Information Integrity
Version: 1.0, Mar 15, 2007
AUTHOR(S):
Eric Maiwald
(emaiwald@burtongroup.com)
Additional Input:
Dan Blum, Trent Henry
Statement of Problem
What technical approaches should organizations use to protect the integrity
of electronic information in the resource layer?
23039
Publishing Information
Burton Group is a research and consulting firm specializing in network and applications infrastructure technologies.
Burton works to catalyze change and progress in the network computing industry through interaction with leading
vendors and users. Publication headquarters, marketing, and sales offices are located at:
Burton Group
7090 Union Park Center, Suite 200
Midvale, Utah USA 84047-4169
Phone: +1.801.566.2880
Fax: +1.801.566.3611
Toll free in the USA: 800.824.9924
Internet: info@burtongroup.com; www.burtongroup.com
Copyright 2007 Burton Group. ISSN 1048-4620. All rights reserved. All product, technology and service names are
trademarks or service marks of their respective owners.
Terms of Use: Burton customers can freely copy and print this document for their internal use. Customers can also
excerpt material from this document provided that they label the document as Proprietary and Confidential and add
the following notice in the document: Copyright 2007 Burton Group. Used with the permission of the copyright
holder. Contains previously developed intellectual property and methodologies to which Burton Group retains
rights. For internal customer use only.
Requests from non-clients of Burton for permission to reprint or distribute should be addressed to the Client
Services Department at +1.801.304.8174.
Burton Group's Security and Risk Management Strategies service provides objective analysis of networking
technology, market trends, vendor strategies, and related products. The information in Burton Group's Security and
Risk Management Strategies service is gathered from reliable sources and is prepared by experienced analysts, but it
cannot be considered infallible. The opinions expressed are based on judgments made at the time, and are subject to
change. Burton offers no warranty, either expressed or implied, on the information in Burton Group's Security and
Risk Management Strategies service, and accepts no responsibility for errors resulting from its use.
If you do not have a license to Burton Group's Security and Risk Management Strategies service and are interested
in receiving information about becoming a subscriber, please contact Burton Group.
Table Of Contents
Statement of Problem .... 5
Typical Requirements .... 6
  Maintain Integrity in All States of Data .... 6
  Maintain Integrity Throughout the Information Lifecycle .... 7
    Enterprise Policy .... 7
    Infrastructure Surety .... 8
  Manage Integrity in Context .... 9
  Protect Each Set of Information Appropriately .... 9
Alternatives .... 10
  Processes and Procedures .... 10
  Adaptation and Disaggregation .... 10
  Infrastructure Layer .... 11
    Repository .... 11
    Data Self-Protection (Content) .... 11
    Applications .... 12
    Systems .... 12
    Identity and Access Layer .... 13
    Perimeter Layer .... 14
  Surety of Protection .... 14
Future Developments .... 16
Evaluation Criteria .... 17
Statement & Basis for Position .... 19
  Data at Rest Position .... 19
    Establish an IT security baseline .... 19
    Protect the data itself .... 20
    Protect at the application layer .... 21
    Use repository protections .... 21
    Use a change control system .... 21
    Use audit and monitoring processes .... 21
  Data in Motion Position .... 21
    Protect the data itself .... 22
    Ignore the missing element .... 22
    Use acknowledgments .... 23
    Use sequencing to detect missing elements .... 23
  Data in Use Position .... 23
    Use application layer mechanisms .... 23
  Data Self-Protection Position .... 23
    Use procedural controls, transfer, or avoid the risk .... 24
    Use a transform .... 24
    Consider accepting the risk .... 24
  Application Layer Protection Position .... 24
    The application should apply separation of duties through its design and functions .... 24
    Attempt to disaggregate the information and use procedures to reduce the consequences to medium or low .... 25
    Use additional testing to validate the proper operation of the application and log all actions .... 25
    Log all actions .... 25
  Slowly Changing Unstructured Data at Rest Position .... 25
    Attempt to disaggregate the information and use procedures to reduce the consequences to medium or low .... 26
    Use transforms to detect an unauthorized change and react as necessary .... 26
    Periodically replace the data with a known good version .... 26
    Accept the risk .... 27
BURTON GROUP 7090 Union Park Center Suite 200 Midvale Utah 84047 P 801.566.2880 F 801.566.3611 www.burtongroup.com
Statement of Problem
What technical approaches should organizations use to protect the integrity of electronic information in the
resource layer?
Typical Requirements
Integrity is a security objective to prevent unauthorized or inappropriate changes to information (the knowledge,
ideas, or business data that is represented in some electronic form) and to ensure that it maintains internal and
external consistency. Verifying that the information actually reflects the reality of the real world is outside the
scope of this Technical Position. For Burton Group's short definition of integrity and a detailed discussion of
integrity and other security objectives, see the Security and Risk Management overviews, Concepts and
Definitions and An Objectives-Based Assessment Framework for Security Solutions.
The requirements for integrity come directly from the business. In order for the business to function properly, the
information used in transactions and the configurations of hosts, applications, and network devices must be free
from unauthorized or inappropriate modifications. Information reported to various regulatory agencies and to
stockholders, employees, customers, and partners must also be free from unauthorized modifications. Such
changes to information can have a range of consequences from simple embarrassment or minor outages to
regulatory penalties or even incarceration for senior executives. Successful theft or fraud perpetrated against the
organization may also have its roots in the unauthorized modification of information which is then used to process
transactions. In fact, it was the potential for fraud that led to the use of certain accounting procedures (such as
double entry bookkeeping and separation of duties between those who can authorize a financial transaction and
those who actually execute it).
Protecting business information such as accounting data is only one aspect of integrity that enterprises should be
concerned with. The other primary aspect of integrity is that of host and network device configurations. Although
configurations seem to be different from electronic information on the surface, they are, in reality, just another set
of information, albeit with a different purpose. The integrity of configuration information is then also covered
under the requirements and alternatives discussed in this Technical Position. It should be noted, however, that the
integrity of configuration information is also discussed to a greater depth of detail in the following Reference
Architecture Technical Positions:
This Technical Position examines the architectural options an enterprise may use to prevent, detect, and respond
to inappropriate modification or deletion of electronic information at rest, in motion, and in use. The requirements
for information integrity are as follows:
Maintain integrity in all states of data
Maintain integrity throughout the information lifecycle
Manage integrity in context
Enterprise Policy
Translating the business requirements for integrity (as they are embodied in various business processes) into the
IT domain is not straightforward. An early attempt at defining an integrity policy for secure computer systems
was made by K. J. Biba [2]. This policy stated that information exists at different levels of integrity and systems
should prevent information at lower levels of integrity from contaminating information at higher levels.
Implementing this policy would prevent a user or application from reading low-integrity information and writing
it to a high-integrity file. Unfortunately, though this model is relatively simple, it does not reflect business
requirements.
A more appropriate policy was defined in 1987 by David Clark and David Wilson [3]. This model put forward the
certification (C) and enforcement (E) rules shown in Table 1.
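The table of rules is not reproduced on this page, so the following added example (written for this edit, not part of the Burton Group paper) shows the enforcement side of the Clark-Wilson model in code, using the rule labels as they are commonly numbered: an integrity verification procedure (C1) checks that constrained data items (CDIs) are in a valid state, only certified transformation procedures (TPs) may change CDIs (C2/E1), each user is limited to specific (user, TP, CDI) triples (E2), the officer who certifies a TP may not also execute it (E4), and every attempt is written to an append-only log (C4). The ledger accounts, the double-entry invariant and the user names are constructed for the demonstration.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


class IntegrityError(Exception):
    """Raised when a Clark-Wilson rule would be violated; the CDIs stay unchanged."""


@dataclass
class ClarkWilsonSystem:
    cdis: Dict[str, int]                                               # constrained data items
    tps: Dict[str, Callable[..., None]] = field(default_factory=dict)  # certified TPs (C2)
    certifier: Dict[str, str] = field(default_factory=dict)            # who certified each TP
    triples: Set[Tuple[str, str, str]] = field(default_factory=set)    # (user, TP, CDI) (E2)
    log: List[dict] = field(default_factory=list)                      # append-only audit trail (C4)

    def ivp(self, cdis: Optional[Dict[str, int]] = None) -> bool:
        """C1: integrity verification procedure. Constructed invariant: a double-entry
        ledger in which every debit has a matching credit, so the balances sum to zero."""
        cdis = self.cdis if cdis is None else cdis
        return sum(cdis.values()) == 0

    def certify_tp(self, officer: str, name: str, fn: Callable[..., None]) -> None:
        """C2/E1: only procedures registered here are allowed to touch CDIs."""
        self.tps[name] = fn
        self.certifier[name] = officer

    def authorize(self, user: str, tp_name: str, cdi: str) -> None:
        """E2/E4: grant a (user, TP, CDI) triple. The officer who certified the TP may
        not also be granted the right to run it (separation of duties)."""
        if tp_name not in self.tps:
            raise IntegrityError(f"cannot authorize uncertified TP {tp_name!r}")
        if user == self.certifier[tp_name]:
            raise IntegrityError("the certifier of a TP may not also execute it")
        self.triples.add((user, tp_name, cdi))

    def run(self, user: str, tp_name: str, **params) -> Dict[str, int]:
        """E1/E2: run a certified TP for an authorized user on a copy of the CDIs, then
        commit only if the IVP still holds. Every attempt is logged (C4)."""
        if tp_name not in self.tps:
            self._log(user, tp_name, params, "denied")
            raise IntegrityError(f"{tp_name!r} is not a certified TP")
        touched = [v for v in params.values() if isinstance(v, str) and v in self.cdis]
        for cdi in touched:
            if (user, tp_name, cdi) not in self.triples:
                self._log(user, tp_name, params, "denied")
                raise IntegrityError(f"{user} may not run {tp_name} on {cdi}")
        candidate = copy.deepcopy(self.cdis)   # a misbehaving TP must never commit partially
        self.tps[tp_name](candidate, **params)
        if not self.ivp(candidate):
            self._log(user, tp_name, params, "rolled back")
            raise IntegrityError("TP left the CDIs in an invalid state; change rolled back")
        self.cdis = candidate
        self._log(user, tp_name, params, "committed")
        return dict(self.cdis)

    def _log(self, user: str, tp_name: str, params: dict, outcome: str) -> None:
        self.log.append({"user": user, "tp": tp_name, "params": dict(params), "outcome": outcome})


# Constructed TPs: transfer() preserves the double-entry invariant; write_off() does not,
# standing in for a procedure that was certified by mistake or carries a bug.
def transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    cdis[src] -= amount
    cdis[dst] += amount


def write_off(cdis: Dict[str, int], account: str) -> None:
    cdis[account] = 0


def attempt(cw: ClarkWilsonSystem, user: str, tp_name: str, **params) -> str:
    """Run a TP and return the logged outcome: 'committed', 'denied' or 'rolled back'."""
    try:
        cw.run(user, tp_name, **params)
    except IntegrityError:
        pass
    return cw.log[-1]["outcome"]


def build_demo() -> ClarkWilsonSystem:
    """Constructed ledger: 100 in cash balanced by a -100 equity entry."""
    cw = ClarkWilsonSystem(cdis={"cash": 100, "receivable": 0, "equity": -100})
    cw.certify_tp("security_officer", "transfer", transfer)
    cw.certify_tp("security_officer", "write_off", write_off)
    cw.authorize("alice", "transfer", "cash")
    cw.authorize("alice", "transfer", "receivable")
    cw.authorize("bob", "write_off", "receivable")
    return cw


if __name__ == "__main__":
    cw = build_demo()
    print(attempt(cw, "alice", "transfer", src="cash", dst="receivable", amount=30))  # committed
    print(attempt(cw, "bob", "transfer", src="cash", dst="receivable", amount=1))     # denied
    print(attempt(cw, "bob", "write_off", account="receivable"))                      # rolled back
    print(cw.cdis)
```

The point worth noticing is that the runtime IVP check is what catches the badly certified `write_off` TP: certification (the C rules) is a human process and can be wrong, so the enforcement (E rules) works on a copy and rolls back rather than trusting the TP.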
Infrastructure Surety
Surety is the combination of function and an assurance that the expected mechanism performs as intended.
Different security mechanisms provide different levels of surety. The need for a particular level of surety is driven
by the risk the organization faces. High-risk (or -consequence) situations should require high-surety control
mechanisms so that the risk is properly managed. Low-risk situations can be managed by low-, medium-, or high-surety controls, but the costs associated with the medium- and high-surety controls usually cause organizations to
use those of low surety. More information about the surety of mechanisms can be found in the Security and Risk
Management Strategies overview, Surety Ratings of Security Mechanisms for Architecture Planning.
Risks for integrity can be less obvious than those for confidentiality. For example, although the confidentiality of
information on a website may not need to be protected, the integrity of that information may be very important to
the public reputation of the organization.
Not all integrity risk must be mitigated. Organizations may choose alternative approaches, such as to transfer,
avoid, or accept the risk. More details on these alternative approaches can be found in the Security and Risk
Management Strategies report, Risk Management: Concepts and Frameworks.
Alternatives
Integrity is similar to, but not the same as, confidentiality. While many of the same mechanisms can be used to
protect both integrity and confidentiality, in some cases, the mechanisms used to protect integrity may be at odds
with the need to protect confidentiality. Detailed positions on confidentiality protection can be found in the
Reference Architecture Technical Position, Information Confidentiality.
The purpose of this Technical Position is not to go into great detail on all of the various mechanisms that can be
used to prevent or detect integrity violations. Rather, this Technical Position will map high-level alternatives into
categories of protection. Other Technical Positions will provide greater detail on specific technical architectures
and mechanisms that can be used to provide the protection. For example, perimeter controls can be used to
prevent unauthorized access to protected information but the details of perimeter controls are discussed in the
Reference Architecture Technical Position, Perimeters and Zones.
Many mechanisms exist to provide integrity protection for information that is in physical form. Many of these
mechanisms fall into the category of processes and procedures discussed in the next section. However, the
protection of information in physical form is beyond the scope of this Technical Position.
This Technical Position is designed so that the reader begins with knowledge of the different sets of information
requiring integrity protection. For each set, its state (i.e., at rest, in motion, in use) is determined and the reader
uses that position as the starting point. Working through the initial positions may take the reader to additional
positions regarding data self-protection, application layer protection, or the various aspects of unstructured data.
Nothing in these positions should be taken to mean that only a single protection mechanism should be used. On
the contrary, where possible, a layered approach is typically preferred so that there is some amount of defense in
depth.
Risk disaggregation can be thought of as dividing your eggs between multiple baskets. In the case of integrity,
risk may be reduced by keeping multiple copies of protected information in different locations. Doing so makes it
more difficult for an intentional or accidental action to modify all copies of the information while at the same time
making it easier to compare the copies to identify that a modification has been made. Of course, distributing
information to multiple locations may impact the confidentiality of the information and may actually conflict with
confidentiality requirements calling for the physical separation of the information. Here is a case where
mechanisms that help integrity may adversely impact confidentiality.
Another approach to risk disaggregation is to create redundant systems, each of which contains a part of one or
more information sets. For example, concerned that an integrity failure of its auctions database would doom its
business, an online auction site could create multiple independent auctions databases. Such disaggregation
reduces the benefits of centralization and may increase complexity, especially if the databases must appear to
support a single seamless application and be able to exchange data with one another. For a general discussion of
risk disaggregation, see the Security and Risk Management Strategies overview, Risk Aggregation: The
Unintended Consequence.
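As an added illustration of the copy-comparison idea in the two paragraphs above (example code written for this edit, not from the paper), the routine below reconciles several independently held copies of a record by digest and trusts only a strict majority. It also allows "witness" locations that hold just the digest of the record rather than the content, which is one way to keep the integrity benefit of extra copies at sites that, for confidentiality reasons, must not hold the data itself. The record content, site names and the majority rule are constructed assumptions.

```python
import hashlib
from collections import Counter
from typing import Dict, Optional, Tuple


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reconcile(copies: Dict[str, bytes],
              witnesses: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], Dict[str, str]]:
    """Compare independently held copies of one record.

    copies    : location -> full content (sites allowed to hold the data)
    witnesses : location -> digest only (sites that vote on integrity without ever
                seeing the content, sidestepping the confidentiality conflict)
    Returns the digest a strict majority agrees on (None if there is no quorum)
    and a verdict for every location.
    """
    votes = {loc: digest(data) for loc, data in copies.items()}
    votes.update(witnesses or {})
    if not votes:
        return None, {}
    winner, count = Counter(votes.values()).most_common(1)[0]
    if count <= len(votes) // 2:          # tie or minority: no copy can be trusted
        return None, {loc: "no-quorum" for loc in votes}
    return winner, {loc: ("ok" if d == winner else "divergent") for loc, d in votes.items()}


def demo() -> Dict[str, str]:
    """Constructed record replicated to three sites, one of which was altered."""
    good = b"invoice 1042; payee ACME; total 1200.00"
    altered = b"invoice 1042; payee ACNE; total 1200.00"
    _, verdict = reconcile({"dc-east": good, "dc-west": altered, "dc-dr": good})
    return verdict


if __name__ == "__main__":
    print(demo())   # dc-west is flagged as divergent
```

With only two copies a disagreement tells you that something changed but not which copy to believe, which is why the function reports "no-quorum" rather than guessing; three locations (or two plus a digest-only witness) are the minimum for the comparison to also identify the bad copy.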
Infrastructure Layer
The layers at which integrity protection can be deployed correspond to the layers described in the Reference
Architecture Root Template, Information Security Technology Model. These include the repository, content,
applications, systems, identity and access, and perimeter layers.
Repository
Repositories, content management systems, or database management systems (DBMSs) are places of protection
for both structured and unstructured data at rest. Files are checked into the repository and it controls who is
allowed to access the files. Although repositories are often considered controls for confidentiality, they can also
provide protection for integrity. The repository can control who is authorized to update a file and can also log all
access and changes and provide rollback capability.
Historically, repositories were only used for high-value data, primarily due to the cost of the repository products
and the impact they had on the normal work of employees. However, this is changing with the cost of these
products coming down and the integration with normal employee workflow increasing.
Applications
Applications use data to perform transactions. Therefore, applications are a critical component of any information
integrity architecture. Applications provide the following:
Applications are also involved in data in motion as it may be the application that detects missing or modified data.
The impact on the application will also determine if small amounts of information can be lost (thereby
determining if some type of acknowledgment or sequencing mechanism must be used). Audio and video
transmission is an example of data that can sustain the loss of small amounts of information. In fact, in that
example, it is normally more disruptive to attempt to retransmit missing information.
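The following added example (written for this edit, not code from the paper) shows what the application-layer detection described above looks like in practice: the sender seals each element with a sequence number and an HMAC, and the receiver distinguishes modified, missing and replayed elements. The same receiver can be configured either to tolerate gaps and carry on, as the audio/video case allows, or to stop at the gap and request retransmission, as transactional data requires. The shared key, the frame layout and the sample exchange are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

KEY = b"constructed-demo-key"   # assumption: a secret already shared by both ends
TAG_LEN = 32                     # HMAC-SHA256 digest size


def seal(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: prepend a 4-byte sequence number and append an HMAC over header+payload."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Application-side receiver that detects modified, missing and replayed elements."""

    def __init__(self, tolerate_loss: bool, key: bytes = KEY):
        self.tolerate_loss = tolerate_loss  # True for stream-like data, False for transactions
        self.key = key
        self.expected = 0
        self.accepted: List[int] = []       # sequence numbers delivered to the application
        self.events: List[str] = []         # what the integrity checks observed

    def receive(self, frame: bytes) -> bool:
        """Return True if the frame is delivered to the application, False if dropped."""
        if len(frame) < 4 + TAG_LEN:
            self.events.append("malformed")
            return False
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):   # content changed in transit
            self.events.append("modified")
            return False
        seq = struct.unpack(">I", header)[0]
        if seq < self.expected:                           # duplicate or replayed element
            self.events.append(f"replay {seq}")
            return False
        if seq > self.expected:                           # one or more elements missing
            gap = list(range(self.expected, seq))
            if not self.tolerate_loss:
                # Transactional data: hold the line at the gap and ask for retransmission.
                # (A real receiver would buffer this frame; it is dropped here for brevity.)
                self.events.append(f"missing {gap} -> retransmit requested")
                return False
            self.events.append(f"missing {gap} -> skipped")   # streaming data: carry on
        self.expected = seq + 1
        self.accepted.append(seq)
        return True


def demo(tolerate_loss: bool) -> Tuple[List[int], List[str]]:
    """Constructed exchange: four elements; one is modified, one lost, one arrives late."""
    frames = [seal(i, f"chunk{i}".encode()) for i in range(4)]
    tampered = frames[2][:6] + bytes([frames[2][6] ^ 0x01]) + frames[2][7:]  # flip one payload bit
    rx = Receiver(tolerate_loss)
    for f in (frames[0], tampered, frames[3], frames[1]):
        rx.receive(f)
    return rx.accepted, rx.events


if __name__ == "__main__":
    print(demo(tolerate_loss=True))    # delivers 0 and 3, records the gap and the late replay
    print(demo(tolerate_loss=False))   # delivers 0 and 1, waits at the gap for retransmission
```

The sequence number is covered by the MAC, so an attacker who can modify the channel cannot reorder or drop elements without either breaking a tag or leaving a visible gap; which of the two loss policies is right is a decision for the application owner, as the paragraph above notes, not for the transport.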
Since applications are so critical for information integrity, it is important that they be designed and developed
properly. The surety associated with an application must match the risk level of the function performed and of the
data being processed unless compensated for by other controls. The surety required will impact the testing and
validation requirements of the application.
Protection provided by applications must be recreated or reapplied for each application that is to be developed.
Therefore, it may be more appropriate to implement global procedures within the DBMS.
Related Reference Architecture components include:
Application Security (Application Platform Strategies Technical Position)
Relevant Security and Risk Management Strategies research documents include:
Systems
Integrity protection mechanisms on systems include both preventative controls and detection mechanisms.
Mechanisms are deployed to prevent unauthorized user access with the idea that if unauthorized access is
prevented, modifications cannot be made to protected information. Preventative controls include such things as
antivirus software, host intrusion prevention system (HIPS) products, system firewalls, and various types of data
encryption products. These same controls can be used to protect the confidentiality of information. In other words,
these mechanisms prevent any type of unauthorized access.
Detection mechanisms on systems focus on detecting and correcting unauthorized changes to system
configurations. These mechanisms generally fit into the vulnerability management category, but this category has
expanded to include policy and configuration management products. To some extent, these products are also
preventative in nature as the proper configuration of the system prevents unauthorized access attempts from
succeeding.
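The detection side of the preceding paragraph, as an added example (written for this edit; it is not a product or code described by the paper): a configuration tree is fingerprinted into a baseline, and a later scan is classified into added, removed and modified files. The sample configuration files, their contents and the simulated drift are constructed. Note that, as the surety discussion below points out, the checker itself runs under the operating system it is checking, so the baseline has to be kept where the monitored host cannot rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def fingerprint(path: Path) -> Dict[str, object]:
    """Record the content hash plus metadata that an unauthorized edit may also alter."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mode": st.st_mode & 0o777,
        "size": st.st_size,
    }


def take_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Fingerprint every regular file below root, keyed by its relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, Dict], current: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Classify drift between a stored baseline and a fresh scan."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif baseline[name] != current[name]:
            report["modified"].append(name)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed configuration tree, baselined, then drifted in three ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "motd").write_text("welcome\n")
        # The baseline belongs in a store the monitored host cannot rewrite (offline,
        # signed); serialising it to JSON and back stands in for that here.
        stored = json.loads(json.dumps(take_baseline(root)))
        # Simulated unauthorized drift: a hardening setting flipped, a file removed, a file added.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "motd").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/backup\n")
        return compare(stored, take_baseline(root))


if __name__ == "__main__":
    print(demo())   # {'added': ['cron.d/nightly'], 'removed': ['motd'], 'modified': ['sshd_config']}
```

Correction, the other half of what the paragraph describes, follows naturally from this report: a known-good copy of each baselined file is restored for every "modified" or "removed" entry, and every "added" entry is reviewed. Hashing only detects that a change happened; deciding whether it was authorized still needs a change-control record to compare against.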
Generally, all system protection mechanisms are low surety as they rely on the operating system to not subvert the
security mechanism. Encryption products may achieve medium surety if the algorithm is vetted and the
implementation is properly tested. But even here, the encryption software must run under the operating system so
medium surety is still difficult to achieve without some type of hardware component. Increasing the security
provided by the operating system increases the overall preventative security provided by the system.
Related Reference Architecture components include:
Perimeter Layer
The perimeter layer provides preventative integrity protections in that the deployment of perimeter mechanisms
prevents unauthorized users from gaining access to systems and information. In a number of cases (such as
information provided on a website), preventative controls focus not so much on preventing information from
being accessed, but rather on preventing unauthorized users from gaining write access (i.e., the ability to make a
change) to the information.
Filters are used by many perimeter mechanisms to block attacks or malicious content from entering a network.
These filtering mechanisms may be deployed within firewalls or network intrusion detection and response
systems (NIDRS), but they tend to be low surety.
Transforms (in the form of encrypted VPNs) may be used to protect data in motion as it traverses untrusted
networks. The VPNs may be implemented as part of the perimeter layer. It should be noted that information can
also be transformed at the application layer. Transforms may achieve medium surety if properly implemented.
The perimeter layer is also used to enforce separation. Physical separation can be used as a high-surety
mechanism to protect information. However, separation does not have the same utility for integrity as it does for
confidentiality; therefore, it is less likely to prove valuable because information may need to be read even when
writing is prohibited.
Related Reference Architecture components include:
Web Application Firewalls Are Dead! Long Live Web Application Firewall Functionality (report)
Network Intrusion Detection and Response: More than Just Speed Bumps on the Network? (report)
Firewall Futures: Can a Mature Technology Learn New Tricks? (overview)
Enforcing Access Security: Maturing Role for SSL VPNs (report)
Wireless LAN Intrusion Detection Systems: Something's in the Air (report)
Enterprise Firewalls and Perimeter Architecture (report)
Surety of Protection
The surety of protection should be matched to the risk associated with an integrity violation. The vast majority of
technical controls are low-surety mechanisms. Even in cases where medium-surety mechanisms can be found
(such as in the cases of properly implemented cryptographic devices), much depends on the surrounding devices
and system components. The surety of applications is related to the development process and to the testing that
the application undergoes. It should be stressed that security testing (i.e., testing to determine that no fault exists
that will allow unauthorized transactions to occur) is significantly different and more resource intensive than
functional testing (i.e., testing that certain functions work as required and designed).
Future Developments
While the future developments of specific technologies and mechanisms are considered in Reference Architecture
Technical Positions specifically devoted to those technologies and mechanisms, some larger issues and changes
are coming that will impact how integrity protection is provided.
In many ways, integrity has been the poor stepbrother of confidentiality and this has resulted in a focus on
protecting information from unauthorized disclosure. While this protection has also prevented many types of
unauthorized modification from taking place (if I can't see it, I can't change it), integrity protection is becoming
more of an issue. Recent regulatory changes that require executives to sign off on financial statements or that have
changed how information is disclosed during legal procedures have increased the requirements for information
integrity. It is likely that this trend will continue so that enterprises will need to define the integrity requirements
for information. This will likely lead to more-detailed integrity requirements for applications processing
information.
Information management systems or repositories are becoming more available and their increased use will
provide a more comprehensive environment for managing unstructured data. As the repositories become more a
part of day-to-day workflow, organizations will have a built-in ability to track how information is changed over
time.
The nature of our information is also changing. Today, there is a difference between how structured and
unstructured information are used, processed, and stored. But changes are coming as DBMSs (the traditional
home of structured data) become capable of storing free-flowing text (normally considered unstructured data).
The control capabilities of the DBMS will improve the mechanisms around the unstructured data but does that
mean that the mechanisms will be able to detect changes to the necessary level of granularity? On the other end of
the spectrum, text files (traditionally the definition of unstructured data) are becoming more structured through
the use of Extensible Markup Language (XML) tags. Perhaps this will make it easier to detect modifications and
track how a file is changing over time.
On systems, the promise of secure or trusted operating systems and modules continues to loom on the horizon.
Deployment of trusted platform modules (TPMs) to more systems opens the possibility of greater surety over
cryptographic mechanisms, including those used to detect integrity violations. Matching the hardware modules
with more-trusted operating systems and application code may increase the surety levels provided by systems.
Evaluation Criteria
In addition to the Reference Architecture Principles, the following evaluation criteria should guide an
organization's information integrity architecture decisions through the position statements found in the next
section. In some cases, these evaluation criteria need to be considered separately for multiple sets of information.
Where is the information?
The location of the information will impact the types of preventative mechanisms that can be deployed to
protect it. Information that exists within repositories also may be protected by the capabilities of the repository.
Where is the control point?
The location of the control point impacts the choice of integrity protection to a large extent. If the control point
is located within the organization, a larger choice is available for preventative and detection mechanisms.
How fast does information change?
Information that is constantly being updated is very difficult to protect using change control procedures.
Therefore, the faster the rate of change, the more after-the-fact detection mechanisms will be used.
Who has to validate that the information has not been modified in an unauthorized manner?
Procedures should be defined for verifying that information has not been modified. These procedures will need
to be implemented in applications and in the processes and procedures around information.
Who can determine that the process implemented in software is a proper mirror of the actual business process?
Because the process is defined by the business, it may not be up to the IT staff to determine that the transaction
process implemented within an application is the same as defined by the business. Business staff will need to
be involved in application testing.
What is the sensitivity of the information stored across the enterprise?
Just as different sets of information have different confidentiality requirements, different sets of information
will have different integrity requirements. It is unlikely that a single classification tag (such as confidential)
will communicate all of the necessary information to determine both confidentiality and integrity requirements.
What are the consequences of a violation of integrity?
Consequences and therefore risk will determine the surety requirements for integrity protection mechanisms.
The consequences of an integrity violation should be determined for each set of data so that proper decisions
can be made.
What business processes are in place to detect violations of integrity?
Existing business processes may reduce the risk of an integrity violation. Alternatively, the business processes
will need to be implemented in applications or within the IT environment.
What existing preventative controls already exist in the organization?
Existing preventative controls can be used to reduce the risk of an integrity violation. For example, if
encryption is already being used to protect information for confidentiality, then the group of users capable of
accessing the information and making a change is already reduced. The same is true for perimeter and system
controls: if they are already in place, they may reduce the risk of unauthorized modification.
What type of information is to be protected (structured vs. unstructured, static vs. dynamic)?
Different types of information require different mechanisms for integrity protection. Protection for structured
data will tend toward applications while protection for unstructured data will tend toward repositories, the use
of transforms, or the use of logging and after-the-fact analysis.
How is the information used (does missing an element impact the communication)?
Information use will impact the consequences of an integrity violation and therefore the mechanisms and
surety levels required. If the loss of a small amount of information will impact the sender or receiver, some
mechanism must be deployed to detect the loss and then to cause a retransmission to occur. Applications that
are not impacted from the loss of small amounts of information do not require such mechanisms.
What communication paths are available?
For data in motion, the available communication paths will impact the mechanisms that can be used to detect
integrity violations.
What type of testing is included in the software development lifecycle (SDLC)?
An organization's SDLC process impacts the surety of applications. If testing is only performed to make sure
the required functions are provided, there is less surety than if more-detailed security testing is performed.
Logging of the use of administrator privileges: Administrators (system, network, and database) can bypass
normal user and application controls due to the nature of their jobs. Although it is nearly impossible to prevent
an administrator from modifying data at rest, recording the actions of the administrator and storing the records
in a protected environment to which the administrator does not have access provides a mechanism to detect the
unauthorized modification.
Proper change control to mitigate mistakes: Proper change control procedures can do much to prevent
mistakes. Change control may include mechanisms such as two-person commit sequences for transactions or
peer review and approval for changes to websites and device configurations.
Figure 2 shows a flow chart depicting the logic to use when identifying integrity protections for information at
rest. The protections that may be applied first depend on where the information's control point exists. The second
consideration is the type of data that is being protected. Structured data requires different types of protective
measures than unstructured data. If a repository is available, it should be used for unstructured data as repositories
provide many integrity protections. If a repository is not available, the next consideration is whether the data
changes slowly or quickly.
Information may reside on user systems that are not under the control of the enterprise. The control point for
protecting the information from unauthorized modification may also reside outside the control of the enterprise. In
these cases, the ability to prevent unauthorized modification or to determine if the information has been modified
must reside with the information (see the Data Self-Protection position).
The protections that may be applied first depend on whether the concern is for the modification of information or
for the complete deletion of the information. Note that it may be necessary to examine both cases for some types
of information. The second consideration is whether the loss of a single element (packet or message) will
adversely impact the sender or receiver of the information. In some cases, the loss of a single packet will not
impact the communication and it is more advantageous to simply ignore the lost information. If the loss of a
single element will impact the sender or receiver, a third consideration is whether there is a path for the receiver to
notify the sender of the lost information.
In some cases (such as in the transmission of voice or video), the loss of some information does not impact the
overall operation of either the sender or the recipient of information. In fact, attempts to ask for retransmission
may adversely affect the operation of the system being used. In these cases, it is a better option to simply ignore
the missing element.
Or
Use acknowledgments.
Acknowledgments allow the recipient of information to notify the sender that the information has, in fact, been
received. If the sender does not receive an acknowledgment within some period of time, it can be assumed that the
information did not arrive as planned and the sender can retransmit the information. It should be noted that it is
also possible that the acknowledgment was lost rather than the original information and therefore the recipient
needs a mechanism (such as a sequence number) to determine that the retransmission is a duplicate.
Acknowledgments can occur as part of network protocols or may be built into applications. The use of
acknowledgments requires there to be a communication path from the recipient back to the sender. In some cases,
the acknowledgment itself must be protected from an unauthorized modification. If this is the case, the
acknowledgment becomes the data to be protected (see the Data Self-Protection position).
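The exchange described above, as an added example that is not part of the original document: a stop-and-wait sender that retransmits on a missing acknowledgment, and a receiver that uses sequence numbers to recognize the retransmission that follows a lost acknowledgment. The channel failure schedule is constructed so the run is reproducible; the message and class names are illustrative.

```python
# Added example: acknowledgments with sequence numbers. Constructed for this
# document; not code from the original text.


class Receiver:
    """Receiving side. Each in-order message is delivered once; a retransmission
    whose ACK was lost arrives with an already-seen sequence number and is
    acknowledged again but not delivered again (dedupe=True). dedupe=False
    models a naive receiver that has no sequence numbers."""

    def __init__(self, dedupe=True):
        self.dedupe = dedupe
        self.delivered = []     # what the application sees, in order
        self.expected_seq = 0   # next sequence number accepted for delivery

    def receive(self, seq, payload):
        if seq == self.expected_seq:
            self.delivered.append(payload)
            self.expected_seq += 1
        elif not self.dedupe:
            self.delivered.append(payload)  # duplicate applied twice: the failure mode
        # cumulative ACK: highest sequence number delivered in order so far
        return self.expected_seq - 1


class LossyChannel:
    """Constructed channel with a scripted failure schedule. Events: 'ok',
    'drop_data' (message never arrives) and 'drop_ack' (message arrives, the
    ACK on the return path is lost)."""

    def __init__(self, receiver, schedule):
        self.receiver = receiver
        self.schedule = list(schedule)
        self.log = []

    def transmit(self, seq, payload):
        event = self.schedule.pop(0) if self.schedule else "ok"
        self.log.append((seq, event))
        if event == "drop_data":
            return None
        ack = self.receiver.receive(seq, payload)
        return None if event == "drop_ack" else ack


class Sender:
    """Sends one message at a time and retransmits until it is acknowledged.
    The sender cannot tell a lost message from a lost ACK; the receiver's
    sequence numbers resolve that ambiguity."""

    def __init__(self, channel, max_attempts=5):
        self.channel = channel
        self.max_attempts = max_attempts
        self.next_seq = 0
        self.retransmissions = 0

    def send(self, payload):
        seq = self.next_seq
        for attempt in range(self.max_attempts):
            if attempt:
                self.retransmissions += 1
            ack = self.channel.transmit(seq, payload)   # None models an ACK timeout
            if ack is not None and ack >= seq:
                self.next_seq += 1
                return attempt + 1
        raise RuntimeError(f"seq {seq} unacknowledged after {self.max_attempts} attempts")


def run_demo(dedupe=True):
    """Three messages over a channel that loses the second message once and
    the ACK for the third message once (constructed schedule)."""
    receiver = Receiver(dedupe=dedupe)
    channel = LossyChannel(receiver, ["ok", "drop_data", "ok", "drop_ack", "ok"])
    sender = Sender(channel)
    for payload in ["m0", "m1", "m2"]:
        sender.send(payload)
    return {"delivered": receiver.delivered,
            "retransmissions": sender.retransmissions,
            "events": channel.log}


if __name__ == "__main__":
    print(run_demo())               # m2 delivered once
    print(run_demo(dedupe=False))   # m2 delivered twice: the lost-ACK duplicate
```

With sequence numbers the receiver delivers m0, m1, m2 exactly once after two retransmissions; without them the retransmission of m2 (sent only because its ACK was lost) is applied a second time, which for a financial transaction would itself be an integrity violation.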
Or
Use a transform.
Transforms can be used to limit access to data or to detect that the information has been modified. If it is only
necessary to detect that the data has been modified, a cryptographic checksum can be computed over the
information and kept with it so that the integrity can be verified at the time of use (see the Data in Use
position). The checksum must be keyed (a message authentication code) or signed; an unkeyed hash stored
alongside the data can simply be recomputed by whoever changed the data. A digital signature is required if the
modification must also be provable to a third party. If confidentiality is also desired, the transform chosen must
provide both properties: encryption by itself does not protect integrity, because ciphertext can be altered in a way
that produces a predictable change to the plaintext unless an authenticated encryption mode, or encryption
combined with a message authentication code, is used.
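The three transform options above, as an added example that is not part of the original document: a keyed checksum kept with the data, encryption on its own, and encrypt-then-MAC, each tried against the same edit of a payment amount. The keystream cipher is a toy built from SHA-256 in counter mode so the block runs with the standard library only; it is not a vetted cipher, and the keys, nonce and message are constructed.

```python
import hashlib
import hmac

# Added example, constructed for this document. The keystream below is a toy
# (SHA-256 in counter mode) standing in for any unauthenticated stream or CTR
# mode; the malleability it shows is a property of all such modes.


def keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key, nonce, data):
    """Confidentiality only: XOR with the keystream (decryption is the same op)."""
    return xor(data, keystream(key, nonce, len(data)))


def tag(mac_key, data):
    """Keyed checksum (HMAC-SHA256) kept with the data and checked at time of use."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify_unkeyed(data, digest):
    """What an unkeyed hash stored next to the data can check."""
    return hashlib.sha256(data).digest() == digest


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    return nonce + ct + tag(mac_key, nonce + ct)


def open_sealed(enc_key, mac_key, blob):
    """Returns the plaintext, or None if the tag does not verify."""
    nonce, ct, t = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(t, tag(mac_key, nonce + ct)):
        return None
    return encrypt_only(enc_key, nonce, ct)


def rewrite_field(ciphertext, offset, old, new):
    """Attacker step: knowing only the plaintext layout (not the key), XOR the
    ciphertext bytes of a field with old^new so it decrypts to `new`."""
    delta = xor(old, new)
    end = offset + len(delta)
    return ciphertext[:offset] + xor(ciphertext[offset:end], delta) + ciphertext[end:]


def demo():
    enc_key, mac_key, nonce = b"\x01" * 32, b"\x02" * 32, b"\x03" * 16  # constructed
    pt = b"PAY amount=000100 to=ACME"
    off = pt.index(b"000100")
    edited_pt = pt.replace(b"000100", b"999100")

    # 1. Unkeyed digest stored with the data: the editor stores a new digest too.
    unkeyed_fooled = verify_unkeyed(edited_pt, hashlib.sha256(edited_pt).digest())

    # 2. Keyed checksum: without mac_key the editor cannot produce a valid tag.
    keyed_detects = not hmac.compare_digest(tag(mac_key, pt), tag(mac_key, edited_pt))

    # 3. Encryption alone: the amount is rewritten inside the ciphertext, undetected.
    ct = encrypt_only(enc_key, nonce, pt)
    forged_pt = encrypt_only(enc_key, nonce, rewrite_field(ct, off, b"000100", b"999100"))

    # 4. Encrypt-then-MAC: the same manipulation is rejected at time of use.
    blob = seal(enc_key, mac_key, nonce, pt)
    forged_blob = blob[:16] + rewrite_field(blob[16:-32], off, b"000100", b"999100") + blob[-32:]

    return {
        "unkeyed_digest_fooled": unkeyed_fooled,
        "keyed_tag_detects": keyed_detects,
        "encrypt_only_result": forged_pt,
        "authenticated_rejects": open_sealed(enc_key, mac_key, forged_blob) is None,
        "authenticated_roundtrip": open_sealed(enc_key, mac_key, blob) == pt,
    }


if __name__ == "__main__":
    print(demo())
```

The point of step 3 is that the attacker never learns the key and never sees the plaintext; knowing where the amount sits in the record is enough. Only the keyed tag (steps 2 and 4) turns that edit into a detectable event, which is why the tag must cover the ciphertext and why the MAC key has to be withheld from anyone who is allowed to read or move the data.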
(Note: One of the following positions is recommended in addition to the position listed above.)
IF the consequences of a violation of integrity are high
THEN attempt to disaggregate the information and use procedures to reduce the consequences to medium or
low
OTHERWISE IF the consequences of a violation of integrity are medium
THEN use additional testing to validate the proper operation of the application and log all actions
OTHERWISE log all actions
Alternative Application Layer Protection position statements (important: for each set of sensitive
information, choose only one):
What integrity methods should be used to protect slowly changing unstructured data at rest?
In addition to maintaining an IT security baseline as described in the Data at Rest position, the following
positions are also recommended.
IF the consequences of a violation of integrity are high
THEN attempt to disaggregate the information and use procedures to reduce the consequences to medium or
low
OTHERWISE IF the consequences of a violation of integrity are medium or the cost of detection is less than the
risk
THEN use transforms to detect an unauthorized change and react as necessary
OTHERWISE IF the data is visible to the public
THEN periodically replace the data with a known good version
OTHERWISE accept the risk
Alternative Slowly Changing Unstructured Data at Rest position statements (important: for each set of
sensitive information, choose only one):
Information that needs to be protected from unauthorized changes may be highly visible (such as on a webpage)
and on a host where verifying the integrity of the information on a regular basis is too costly in processing
cycles or time. The information is relatively static, so any change to it can be considered unauthorized. Rather
than perform the steps necessary to verify whether the information has changed, it may be appropriate to simply
replace it with information from a known good source. The information within the known good source must itself
be properly protected from unauthorized changes, but because it is not exposed to the public the cost of verifying
it will be lower, so other controls can be used there.
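An added example that is not part of the original document, covering both the "use transforms to detect an unauthorized change" and the "periodically replace the data with a known good version" positions for slowly changing unstructured data: a keyed manifest is taken from the known-good copy, the served tree is checked against it, and the served tree is then replaced wholesale. The directory names, file contents, tampering and manifest key are constructed; the manifest key is assumed to be held by the checker rather than on the web host.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

# Added example, constructed for this document. Assumes a served tree
# ("htdocs") and a known-good copy ("golden") that only the release process
# can write; the manifest key lives with the checker, not the web server.


def file_tag(key, path):
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(key, root):
    """Relative path -> keyed tag for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_tag(key, p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(key, root, manifest):
    """Compare the served tree against the manifest taken from the known-good copy."""
    current = build_manifest(key, root)
    return {
        "changed": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "extra": sorted(n for n in current if n not in manifest),
    }


def restore(golden, root):
    """The cheap option the text describes: do not repair in place, replace the
    served tree with the known-good copy."""
    shutil.rmtree(root)
    shutil.copytree(golden, root)


def demo():
    key = b"\x07" * 32  # constructed key
    with tempfile.TemporaryDirectory() as tmp:
        golden, root = Path(tmp, "golden"), Path(tmp, "htdocs")
        (golden / "js").mkdir(parents=True)
        (golden / "index.html").write_text("<h1>Welcome</h1>")
        (golden / "js" / "app.js").write_text("console.log('ok');")
        shutil.copytree(golden, root)
        manifest = build_manifest(key, golden)
        clean = check(key, root, manifest)

        # constructed tampering of the served copy: defacement, injected script, deleted file
        (root / "index.html").write_text("<h1>Defaced</h1>")
        (root / "js" / "evil.js").write_text("exfiltrate();")
        (root / "js" / "app.js").unlink()
        found = check(key, root, manifest)

        restore(golden, root)
        after = check(key, root, manifest)
    return {"clean": clean, "found": found, "after": after}


if __name__ == "__main__":
    print(demo())
```

The check reports three classes of deviation (changed, missing, extra) because an added file is as much an integrity event as an altered one on a public site. The manifest is keyed so that an attacker who can write to the served tree cannot also refresh the baseline; if the checker can afford only the replacement step, the manifest can still be kept for after-the-fact investigation.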
Information that changes rapidly is very difficult to manage for integrity. By its very nature, the information is
constantly changing. Static mechanisms do not work well with this type of information and so it is more
advantageous to maintain an audit trail of all changes. Using the audit trail, transactions can be recreated and
verified off line. The audit trail should identify the change that was made and the user or process that made the
change. Audit trails can be used for rollback purposes as well. The use of the audit log should allow the data to be
returned to a known good state. Of course, the audit log itself must be properly protected from unauthorized
modification. Automated analysis of the audit logs may catch up by verifying all changes during off-peak times,
or statistical sampling could be used to identify potential problem areas for more intensive investigation.
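An added example that is not part of the original document, serving both the logging-of-administrator-privileges point earlier in the paper and the audit-trail position above: a key/value store whose every write is recorded in an HMAC-chained audit trail before it is applied. The chain key is assumed to be held by the log collector rather than by the administrator, so an entry cannot be edited, reordered or dropped without breaking the chain; off-line analysis flags writes that bypassed the application, and rollback is performed through logged compensating writes rather than by deleting history. Actors, keys and values are constructed.

```python
import copy
import hashlib
import hmac
import json

# Added example, constructed for this document. Each entry's HMAC covers its
# predecessor's hash; the key belongs to the log collector, not to the DBA.

GENESIS = "0" * 64


class Ledger:
    """Key/value store in which every write is recorded before it is applied."""

    def __init__(self, log_key):
        self.log_key = log_key
        self.state = {}
        self.entries = []

    def _entry_hash(self, body):
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.log_key, msg, hashlib.sha256).hexdigest()

    def write(self, actor, via, key, value):
        """via: 'app' for changes made through the application, 'direct' for an
        administrator bypassing it, 'rollback' for logged repairs."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "via": via,
                "key": key, "old": self.state.get(key), "new": value, "prev": prev}
        self.entries.append(dict(body, hash=self._entry_hash(body)))
        if value is None:
            self.state.pop(key, None)
        else:
            self.state[key] = value
        return body["seq"]

    def verify(self):
        """Seq of the first entry that fails (edited, reordered or missing), or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(self._entry_hash(body), e["hash"])):
                return i
            prev = e["hash"]
        return None

    def bypass_events(self):
        """Off-line analysis: writes that did not go through the application."""
        return [e["seq"] for e in self.entries if e["via"] == "direct"]

    def rollback_to(self, seq, actor):
        """Return state to what it was after entry `seq` by re-applying recorded
        old values newest-first; repairs are themselves logged, never spliced in."""
        for e in reversed(self.entries[seq + 1:]):
            self.write(actor, "rollback", e["key"], e["old"])


def demo():
    db = Ledger(b"collector-key")  # constructed key
    db.write("alice", "app", "acct:42", 100)
    db.write("bob", "app", "acct:42", 150)
    db.write("dba", "direct", "acct:42", 9000)  # administrator bypassing the application

    flagged = db.bypass_events()
    intact = db.verify()

    # The administrator tries to disguise the change in a copy of the log.
    forged = copy.deepcopy(db)
    forged.entries[2]["new"] = 150
    tampered_at = forged.verify()

    db.rollback_to(1, "auditor")
    return {"flagged": flagged, "intact": intact, "tampered_at": tampered_at,
            "state": dict(db.state), "entries": len(db.entries),
            "chain_after_rollback": db.verify()}


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The chain is keyed, so an administrator who can read and write the log file still cannot re-seal an altered entry; the same effect can be had with an unkeyed hash chain if the latest hash is regularly anchored somewhere the administrator cannot write. And rollback never truncates the log: the unauthorized write and its reversal both remain visible for the off-line verification and sampling the text describes.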
Revision History
March 2007
This is the first iteration of this Technical Position.
Author Bio
Eric Maiwald
Senior Analyst
Emphasis: Information security architecture, perimeter security, enterprise security management, infrastructure
protection, mobility and mobile security
Background: Over 18 years of experience in enterprise information security as a security officer and consultant
(with Fortrex Technologies) for large financial institutions, healthcare providers, services firms, and manufacturers.
Extensive experience in the security field performing assessments, policy development, architecture design, and
product implementations. Also has experience as a product manager for Bluefire Security Technologies.
Primary Distinctions: Respected speaker on enterprise security topics and Certified Information Systems Security
Professional. Named inventor of several patents: "Apparatus and Method for Providing Multi-level Security for
Communications among Computers and Terminals on a Network," "Using Trusted Associations to Establish Trust
in a Computer Network," "Apparatus and Method for Providing Network Security," and "Method for Establishing
Trust in a Computer Network via Association." Author of "Network Security: A Beginner's Guide, Security
Planning and Disaster Recovery," (with William Sieglein); and "Fundamentals of Network Security," all published
by Osborne/McGraw-Hill.