Original URL: http://www.theregister.co.uk/2006/12/20/security_wish_list/

All I want for Christmas...

Security wish list

By Mark Rasch

Posted in Security, 20th December 2006 11:24 GMT

Mark Rasch takes a step back and offers his holiday and New Year's wish list of all things security - items that should exist, be made available and be easy to use for everyone over the coming year.

It is traditional this time of year for people to make lists of what they want for the holidays. You know, a Nintendo Wii, a PS3, a Treo 700p... depending on whether you have been naughty or nice (I hope you all are taking notes). But for the information security-minded, I have developed my own personal wish list of technologies and applications which, as both a lawyer and an information security professional, I would like to see both developed and implemented in the coming year. Now I know that individual aspects of these technologies actually already exist - some of them for many, many years. And I know that niche products may meet some or all of the goals I want to achieve here. I welcome comments about how a particular technology may meet the needs. What I want for Christmas (or Hanukkah, Kwanzaa, Eid, or whatever) is a solution that works seamlessly and with no user input. So here is my Christmas list:

1. Easy encryption

Let's face it, communications and files are not secure. What I want is to send an e-mail just the way I always do: look up an address (or click on a link, or retrieve a stored address) and have it sent in a way that cannot be intercepted, read or interfered with by anyone other than the intended recipient. Oh, and authentication of both the sender and receiver would be nice as well, so I can block spam more easily, and so the recipient can know the mail came from me. I want this done with little or no overhead costs, and no user input. I just want to send secure e-mail.

The files on my computer also should be encrypted seamlessly and effortlessly. In other words, when (note I say when, and not if) I lose my laptop computer, I want to know that the only thing they got that was useful was the hardware itself: no data, and I mean absolutely no data, should be compromised. Imagine if the Veterans Administration had something like that. Yeah, I know RSA and PGP have programs that do this, and that Vista will do the same thing, but I want it to be idiot-proof, or at least idiot-resistant. I want the stuff scrambled without my input. So much for data breach notifications.

On the other hand, as an administrator, manager or compliance officer, I want to be able to monitor everything going on inside the company. I want free rein (with appropriate auditing) to look at any files within the company I need to see. Nobody said this was going to be easy or even possible. Remember, as Ralph Waldo Emerson said, a foolish consistency is the hobgoblin of little minds.

2. Know what you know...search for the rest

I can conduct a Google search of a few billion web pages in about 3.2 seconds, including the use of Boolean searches, keyword searches, and other kinds of searches to find relevant information. But, as a lawyer and litigator, if I get a document request in discovery for all documents relating to the Jones contract, it takes months to sort through all the files in the company and index them to find the right documents. In fact, most companies see the process of inventorying, collating and examining documents as a necessary evil in preparation for or in response to litigation or threats of litigation.

What this means as a practical matter is that the company is spending money and resources to help out the person suing them to learn what happened in a particular transaction or series of transactions. This is silly. What a company should be able to do is to conduct a search of all documents (oh, and I mean all documents: documents, spreadsheets, e-mails, instant messages, chat sessions) within the company (on every desktop, laptop, and server anywhere in the world), no matter how they are maintained or stored (on an iPod, a thumb drive, and so on). It should be able to find these documents long before, and irrespective of, any litigation.

The law presumes that a collective entity known as a company, a partnership, or a government agency knows everything that any part of that entity knows. So if Employee X in Chicago knows one thing, and Employee Y in Santiago, Chile knows something else, then the Company knows both things. We all know that this presumption is absurd. The problem is, as a decision maker, you should have the ability to at least find the information that is collected within the IT systems of the company as easily as you could find a decent pair of tennis shoes. Moreover, you shouldn't wait for a lawsuit to do this. It is important to know what you know as you are making decisions, not afterwards.

Of course, this would require not only indexing and searching every bit of digital information within the enterprise, but also deciding in advance who would have the authority to search for these files, and for what purposes. Oh, and remember where I said above that everything in the company would be encrypted? Again, consistency is not essential here; we are talking Santa Claus today. This is a wish list. If Santa can fit down the chimney of my gas-powered fireplace, surely he can do this.

