
IDENTIFYING EXISTING DATA SECURITY SOFTWARE

In the document Data Center Operations Management (pages 145-148)

Data Security Software


In order to translate functional and technical criteria into a set of procurement alternatives, the potential user must understand the various types of data security software packages currently on the market. The user who has gained a basic understanding of security software can then begin the process of evaluation, selection, procurement, and implementation.

Secure Operating Systems

The basic concept in secure operating systems design is the security kernel.

The security kernel mediates the access of all active system elements (people or programs), which are referred to as subjects, to all system elements containing information (e.g., files, records, data bases), which are referred to as objects. All of the security-related functions of a conventional operating system are collected into a small, primitive operating system called a security kernel. The three essential characteristics of this security kernel are:

• Completeness: All accesses of all objects by all subjects are checked by the security kernel.

• Isolation: The code that comprises the kernel is protected from modification or interference by any other software in the system.

• Correctness: The code performs the functions for which it is intended and no other functions.

Most of the development work in secure operating systems has been conducted by the Department of Defense in support of military and intelligence-related computing requirements. As a spin-off from this work, TYMSHARE, of Cupertino, California, has developed a secure operating system called GNOSIS for commercial applications.

SELECTING SECURITY SOFTWARE 133

GNOSIS. This capability-based operating system is designed to run on machines with an IBM System/370 architecture. The 370 architecture was chosen because it includes a wide range of available CPUs, extending from very small to very large configurations. A second consideration was that the 360/370 architecture has become an implicit industry standard and is expected to have a very long operational life.

In GNOSIS, every application, and, in fact, most of the operating system itself, is divided into small, self-contained units called domains. Domains communicate with other domains via explicitly authorized communication paths called capabilities. Domains are created and supervised by a very small kernel of system code. A GNOSIS domain serves the same purpose as does an address space or a virtual machine in other systems: it provides a place for the program and its data to exist and to execute. The difference is that a GNOSIS application typically consists of several domains, each containing a small subsystem (typically 50 to 1,000 lines of source code) that implements a special function.

Each domain holds capabilities that allow it to communicate with a small number of other domains. It is impossible for a domain to access its capabilities directly or to counterfeit the ability to interact with another domain. Thus, a domain may only interact with those domains for which it has been given a capability to interact. The same compartmentalization into domains has been applied to the operating system, so the difference between the operating system and the application is blurred; in fact, since almost everything except the kernel is in domains, there is no monolithic operating system. This arrangement makes it possible to replace application code selectively. If an application module is not performing properly, it may be safely replaced without jeopardizing the remainder of the program.

The GNOSIS kernel performs some of the tasks usually assigned to the supervisor. The kernel is very small (about 10,000 lines of code as opposed to 500,000 lines in some of the large IBM operating systems) because it implements and enforces, rather than defines, security policy.

The major significance of GNOSIS is that it is the first commercially available, fully supported kernelized operating system for a large-scale machine. Because of the high cost of replacing an entire operating system and the inevitable conversion problems, only those installations that require a level of data security considerably higher than normal commercial requirements should consider GNOSIS.
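The kernel properties and the GNOSIS domain model described above, as an added illustration that is not code from the book or from GNOSIS: a tiny kernel mints unforgeable capabilities, mediates every cross-domain call, rejects stolen or guessed tokens, and lets one domain's code be replaced without disturbing the capabilities others hold. All domain names and the file store are constructed for the example.

```python
import secrets

class Kernel:
    """Minimal security kernel: mediates every cross-domain call (completeness),
    keeps its tables private (isolation) and does nothing but that (correctness)."""
    def __init__(self):
        self._domains = {}   # domain name -> handler callable
        self._caps = {}      # opaque token -> (holder domain, target domain)
        self.audit = []      # (caller, target or presented token, outcome)

    def register(self, name, handler):
        # Registering a name again replaces that domain's code; capabilities are untouched.
        self._domains[name] = handler

    def grant(self, holder, target):
        """Mint a capability: a random token that only the kernel can map to a target."""
        token = secrets.token_hex(8)
        self._caps[token] = (holder, target)
        return token

    def invoke(self, caller, token, request):
        """The only path between domains. A token presented by anyone other than
        its holder, or a guessed token, is rejected and logged."""
        entry = self._caps.get(token)
        if entry is None or entry[0] != caller:
            self.audit.append((caller, token, "DENIED"))
            raise PermissionError(f"{caller} holds no such capability")
        target = entry[1]
        self.audit.append((caller, target, "OK"))
        return self._domains[target](request)

def demo():
    """Constructed scenario: an editor domain reaches a filestore domain only via its cap."""
    k = Kernel()
    store = {"payroll": "salary records"}
    k.register("filestore", lambda name: store.get(name, "no such file"))
    cap = k.grant("editor", "filestore")
    legit = k.invoke("editor", cap, "payroll")
    outcomes = []
    for caller, tok in (("guest", cap), ("guest", "00" * 8)):   # stolen token, guessed token
        try:
            k.invoke(caller, tok, "payroll")
            outcomes.append("allowed")
        except PermissionError:
            outcomes.append("denied")
    # Replace the filestore's code; the editor's existing capability keeps working.
    k.register("filestore", lambda name: store.get(name, "missing").upper())
    replaced = k.invoke("editor", cap, "payroll")
    return legit, outcomes, replaced, len(k.audit)
```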

Access Control Software

The increased interest in software security and the growing realization that most existing operating systems are not very secure has led to the development of a number of security software packages designed to enhance the existing access control, transaction monitoring, and audit reporting features of current systems. These packages, unlike secure operating systems, do not fundamentally alter the software architecture of the target system. Although a number of these packages (e.g., RACF, ACF2, SECURE) are currently on the market and each performs in a somewhat different manner, they have certain basic functions in common.

Access Mediation. This function enforces controlled access to system resources and data, based on access rules defined by the user. Attempts to access any protected resources or data are intercepted, checked for legitimacy of access authorization, and then either terminated or accepted for execution.

System Auditing and Logging. Attempted violations of access rules are reported to the system managers, either through operator alerts (for serious breaches) or through logging and audit reporting procedures (for violations of lesser severity). Most of these systems audit a number of security-related functions, and this audit trail serves as a permanent record of these system transactions:

• Accesses: The system monitors who accesses what. Accesses and access attempts can be logged and reported.

• Violations: The system monitors who attempts what. Attempted violations can be logged and reported.

• Modifications: The system monitors who changes what. Modifications to data (e.g., add, change, delete, extend) are logged and reported.
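The two common functions just described, access mediation and the three-way audit trail, as an added example written for this page (not the behaviour of RACF, ACF2 or SECURE): requests are intercepted and decided against user-defined rules, every decision is classified as an access, a modification or a violation, and violations on a sensitive resource or repeated violations by one subject raise an operator alert rather than a mere log entry. The rule table, the sensitive set, the alert threshold and the request stream are all constructed.

```python
from collections import Counter

MODIFY_OPS = {"add", "change", "delete", "extend"}
ALERT_AFTER = 3   # repeated violations by one subject escalate to an operator alert

class AccessMonitor:
    """Access mediation plus audit trail (constructed model, not a vendor product)."""
    def __init__(self, rules, sensitive):
        self.rules = rules            # resource -> {subject: set of permitted ops}
        self.sensitive = sensitive    # resources whose violations always alert the operator
        self.trail = []               # (subject, resource, op, category)
        self.alerts = []
        self._violations = Counter()

    def mediate(self, subject, resource, op):
        """Intercept a request, decide it, and record it; returns True if accepted."""
        allowed = op in self.rules.get(resource, {}).get(subject, set())
        if not allowed:
            category = "violation"          # who attempted what
            self._violations[subject] += 1
            serious = resource in self.sensitive or self._violations[subject] >= ALERT_AFTER
            if serious:
                self.alerts.append(f"OPERATOR ALERT: {subject} attempted {op} on {resource}")
        elif op in MODIFY_OPS:
            category = "modification"       # who changed what
        else:
            category = "access"             # who accessed what
        self.trail.append((subject, resource, op, category))
        return allowed

    def summary(self):
        """Audit report: number of trail entries per category."""
        return Counter(cat for *_, cat in self.trail)

def run_sample():
    rules = {"PAYROLL": {"alice": {"read", "change"}},
             "BULLETIN": {"alice": {"read"}, "bob": {"read"}}}
    monitor = AccessMonitor(rules, sensitive={"PAYROLL"})
    events = [  # constructed request stream
        ("alice", "PAYROLL", "read"), ("alice", "PAYROLL", "change"),
        ("bob", "BULLETIN", "read"), ("bob", "PAYROLL", "read"),
        ("carol", "BULLETIN", "read"), ("carol", "BULLETIN", "change"),
        ("carol", "BULLETIN", "delete"),
    ]
    for subject, resource, op in events:
        monitor.mediate(subject, resource, op)
    return monitor
```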

File-Encryption Software Packages

Recent experience has amply demonstrated that existing software and hardware protection mechanisms (including access control software systems) are highly susceptible to subversion, particularly by insiders having detailed knowledge of the systems software. Therefore, increased attention is being given to using software packages for encrypting data. These systems operate on the principle that even if the access control mechanisms are breached and unauthorized users gain access to data, the data will be unintelligible. Two types of file encryption software systems are currently on the market.

Symmetric Cryptosystems. Most of these systems are based on the Data Encryption Standard (DES) established by the National Bureau of Standards (NBS). These systems are called symmetric because they use a single key for both encrypting (coding) and decrypting (decoding) data. This key is then stored in system tables, where it is protected by the operating system. Unfortunately, subversion of operating system controls can compromise the key.

The key can also be stored in encrypted form using the master key of the host system. When the data is decrypted, the data key is decrypted first by the host master key. Access to the master key gives access to the data key, however, and thus to the stored data. This approach requires that two parties who want to share a private communication must first both have the key. Key distribution is usually handled manually by courier or registered mail, a complicated process if keys are changed frequently. In addition, the key is exposed to compromise while in transit.


Asymmetric (Public Key) Cryptosystems. The most recent development in commercially available software cryptosystems is a new class of systems called asymmetrical or public key systems. In these systems, encryption and decryption are governed by different keys. It is impossible to derive one key from the other by mathematical computation.

Each user of the system is initially given a pair of keys. When one key is used to encrypt, the other must be used to decrypt, and vice versa. One key can be placed in a public directory available to all system users, while the other key is kept private. When two users communicate, the sender encrypts the communication, using the public key of the recipient, who then decrypts the message, using his or her private key. Even if an unauthorized user is able to breach the operating system's controls, the only thing found is the public key directory, which is common knowledge anyway. Without the recipient's private key, the unauthorized user cannot decrypt the communication. This approach provides a very high level of data security and is implemented in a small applications software module that is completely independent of the operating system.
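The key-pair behaviour described above, as an added example that is not from the book or any product it names: textbook RSA with deliberately tiny constructed primes (61, 53 and 71, 67), a public directory, sealing with the recipient's public key, the reverse direction with a private key, and a check that the public directory alone does not recover the message. Real systems use primes of hundreds of digits and padded messages; this is only to make the "either key undoes the other" property visible.

```python
from math import gcd

def make_keypair(p, q, e=17):
    """Textbook RSA from two primes. (p, q) here are tiny constructed values;
    real keys use primes of hundreds of digits and padded messages."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)

def apply_key(key, values):
    """The same operation serves encrypt and decrypt: v^k mod n for each value."""
    k, n = key
    return [pow(v, k, n) for v in values]

def seal(directory, recipient, text):
    """Sender: encrypt byte by byte with the recipient's PUBLIC key from the directory."""
    return apply_key(directory[recipient], list(text.encode()))

def unseal(private_key, ciphertext):
    """Recipient: decrypt with the matching PRIVATE key."""
    return bytes(apply_key(private_key, ciphertext)).decode()

def demo():
    alice_pub, alice_priv = make_keypair(61, 53)
    bob_pub, bob_priv = make_keypair(71, 67)
    directory = {"alice": alice_pub, "bob": bob_pub}   # the public directory
    ct = seal(directory, "bob", "meet at 9")
    received = unseal(bob_priv, ct)
    # Reverse direction: only Alice can produce this; anyone can undo it with her public key.
    from_alice = apply_key(alice_priv, list(b"ok"))
    checked = bytes(apply_key(alice_pub, from_alice))
    # Someone who only read the directory has Bob's public key, which does not undo seal().
    public_key_fails = apply_key(bob_pub, ct) != list(b"meet at 9")
    return received, checked, public_key_fails
```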
