access control lists to identify users who are allowed to enter or exit through the firewall. The range of capabilities of firewalls varies by product and user needs, so care must be taken to select a firewall that meets the operational requirements. Organizations throughout the Department of Defense (DoD) are deploying firewalls to protect their enclaves from attacks launched from the Internet and even from their connections to the Defense Information System Network (DISN). For IRS applications, where users and third parties login and access the IRS Web site, it may be appropriate to consider implementing multiple firewalls or a single firewall with multiple ports that will permit the establishment of public and private (IRS) information domains. Most organizations implement a single firewall, which provides some inherent protection. However, if a hacker is able to penetrate the firewall, the hacker in this scenario would have access to the private information.
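As an added example (not part of the testimony), the policy model below makes the single-domain versus public/private-domain choice from the firewall item concrete. It evaluates a first-match, default-deny rule set and enumerates what an attacker who has taken over the public web server can still reach under each design. The hosts, addresses, zone names and ports are all constructed for the example and do not describe any real IRS network.

```python
"""Public and private information domains behind a firewall policy (added example).

Not from the testimony. Compares one trusted "inside" against separate
public and private domains by computing the reach of a compromised web
server under each. All hosts, addresses and ports are constructed.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Constructed host inventory (assumption).
WEB = "192.0.2.10"        # web server that taxpayers reach
DB = "10.0.0.5"           # returns database
ADMIN = "10.0.0.6"        # internal administration host
TAXPAYER = "198.51.100.9"

# Design 1: one firewall, one trusted side; the web server lives with everything else.
FLAT_ZONES = {TAXPAYER: "internet", WEB: "inside", DB: "inside", ADMIN: "inside"}
FLAT_POLICY = [
    Rule("internet", "inside", 443, "allow"),
    Rule("inside", "inside", None, "allow"),
]

# Design 2: public and private domains; only the database port is open from public to private.
SPLIT_ZONES = {TAXPAYER: "internet", WEB: "public", DB: "private", ADMIN: "private"}
SPLIT_POLICY = [
    Rule("internet", "public", 443, "allow"),
    Rule("public", "private", 1521, "allow"),   # web server -> database only
    Rule("private", "public", None, "allow"),   # administrators manage the web server
    Rule("private", "private", None, "allow"),
]


def permitted(policy: List[Rule], zones: Dict[str, str], src: str, dst: str, dport: int) -> bool:
    """First matching rule wins; anything not explicitly allowed is denied."""
    src_zone, dst_zone = zones.get(src), zones.get(dst)
    if src_zone is None or dst_zone is None:
        return False
    for r in policy:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.dport in (None, dport):
            return r.action == "allow"
    return False


def blast_radius(policy: List[Rule], zones: Dict[str, str], compromised: str,
                 ports: Tuple[int, ...]) -> List[Tuple[str, int]]:
    """Every (host, port) an attacker controlling `compromised` can connect to."""
    return sorted(
        (dst, port)
        for dst in zones
        if dst != compromised
        for port in ports
        if permitted(policy, zones, compromised, dst, port)
    )


if __name__ == "__main__":
    probe_ports = (22, 23, 443, 1521)
    print("flat design, web server compromised:", blast_radius(FLAT_POLICY, FLAT_ZONES, WEB, probe_ports))
    print("split design, web server compromised:", blast_radius(SPLIT_POLICY, SPLIT_ZONES, WEB, probe_ports))
```

In the flat design the web server can open any port on every internal host, so a single penetration yields the private data exactly as the paragraph warns; in the split design the same compromise reaches only the one database port the business process requires.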

o SECURE APPLICATION PACKAGES: Many software developers are including security features directly in their applications (e.g., e-mail, web browsers, database). For example, every computer user is familiar with being prompted to enter a password. These application packages make good use of the network environment by distributing information repositories and allowing multiple users to access and share information. These very capabilities raise specific security concerns with respect to maintaining the confidentiality and integrity of information as it moves through the network and ensuring only authorized users have access to the information. Additionally, with recent developments in the web environment, users are downloading software to their machines and executing it without any assurance of the source or integrity of the software. This capability, while facilitating the transfer of information, creates additional security concerns (e.g., viruses, trojan horses). The security being integrated into these application packages presumably addresses these concerns, but the degree of protection varies from product to product. As subsequently discussed in the section concerning "Evaluating COTS Products", it would be beneficial to have an independent agent, similar to Underwriters Laboratory, evaluate and disseminate information regarding the security actually provided by a given product in a specific environment.

o PUBLIC KEY INFRASTRUCTURE: The public key infrastructure (PKI) supports public key cryptography. Public key cryptography is a special class of cryptographic algorithms in which each user holds a private key that is never disclosed and a corresponding public key that may be freely exchanged over the network. Using their own private key and the other party's public key, two network users can derive a shared secret key that in turn is used to encrypt the data exchanged between them. These algorithms provide inherent benefits associated with minimizing the logistical burden of having to physically distribute secret keys to all potential users prior to them being used. With the exception of a few secure voice applications, most of the encryption algorithms used in national security applications today do not make use of public key cryptography, simply because the technology was not available when the systems were developed. However, public key cryptography is clearly the preferred choice for future security applications, particularly given that newer versions of public key algorithms will support higher transmission speeds, provide greater protection, and be more efficient.
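The exchange the PKI item describes, as an added example that is not part of the testimony: Diffie-Hellman key agreement in which each party keeps a private key, sends only a public key, and both still derive the same session key, so no secret has to be distributed in advance. Assumptions: the group parameters are a toy chosen so the example runs instantly (the Mersenne prime 2**521 - 1 with generator 3), not a standardized group; and the public keys are not authenticated, which in a real PKI is the certificate authority's job and is outside this example.

```python
"""Public key agreement: only public values cross the network (added example).

Not part of the testimony. Toy Diffie-Hellman over a small prime,
illustrating why public key cryptography removes the need to physically
pre-distribute secret keys.
"""

import hashlib
import secrets

# Toy group parameters (assumption, not a standardized group). A deployment
# uses a vetted safe prime so that small-subgroup attacks are ruled out.
P = 2 ** 521 - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def generate_private_key() -> int:
    """Private key: a random exponent in [1, P-2], never sent anywhere."""
    return secrets.randbelow(P - 2) + 1


def public_key(private: int) -> int:
    """Public key g^private mod p; this is the value placed on the wire."""
    return pow(G, private, P)


def shared_secret(my_private: int, their_public: int) -> int:
    """Compute (their_public)^my_private mod p; both sides reach g^(ab) mod p.

    Peer values 0, 1 and p-1 are rejected: they would force the shared
    secret into a tiny, predictable set regardless of the private key.
    """
    if not 1 < their_public < P - 1:
        raise ValueError("invalid peer public key")
    return pow(their_public, my_private, P)


def session_key(secret: int) -> bytes:
    """Hash the raw group element into a fixed-size symmetric key."""
    return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).digest()


def key_agreement() -> dict:
    """Run one exchange; return each side's key plus what an eavesdropper saw."""
    alice_priv = generate_private_key()
    bob_priv = generate_private_key()
    alice_pub = public_key(alice_priv)
    bob_pub = public_key(bob_priv)
    on_the_wire = {"alice_to_bob": alice_pub, "bob_to_alice": bob_pub}
    return {
        "alice_key": session_key(shared_secret(alice_priv, bob_pub)),
        "bob_key": session_key(shared_secret(bob_priv, alice_pub)),
        "private_keys": {alice_priv, bob_priv},
        "on_the_wire": on_the_wire,
    }


if __name__ == "__main__":
    run = key_agreement()
    print("keys match:", run["alice_key"] == run["bob_key"])
    print("session key:", run["alice_key"].hex())
```

An eavesdropper holding both values in `on_the_wire` would have to solve a discrete logarithm to recover either private key; what the exchange does not provide on its own is assurance of who sent each public key, which is the gap the certificate authority described next is meant to close.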

o CERTIFICATE AUTHORITY: The certificate authority supports public key cryptography. The certificate authority is responsible for registering end users, defining their security privileges, and providing them with certificates that are used to support cryptographic functions. In many ways an analogy can be drawn between the PKI and acquiring a driver's license. Specifically, a driver's license is the certificate a user presents to authenticate his right to operate a car and a PKI certificate is a mechanism that can be used to authenticate a user to access and "operate" a remote computer. Carrying the analogy one step further, the Motor Vehicle Administration is responsible for verifying a driver's information, determining his/her rights to operate different vehicles (e.g., cars, motorcycles, or tractor trailers), and issuing the license. The certificate authority performs a similar operation for the user's PKI certificate.

In general, the technology associated with the certificate authority is available today, but the specific policies and procedures are still being defined and implemented by industry. Potential organizations being considered as the certificate authorities include the U.S. Postal Service and banking institutions. Assuming the IRS moves forward with a plan to implement a public key infrastructure, decisions will have to be made as to whether the IRS should use the Federal-wide certificate authority or one unique to the IRS.

o SECURE TOKENS: The most common means of identifying and authenticating a source is to use passwords. However, significant vulnerabilities have been identified with the use of passwords. Secure tokens have been developed to combat this vulnerability and to provide a more secure means of identifying and authenticating users. The most common form of a token is a card that contains information specific to a user. For example, the card can contain the user's private key, which in public key cryptography allows the user to authenticate themselves or establish a cryptographically protected communication connection across the network. The private sector and the national security communities have developed secure token systems. These systems are expected to be used more frequently for commercial and Government applications. However, the IRS will have to decide if a common token may be used for multiple applications (e.g., filing tax returns, trading stock) or if an IRS unique token would be required.

o NETWORK INTRUSION DEVICES: Network intrusion devices monitor the operation of the user's networks. For example, a network intrusion device will look at unsuccessful login attempts. These attempts could signify that a hacker is trying to penetrate the network. Additionally, these devices can monitor the flow of information and compare it to normal operations to detect unusual activities. State-of-the-art intrusion detection devices use smart technology to analyze information exchanges in real time and cut off the communications link when unusual activity is detected.
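The detection logic below is an added example, not code from the testimony, and it serves two passages: the coordinated security management point in paragraph [5] (a firewall administrator and a web administrator each see only part of an attack) and the network intrusion devices item above (counting unsuccessful logins). It parses a firewall log and a web server log, normalizes both into one event stream, and raises a single-sensor alert for repeated login failures plus a cross-sensor alert when the same source appears in both logs within one window. The log lines and their format are constructed for this example and do not follow any real product's format.

```python
"""Correlating events from two separately administered sensors (added example).

Not part of the testimony. Shows what is missed when the firewall log and
the web server log are read by different people: the probe from
203.0.113.7 is unremarkable in either log alone.
"""

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs (assumption: a simplified format, not a real product's).
FIREWALL_LOG = """
1997-03-13T09:00:01 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=23
1997-03-13T09:00:02 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=21
1997-03-13T09:00:03 fw ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443
1997-03-13T09:30:00 fw DENY src=203.0.113.200 dst=192.0.2.10 dport=23
""".strip().splitlines()

WEB_LOG = """
1997-03-13T09:00:04 web LOGIN_FAIL user=admin src=203.0.113.7
1997-03-13T09:00:09 web LOGIN_FAIL user=root src=203.0.113.7
1997-03-13T10:00:00 web LOGIN_FAIL user=jsmith src=198.51.100.5
1997-03-13T10:00:20 web LOGIN_FAIL user=jsmith src=198.51.100.5
1997-03-13T10:00:45 web LOGIN_FAIL user=jsmith src=198.51.100.5
1997-03-13T10:01:10 web LOGIN_FAIL user=jsmith src=198.51.100.5
1997-03-13T10:05:00 web LOGIN_OK user=mjones src=192.0.2.33
""".strip().splitlines()

FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")
WEB_RE = re.compile(r"^(?P<ts>\S+) web (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_events(fw_lines: List[str], web_lines: List[str]) -> List[dict]:
    """Normalize both logs into one time-ordered event stream keyed by source address."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m and m["action"] == "DENY":
            events.append({"ts": _ts(m["ts"]), "sensor": "firewall", "src": m["src"],
                           "detail": f"dport={m['dport']}"})
    for line in web_lines:
        m = WEB_RE.match(line)
        if m and m["event"] == "LOGIN_FAIL":
            events.append({"ts": _ts(m["ts"]), "sensor": "web", "src": m["src"],
                           "detail": f"user={m['user']}"})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], window: timedelta = timedelta(minutes=10),
           fail_threshold: int = 3) -> List[dict]:
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        fails = [e for e in evs if e["sensor"] == "web"]
        denies = [e for e in evs if e["sensor"] == "firewall"]
        # Rule 1 (single sensor): at least fail_threshold login failures inside one window.
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(in_window) >= fail_threshold:
                alerts.append({"rule": "brute_force", "src": src, "ts": first["ts"],
                               "count": len(in_window)})
                break
        # Rule 2 (cross sensor): a firewall deny and a login failure from the same
        # source within one window. Neither administrator alone sees this pattern.
        if any(abs(f["ts"] - d["ts"]) <= window for f in fails for d in denies):
            alerts.append({"rule": "multi_point_probe", "src": src,
                           "ts": min(e["ts"] for e in evs),
                           "sensors": sorted({e["sensor"] for e in evs})})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(FIREWALL_LOG, WEB_LOG)):
        print(alert)
```

On the sample data the password-guessing source is caught by the web log alone, but the source that probed telnet and FTP at the firewall and then tried two privileged logins on the web server never crosses either administrator's threshold; it surfaces only when both logs are read together, which is the coordination paragraph [5] calls for.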

[17] EVALUATING COTS PRODUCTS: With the Government emphasizing the use of COTS products to satisfy the majority of their future needs, it is extremely important to have an understanding of all the products that are on the market and determine if the products perform as advertised. Unfortunately, most users of information technology products are unable to keep up with the multitude of security products hitting the market each day. Furthermore, the users generally do not understand the technical details with respect to how the products are configured and operated. They can only rely on information they read in brochures and journals, which often advertise the individual product capabilities, as opposed to examining the product in a system context. Evaluating security products from a system perspective is very difficult, particularly when considering the way systems and networks are customized to meet business objectives. The national security community has established programs and initiatives to monitor the availability of COTS products, evaluate their capabilities, and make smart decisions relative to their potential system applications. A similar effort to evaluate COTS products for a broader community (i.e., Federal and commercial) would be beneficial.

SUMMARY

[18] Once again, the basic set of security products and technologies are available or will be available in the very near future to support most known information applications. The real challenges lie in the areas of defining the policies and the business processes to take advantage of the security products and services. As appropriate, the business processes will have to change to accommodate the technologies or in some cases it may be necessary to develop a whole new set of processes. However, as with any system that attempts to automate existing business processes, the real success will be determined by the degree of trust and comfort established with the end users (i.e., taxpayers).
