This article draws on elements of gravity theory to help visualise information security concepts and to describe how to practically implement security policy objectives. It describes a metaphorical model in which gravitational forces are analogous to the level of security controls we apply to an organisation's information. Be warned, this will quite possibly be the nerdiest article I have written, but it will be simple enough: no degree in particle physics is required to grasp it.
What is Gravity?
Gravity is a force which attracts physical objects towards each other. Every object is affected by gravity, from the smallest atom to the largest star in the night sky. A general rule is that the greater the mass of an object, the more gravitational force it exerts on the objects around it. The sun, for instance, holds the earth in its orbit in the same way that the earth holds the moon in its.
Inside a large object, the weight of all the overlying material bears down on whatever lies beneath it, so pressure and density rise the closer to the center we get. The central atoms are squeezed together and their movement is tightly constrained, whereas the outer atoms are able to move far more freely.
In the same way that gravity applies force to those atoms, drawing them towards the center, we can secure information by applying varying levels of enforcement based on sensitivity. If we imagine the sum of our organisation's information as a spherical object made up of thousands of information atoms, we can start to visualize the relationship. Our most sensitive information sits at the core of our infosphere (information sphere) and we must apply more force to protect it. As we move towards the surface of our infosphere, the controls we want to apply become less restrictive and we let those less sensitive information atoms move more freely.
The sensitivity of information usually decreases over time, so to follow the analogy strictly there should be provision for information atoms to migrate to the outer layers as time passes (declassification, in other words). Gravity, of course, doesn't do this, so rather than draft in some professors of physics to come up with a plausible fact to cover it, we will continue with the understanding that the analogy refers to the forces applied at a specific moment in time.
Increasing Security Toward The Core
The images above show four layers leading to the center of our infosphere. In order to apply controls to our information we must first categorize it by sensitivity level, in other words give it a classification. As an organisation, we define a security policy that mandates the rules that everyone in the company must follow when dealing with the organisation's information. As part of this policy, a classification scheme defines what types of information we have and how important each type is to us.
A typical corporate classification scheme might include:
Or for a government organisation:
To refer back to our infosphere, UNCLASSIFIED may refer to our outer layer of information atoms, and TOP SECRET atoms would be in the core.
In loose terms, there are also four levels of controls that we may want to apply to information and these are as follows:
None – Information we do not want to control or protect (e.g. emails such as "Someone left their lights on in the car park").
Awareness – Controls such as security labels and visual markings that make users aware of the nature of the information they are working with.
Restrictions – Controls that block access to information or restrict its transmission from person to person (e.g. clearance-checking tools, mail gateways and DLP).
Enforcement – Full protection of information, including physical security, encryption and logical access control mechanisms (firewalls, rights management, etc.).
These levels are by no means exclusive; a given classification will usually attract more than one of them, and the stronger levels build on the weaker ones.
Practical Application of Security Policy Controls
We now have the basis of our security policy complete. We know what types of information our organisation deals with and also the classifications we are going to apply to the different information. In addition, we should also know what controls we intend to apply to the different classification levels. A mapping of controls may look something like this:
| Classification | Controls |
|---|---|
| SECRET | Awareness, Restrictions, Enforcement |
| TOP SECRET | Awareness, Restrictions, Enforcement |
So how do we implement this on our systems? Most information is stored in documents and emails. There are content-inspection systems that scan these and attempt to apply controls based on their interpretation of the content. They are often unreliable, and they very rarely act at the point of origin, which is the user's desktop. By giving the user the ability to apply a classification or label to their document or email at the point of origin, we can invoke tools that bridge the gap between the policy objective and the technical implementation of the controls. A user-applied label is a discretionary control, however, and a careless or malicious user can under-label a document, so it remains necessary to apply controls that are not user driven, such as content inspection at the gateway, alongside it.
The Boldon James Email and Office Classifier products provide a way to implement technical controls in Microsoft environments. Based on the label selected by the user, Classifier can automatically invoke controls including:
- Applying a visual marking to emails/documents to increase user awareness
- Applying restrictions on who can receive emails/documents.
- Automatically invoking S/MIME encryption on emails.
- Automatically applying Active Directory Rights Management Services templates to emails/documents.
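As an added example, not part of the original article and not Boldon James product code, the following Python sketch shows how a mail gateway could turn the label a user applied at the point of origin into the control set from the table above: it maps the label to its controls, checks each recipient's clearance against the label, decides whether encryption and a rights-management template are required, and adds one non-user-driven check by scanning the body for classification markings higher than the applied label. The header name `X-Classification`, the clearance directory, the intermediate level CONFIDENTIAL, the control rows for levels other than SECRET and TOP SECRET, the template names and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Government-style scheme from the article; the ordering enables clearance checks."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1   # assumed intermediate level
    SECRET = 2
    TOP_SECRET = 3


# Classification -> control levels. The SECRET and TOP SECRET rows follow the
# article's table; the UNCLASSIFIED and CONFIDENTIAL rows are assumptions.
CONTROL_MAP = {
    Level.UNCLASSIFIED: set(),                                  # "None"
    Level.CONFIDENTIAL: {"Awareness", "Restrictions"},
    Level.SECRET: {"Awareness", "Restrictions", "Enforcement"},
    Level.TOP_SECRET: {"Awareness", "Restrictions", "Enforcement"},
}

LABEL_HEADER = "X-Classification"   # assumed header written by the desktop classifier
# Markings are conventionally upper case, so match case-sensitively to limit false hits.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b")


@dataclass
class Decision:
    level: Level
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    marking: Optional[str] = None          # Awareness control
    blocked_recipients: List[str] = field(default_factory=list)  # Restrictions
    encrypt: bool = False                  # Enforcement: S/MIME
    rms_template: Optional[str] = None     # Enforcement: rights management


def parse_label(headers: Dict[str, str]) -> Optional[Level]:
    """Read the user-applied label; unknown or missing labels return None."""
    raw = headers.get(LABEL_HEADER, "").strip().upper().replace(" ", "_")
    return Level[raw] if raw in Level.__members__ else None


def detect_marking(body: str) -> Optional[Level]:
    """Non-user-driven check: highest classification marking found in the body text."""
    found = [Level[m.group(1).replace(" ", "_")] for m in MARKING_RE.finditer(body)]
    return max(found) if found else None


def evaluate(headers: Dict[str, str], body: str, recipients: List[str],
             clearances: Dict[str, Level]) -> Decision:
    """Decide which controls apply to one outbound message and whether it may leave."""
    declared = parse_label(headers)
    detected = detect_marking(body)
    if declared is None:
        # Fail closed: an unlabelled message skipped the origin control entirely.
        return Decision(level=detected or Level.TOP_SECRET, allowed=False,
                        reasons=["missing or unrecognised label"])
    level = declared
    decision = Decision(level=level, allowed=True)
    if detected is not None and detected > declared:
        # Under-labelled content: treat it at the higher level and block it.
        level = detected
        decision.level = level
        decision.allowed = False
        decision.reasons.append(f"body marked {detected.name} but labelled {declared.name}")
    controls = CONTROL_MAP[level]
    if "Awareness" in controls:
        decision.marking = f"[{level.name.replace('_', ' ')}]"
    if "Restrictions" in controls:
        # Recipients absent from the directory are treated as uncleared (assumption).
        decision.blocked_recipients = [
            r for r in recipients if clearances.get(r, Level.UNCLASSIFIED) < level]
        if decision.blocked_recipients:
            decision.allowed = False
            decision.reasons.append("recipient clearance below label")
    if "Enforcement" in controls:
        decision.encrypt = True
        decision.rms_template = f"{level.name}-DoNotForward"  # assumed template name
    return decision


if __name__ == "__main__":
    # Constructed sample directory and message, not real data.
    directory = {"alice@example.gov": Level.TOP_SECRET, "bob@example.gov": Level.CONFIDENTIAL}
    result = evaluate({LABEL_HEADER: "Secret"}, "Quarterly plan attached.",
                      ["alice@example.gov", "bob@example.gov"], directory)
    print(result)
```

Two design points are worth noting. First, the gateway fails closed on missing or unrecognised labels rather than defaulting to UNCLASSIFIED, because the whole point of the origin control is that every message carries a decision the user made. Second, the body scan only ever raises the effective level; it never lowers one the user set, so the user-driven and non-user-driven controls reinforce rather than override each other.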
By understanding our information security needs and implementing the correct technical controls, we can ensure that people only get access to the relevant layers of the infosphere for which they are authorised.
To summarize, this article discussed the relationship between gravity and mass. We then went on to discuss how this could be metaphorically applied to the relationship between the sensitivity of information and the level of security required to protect it appropriately. Classification of our information was then covered, followed by a practical description of how we can achieve some of our security policy objectives using different levels of controls.