
86-10-10 End-User Computing Security Guidelines

Ron Hale

Payoff

Providing effective security in an end-user computing environment is a challenge. First, what is meant by security must be defined, and then the services that are required to meet management's expectations concerning security must be established. This article examines security within the context of an architecture based on quality.

Problems Addressed

This article examines security within the context of an architecture based on quality. To achieve quality, the elements of continuity, confidentiality, and integrity need to be provided. Confidentiality as it relates to quality can be defined as access control. It includes an process, authentication of users, a management capability, and auditability. This last element, auditability, extends beyond a traditional definition of the term to encompass the ability of management to detect unusual or unauthorized circumstances and actions and to trace events in an historical fashion. Integrity, another element of quality, involves the usual components of validity and accuracy but also includes individual accountability. All information system security implementations need to achieve these components of quality in some fashion. In distributed and end-user computing environments, however, they may be difficult to implement.

The Current Security Environment

As end-user computing systems have advanced, many of the security and management issues have been addressed. A central administration capability and an effective level of access authorization and authentication generally exist for current systems that are connected to networks. In prior architectures, the network was only a transport mechanism. In many of the systems that are being designed and implemented today, however, the network is the system and provides many of the security services that had been available on the mainframe. For example, many workstations now provide power-on ; storage capacity has expanded sufficiently so that workers are not required to maintain diskette files; and control over access to system functions and to is protected not only through physical means but also through logical security, encryption, and other techniques.

Architectural Approaches to Information Protection

Although tools are becoming available (e.g., from hardware providers, security product developers, and network vendors) that can be used to solve many of the confidentiality and integrity problems common in end-user computing, the approach to implementing security is often not as straightforward as is common in centralized processing environments. The goals of worker empowerment, increased functionality and utility, and the ability of end-users to control their environment must be guarded. In many organizations, end-users have the political strength and independence to resist security efforts that are seen as restrictive or costly. In addition, networks, remote access, distributed data servers, Internet tools, and the other components that have become part of the end-user environment have made security a difficult task. To address the complexity of end-user computing, an architectural approach is required. A security architecture is a way of designing and implementing security solutions so that control points are identified, the effectiveness of controls is ensured, and monitoring and reporting capabilities are provided. It also helps to ensure that an organization's security strategy and technical strategy are mutually supportive. The components of an information protection architecture include management, confidentiality and integrity controls, and continuity controls.

Management Structure

Perhaps the best and most expedient means of bringing security to the end-user platform is to develop an effective management structure.

Distributed Security Management

Because end-user computing is highly distributed, and because local personnel and managers are responsible for controlling the business environment where end-user solutions are implemented, it is appropriate that security and control responsibilities are also distributed. Centralized administration and management of security in a highly decentralized environment cannot work without a great deal of effort and a large staff. When authority for managing security is distributed within the organization, management can expect a higher degree of voluntary compliance, in particular where adherence to security policies and procedures is included in personnel evaluation criteria. If distributed security responsibility is properly implemented, ensuring that the goals of the security program are consistent with the requirements and goals of the business unit is more likely to be successful. Distributing security responsibilities may mean that traditional information protection roles need to be redefined. In many centralized security organizations, security specialists are responsible for implementing and managing access control. In a distributed end-user environment, this is not practical. There are too many systems and users for the security organization to manage access control. Even with the availability of network and other security tools, it may not be appropriate for security personnel to be responsible for access administration. In many distributed environments where advanced networks have been implemented, access controls may best be managed by network administrators. In a similar manner, server security, security, and any other system security may best be managed by personnel responsible for that environment. With many technologies that are used in distributed and end-user computing environments, no special classes of administration are defined for security. Administrators have access to root or operate at the level with all rights and privileges. In such cases, it is not appropriate for security personnel to take an active role in managing access security. Their role should be more consultative in nature. They could also be involved with monitoring and risk management planning, which are potentially more beneficial to the organization and more in line with security management responsibilities.

Security Management Committee

Because security in end-user computing environments is distributive, greater acceptance of security policies and procedures can be expected if the organization as a whole is involved with defining the security environment. To achieve this, a security management committee can be created that represents some of the largest or most influential information technology users and technology groups. This committee, which reports to the security manager, should be responsible for recommending the security policy and for developing the procedures and standards that will be in force throughout the enterprise. Representation on the committee by the internal audit department is often beneficial, and their support and insight can be important in developing an effective security management structure. However, consideration must be given to the control responsibilities of audit and the need to separate their responsibility for monitoring compliance with controls and for developing controls as part of the security committee. In some enterprises, this is not a major issue because internal audit takes a more consultative position. If maintaining the independence of audit is important, then audit can participate as an observer.

