Computer Security Breaches Are Preventable
Security system breaches resulting in exposure of large quantities of sensitive information have become increasingly common. As data-hungry enterprises aggregate larger and larger caches of sensitive information, the damage from the inevitable breaches becomes more significant and far-reaching. Is there something fundamentally wrong with the design of our security systems? Can these risks be mitigated?
Nearly all computer systems housing sensitive information use a perimeter security model. They attempt to enforce controlled access to a virtual enclosure in which the sensitive information is stored. Once inside the enclosure, all the sensitive information is equally accessible. Of course, this creates a high-value target for hackers, making it worthwhile to invest significant resources in gaining access. The failure mode is catastrophic, exposing all of the sensitive information during a single successful attack.
Perimeter security operates like a bank vault. If the vault is breached, all of the secured content is subject to theft. However, there is another mechanism for securing individual caches of value. A lock-box or safety-deposit box provides independent secure storage for multiple tenants. Breaching one box does not provide access to any of the other boxes. Possession of a specific key allows access to a particular box. Depending on the design of the lock-box, deposit and withdrawal capabilities may depend on separate keys. In some cases, multiple keys may be required for specific kinds of access.
Capability Security
The capability security model works like a lock-box. Access to sensitive information can be partitioned so that each can be secured separately. Access can be granted for specific uses or specific time-frames. Access can be made revocable, with revocation rights held be a third party if desired.
With such fine-grained access control, there are no large caches of valuable information, so there is much less motivation to hack the system. Subverting the security system would require separate effort for each piece of information, greatly increasing the cost of making the attempt.
Capabilities make additional common usage patterns easy to implement. You can share your access to a resource (with restrictions and time-limits as needed), without allowing someone else to impersonate you. Derivative access rights can be tracked and audited, allowing assignment of responsibility for any particular action. Access can be further delegated to assistants and agents without requiring additional involvement from the original rights-holder.
These very useful interaction patterns are extremely difficult (or impossible) to implement in traditional systems. The usual work-around is to share identification credentials, giving access to far more information than would be needed to do the job, and seriously complicating accountability-tracking.
Summary
Large-scale computer security breaches are the inevitable result of perimeter-based access controls, like having one large vault for all the sensitive information in an enterprise. Capability-based access controls allow each piece of sensitive information to be individually secured, like a collection of lock-boxes.
Tags: authentication, authorization, capability, POLA, security
A real-world example. https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99