Paper vs. The Computer

by Kevin Borders - November 20th, 2006

Fewer and fewer people nowadays remember a time when everyone used typewriters. People use computers now, of course, because they are a lot more powerful than their mechanical predecessors. If that is the case, then let me ask you this: Why are computers so insecure compared to plain old ink and paper? This question has dogmatic answers that you have probably heard before. “Security is an afterthought.” “Complexity is the enemy of security.” I am sure you can come up with more. But shouldn’t a computer that has so much more power be at least a little bit more secure than a typewriter? Yes, it should. This article is going to tell you why.

What Was

Before we start talking about what is and is not secure, we need to take a step back and look at what used to be the state-of-the-art. It is sometimes easy to forget what happens outside of the box when thinking about computer security. Back when typewriters were still in use, what security threats did organizations have to deal with, and how did they handle them? Here is a list of threats and counter-measures circa 1960:

Physical break-in and theft
Security guards, cameras, alarms, locks, and safes
Sneak in using fake ID, picking locks, etc.
Better locks, better IDs, human recognition of intruders
Verbal disclosure by insider
Background investigations and other counter-intelligence techniques
Physical copying/disclosure by authorized insider
Check people for documents when leaving the building, restrict ability to copy documents
Physical theft/disclosure by unauthorized insider
Safes, information flow control training and policies.

As you can see, countermeasures primarily consist of physical data protection (locks), physical authentication (keys), and human-based policy enforcement. Forty years ago, information security relied on the fact that Alice will not give Bob a document that he is not supposed to see, or accidentally leave it out on her desk when Bob walks by. Security also depended on Bob’s inability to break or pick the lock on Alice’s file cabinet after she went home at night. As you can see, protecting a physical document can be quite difficult, and requires a fair amount of human effort. Humans are not perfect, and we all use less-than-stellar security practices from time to time.

What Could Have Been

Think about all of the security challenges from the Alice and Bob document example above. How could technology help this situation? First, Alice’s decision whether or not to give Bob a document could be made by a computer. If a trusted component in Alice’s operating system governs what documents she is allowed to transfer and to whom, the room for human error by anyone other than the document’s author is eliminated. Furthermore, if Alice’s trusted operating system does not let her print sensitive documents, and they are stored on a central server, then Alice cannot take them home with her, aside from manually copying them or photographing her screen. Next, Alice’s computer should “lock” automatically when she leaves her desk and require authentication to resume functionality. (To be fair, this is done well in today’s secure computing systems.) Finally, encryption allows us to completely hide the contents of a document. Unlike physical locks, which are subject to being broken or picked, cryptographic keys require theoretically long periods of time to crack. Trying every possible value of a 128-bit key would require testing 10^22 keys per second, which is slightly less than some estimates of the number of grains of sand in the world, for a billion years. So, if important documents are encrypted with a strong key, then it will not matter if they are stolen by a non-keyholder.

Naturally, these security enhancements are not perfect. Such a system would still be prone to password guessing and key stealing. However, if computers were used correctly to protect digital information, then they would be much more secure than paper and ink. Any outsider who was able to steal data would need to crack passwords and cryptographic keys to read anything. Most policy decisions would be made by computers instead of people, which are a lot better at following rules. Finally, computers could allow people to view information without having access to its physical representation (i.e. the disk), which would prevent insider theft. As you are probably aware, almost none of this happened. Computers are the bane of confidentiality. Where did everything go so horribly wrong?

What Is

The purpose and goal of computing during its development was never security. Security mechanisms that do exist in today’s software and operating systems are almost all there because something went wrong in the past and needed to be fixed. Software is laden with features and interfaces that contain all kinds of security vulnerabilities. How much sensitive digital information is really encrypted before being written to disk? Very Little. How many systems use trusted computing primitives to ensure software integrity? Not very many. Are there any systems that control who you send data to over the network and force you to use encryption? I have never seen one.

What we end up with today is a huge blob of interconnected digital resources. Every once in a while something will be encrypted somewhere, but it is usually not very hard to compromise an end host and obtain the plain text. There are firewalls here and there, but if you have physical access to a machine, the game is over. Computers have a wide variety of devices connected to them, and many of them can be used to attack the machine or steal information. Input devices allow malware to enter the system and output devices can grab gigabytes of sensitive data in a matter of minutes. Some attempts have been made to restrict device activity, particularly in the case of removable media, but they have had limited success. Even people who know nothing about security know that it does not work just by reading regular news reports of catastrophic data leaks, and receiving letters from their banks offering free credit monitoring and telling them to close their accounts.

What Will Be (There is Hope!)

If computers today are a huge interconnected blob, what can we change to make this blob into something that is actually secure, like it has the potential to be? It has been said by some people in the security business that selling security products is akin to selling snake oil. This could just be frustration due to failed marketing efforts, but it also has some truth. In all honesty most home users probably know nothing about security other than what they are told in advertisements. However, people who are in charge of purchasing and evaluating security products for large organizations with critical resources do know what they are doing. Once these organizations start purchasing a security product, others will fall in line. Although home users may be a tough sell, consumers in general are not to blame for the widespread lack of computer security.

If one were to gather a group of ten security experts today and ask them to design a secure system using encryption, trusted computing, and all the other principles that would make computers more secure than paper, they could probably do it. Some work has already been done in this area [See VOFS]. However, it can take a long time to transition from research systems to software you can buy. This gap between publication and production may be even larger due to the need for a solution with many different components working together in an enterprise network. A complete solution must include secure servers as well as secure clients, which may utilize a wide range of services.

The question we are left with is: How long will it take for secure research systems to become available for deployment in an enterprise environment? This is a hard question to answer because it depends on a lot of factors. Often times professors and graduate students who design and build proof-of-concept security software stay in academia. For the software to become a commercial product, a group of developers, who may not be the original software designers, must take a significant risk by departing from traditional methods and implementing a brand new idea. Issues with intellectual property rights involving academic institutions can also slow down the time to market and create a financial barrier to development. One example of a research system that became a commercial product is SimOS, which led to the creation of VMWare. The first SimOS publication appeared in Winter of 1995. VMWare, in turn, was founded in 1998 and finished the VMWare workstation product in 1999, followed by the ESX and GSX servers in 2001. The time between publication and viable commercial software was approximately four years. The original Web Tap paper was first published in Fall of 2004. Now, in Fall of 2006, Web Tap Personal is freely available and Web Tap Enterprise is in Beta development. In general, the amount of time required to productize a research system can vary, but two to five years is a reasonable estimate.

Although paper-equivalent security looks to be on the horizon, it is not here yet and we must do what we can in the meantime to protect confidential information. Adding flow controls to our systems and cutting off as much unwanted information leakage as possible is necessary to mitigate the threats that we face today. At Web Tap Security, we are working hard to do the best job we can at eliminating data loss from spyware, hackers, web tunnels, and malicious insiders, which are currently the most dangerous threats. In the future, we hope to play a key role in developing a comprehensive computer security solution and move everyone beyond paper once and for all.