Senior Executive Support

The internal audit department traditionally had an advantage over the security organization because of its reporting relationship. Internal auditors in most organizations report to senior executives, which enables them to discuss significant control concerns and to get management acceptance of actions that need to be taken to resolve issues. Security has traditionally reported to IS management and has not had the executive exposure unless there has been a security compromise or other incident. In a distributed environment, it may be beneficial to have the security department and the security management committee report to a senior executive who will be a champion and who has sufficient authority within the enterprise to promote information protection as an important and necessary part of managing the business. Such a reporting relationship will also remove security from the purely technical environment of information systems and place it in a more business-focused environment.

Policy and Strategy

The ability to communicate security strategy and requirements is essential in an end-user computing environment. This communication generally takes the form of enterprisewide policy statements and is supported by procedures, standards, and guidelines that can be targeted to specific business functions, technology platforms, or information sources.

The Information Protection Policy Statement

An information protection policy statement should define management expectations for information protection, the responsibilities of individuals and groups for protecting information, and the organizational structure that will assist management in implementing protection approaches that are consistent with the business strategy. Because the statement will be widely distributed and is meant to clearly communicate management's and users' responsibilities, it should not take the form of a legal document. The effectiveness of the information protection policy depends in large part on its effective communication.

Classification of Information

To protect information, users and managers need to have a consistent definition of what information is important and what protective measures are appropriate. In any organization, local management will be inclined to feel that their information is more sensitive and critical than other information within the organization. From an organizational standpoint, this may not be the case. To ensure that the organization protects only to the appropriate level the information that has the highest value or is the most sensitive, a classification method must be in place. In the mainframe environment, all information was protected essentially to the same level by default. In a distributed and end-user computing environment, such levels of protection are not practical and represent a significant cost in terms of organizational efficiency. The information protection policy should clearly identify the criteria that should be used in classification, the labels that are to be used to communicate classification decisions, and the nature of controls that are appropriate for each class of information. Classifying information is a difficult task. There is a tendency to view variations in the nature of information or in its use as separate information classes. However, the fewer the classes of information that an enterprise defines, the easier it is to classify the information and to understand what needs to be done to protect it. In many organizations, information is classified only according to its sensitivity and criticality. Classes of sensitivity can be highly sensitive, sensitive, proprietary, and public. Classes of criticality can be defined in terms of the period within which information needs to be made available following a business disruption.

Monitoring and Control

A method of monitoring the control system and correcting disruptive variances must be established. Such monitoring can include traditional audit and system reports, but because the system is distributed and addresses all information, total reliance on traditional approaches may not be effective. In an end-user computing environment, relying on business management to call security personnel when they need help is unrealistic. Security needs to be proactive. By periodically meeting with business managers or their representatives and discussing their security issues and concerns, security personnel can determine the difficulties that are being experienced and can detect changes in risk due to new technology, the application of technology, or business processes. By increasing dialogue and promoting the awareness that security wants to improve performance, not to block progress, these meetings can help ensure that business management will seek security assistance when a problem arises.

Standards, Procedures, and Guidelines

The other elements of effective management—standards, procedures, and guidelines—define in terms of technology and business processes precisely how controls are to be implemented. Standards could be developed for documenting end-user applications and spreadsheets, access controls and access paths, system implementation and design specifications, and other elements that need to be consistent across an enterprise. Procedures define how something is done, such as testing applications, managing change in end-user environments, and gaining approval for access to information and systems. Guidelines provide a suggested approach to security when differences in organizations make consistency difficult or when local processes need to be defined. Policies, procedures, standards, and guidelines are each a significant component in the information protection architecture.

Confidentiality and Integrity Controls

Confidentiality and integrity controls are intended to operate on physical, logical, and procedural levels. Because end-user computing is primarily business and user focused, security solutions need to be tightly integrated into the way the business is managed and how work is done.