3. Permission please (document permissions, retention and destruction)

One of the biggest problems for IT and legal staff is the fact that document destruction and retention policies simply don't work. This is because there is currently no available technology to effectively enforce them. The problem is part legal, part administrative, and part technological.

First of all, there is the old adage that "delete doesn't and restore won't". Thus, to some extent, deleting documents compounds the problems related to discovery and disclosure, and doesn't solve them. You see, if a document or record exists, it is discoverable. If you simply delete the document but fail to wipe it (or if you only delete some but not all copies of the document), not only is the document still discoverable (because it exists), but you have increased the cost of recovery, and therefore of disclosure, of that document - a cost that you may be responsible for (although new US federal e-discovery rules have had some marginal impact on this). When we are talking about electronic communications (including documents transmitted electronically), it becomes very difficult for a company to effectively enforce a document retention or destruction policy (well, really it's just a document destruction policy), unless every copy of the communication and document remains within the enterprise. You can only delete your copy of the document.

Thus, what I would love to see is something whereby, with no intervention on the part of the user, the document (or communication) is automatically assigned both permissions and embedded document destruction rules (such as, "Good morning, Mr. Phelps... this document will self-destruct in five minutes..."). The document permissions would control things like who had rights to read, forward, print, view, and edit the document. It could also know whether the document related to corporate trade secrets or privilege (based upon the identity of sender, recipient and subject matter), or other protected matter. It would know if it was required to be kept for 30 days, 3 months or 6 years based on the same things a human (remember humans?) would consider, such as its subject matter, regulatory requirements and document retention policies. Sure, we could set such permissions right now, but most of us don't.

These permissions would need to be embedded at the file level so that no matter where the document was sent, it couldn't be misused. And upon expiration, the document would die (or irreversibly encrypt itself). Thus, your document destruction and retention policy would enforce itself even on stored or sent documents, irrespective of where the documents are stored.

4. Mobile devices that phone home

Modern enterprises are, in a very real sense, distributed environments. They are fundamentally different from the office of 20 years ago, where creation and storage of electronic records took place on a large mainframe computer. They're even different from just five years ago, when many documents were created on desktop machines which stayed resident at the office. Now, most information is created on and stored on mobile devices, typically laptop computers. This trend will accelerate as more corporate information is created and stored on smaller, lighter and even more portable devices: palmtops, sub-notebooks, smart phones and the like.

While the encryption schemes mentioned above may serve to protect the data on these devices, there remains the problem that, under many current configuration schemes, the data only resides on the portable device and is not backed up onto any server or storage device by the employer. Thus, if the portable machine is lost or stolen, the company permanently loses the data on the machine. What is worse, the company doesn't know what it has lost, because it had no reference copy of the latest version of the files that may have been lost. Now of course, companies can configure their networks to allow for automatic backup of files onto a network drive or server, but many do not. This should change.

5. Mobile access

I want my files, and I want them now! I want to be able to seamlessly access all of my files and records no matter where they are. I want to get to them from my desktop, my laptop, any machine in my house, my Palm Pilot, cell phone and any other device. If I change a document, I want the changes to synchronize. I don't want to have to put all my music, video, etc., on every machine separately. Store it once, and forget it. Oh, and I want it 100% secure.

6. Strong authentication with anonymity

Once again, from the department of mutually contradictory wishes: I want my access to be strongly authenticated - preferably without something I have to carry around (which I will misplace) or remember (which I won't remember). That probably leaves me with a biometric device, which scares the bejeezus out of me. I want me, and only me, to access my files (okay, maybe my boss too) but - and here is the big one - I don't want there to be a record of what I did. In other words, I want to be anonymous when I want or need to be.

7. Milk and cookies for Santa

So that's it. My holiday and New Year's wish list for the security community. Oh, and while I am at it, I want a pony and peace on earth, and good will towards men. If all of that is too much to ask, well, how 'bout that Wii?

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as a lawyer specialising in computer crime, computer security, and privacy matters in Bethesda, Maryland.