Physical Controls

In early end-user computing solutions, physical security was the only available control to ensure the protection of the hardware, , and information. This control helped to ensure the availability of the system as well as to prevent unauthorized access to information and functions. With the spread of distributed computing and local networks, physical controls still maintain a certain significance. Devices such as data, application, and security servers need to be protected from unauthorized access; and continuity of service needs to be ensured. For example, the integrity of the system must be protected in cases where local users have been given access to servers and have installed programs or made modifications that resulted in service interruptions. Contract maintenance personnel should be prevented from running diagnostics or performing other procedures unless they are escorted and supervised. System code should be protected from unauthorized modifications. Vendor personnel should be monitored to ensure that any modifications or diagnostic routines will not compromise system integrity or provide unknown or unauthorized access paths. The network represents a critical element of end-user computing solutions. Network devices, including the transmission path, need to be protected from unauthorized access. Protection of the path is important to ensure the continuity of network traffic and to prevent unauthorized monitoring of the traffic. Lastly, media used with end-user systems need to be protected. As with mainframe systems, files on user workstations and servers need to be backed up regularly. Backup copies need to be taken off-site to ensure that they will be available in the event of a disaster. During transit and in storage, media need to be protected from unauthorized access or modification. Media that are used with the local workstation may also need to be protected. Users may produce magnetic output to store intermediate work products, to provide local backup of strategic files, or to take home to work with. These media, and all media associated with end-user systems, need to be protected to the highest level of classification of the information contained therein.

System Controls

System security in end-user computing solutions is as significant as mainframe security is in centralized architectures. The difference lies in the tools and techniques that are available in the distributed world, which are often not as all-encompassing or as effective as are mainframe tools, and in the types of vulnerabilities. Security Tools. In the mainframe world, one tool can be used to identify and to protect all data as well as system resources. For each device in the distributed environment, there may be an associated internal security capability and tool. Tools are often not consistent across platforms and are not complementary. They do not allow for a single point of administration and provide little efficiency from an enterprise standpoint. To gain this efficiency, additional security products need to be installed. Even when a multiplicity of security tools is used, a decision needs to be made about where to place the locus of control. In some central management solutions, the mainframe becomes the center of access control and authentication. However, this may not be appropriate in organizations that have made the decision to move away from mainframe solutions. Distributed security management solutions may be practical for some of the many systems used in an environment, but may not address security in all environments. Another approach to implementing a consistent access control system across all environments is to use tools such as Kerberos. Because considerable effort may be required to link existing mainframe applications and users with end users, such an approach requires a strong commitment from the organization. Security Vulnerabilities. In some systems used to support end-user computing, problems in the design of the operating system or with the tools and functions that are bundled with the system have resulted in security vulnerabilities. For example, UNIX administrators have reported compromises of system integrity due to bugs in system software such as editors and main programs. These compromises have been well publicized and exploited by system crackers. The lack of experience in effective system management has introduced other vulnerabilities. Distributed, open systems may be easier to break because they are open. UNIX source code is available, and high schools and universities teach classes on how to work with UNIX. Persons intent on breaking UNIX systems have these systems available to practice on, the ready documentation to learn a great deal about the system, and a cracker underground that can mentor their activities and provide additional insights. MVS systems, on the contrary, are not open, available, or easy to break. Although UNIX is frequently pointed to as a security problem, similar vulnerabilities can be found in many systems typically used in the end-user or distributed system environment. The task of security then is to identify areas of risk or technical compromise and to find ways to mitigate the risk or to detect attempts to compromise the integrity of the system. The risk of outsiders penetrating system security should not be management's only concern. Insiders represent a substantial risk, because they not only have all of the knowledge that is available to the cracker community but also understand the security environment, have increased availability to systems, and have potentially more time to attempt to break the system. Thus, an internal compromise may be more significant than an attack from outside of the organization.

Data Base Controls

Access to the data base represents another area of risk in a distributed environment. In mainframe systems, access paths to data are limited, and the security system can be used to control both the data and the paths. In distributed and end-user systems, data can be distributed across an enterprise. In many instances, the path to the data is expected to be controlled through the application. However, users frequently are given other software tools that can provide access through an alternate, unprotected path. For example, user access to data may be defined within client software provided on their systems. Controls may be driven or table driven. At the same time, users may be provided with interactive Structured Query Language products that can be used to define SELECTS and other data base operations. If the data base is implemented on top of the system level, and if access is provided through a listener port that will acquiesce to any request, users may have the ability to access, modify, and write anything to the data base.

Network and Communications Controls

Access path controls also need to be implemented at the network level. In many environments, various access paths are used, each with different security characteristics and levels of control. One path may be intended for after-hours employee access. Another may be developed to provide system manager access for troubleshooting and testing. Vendors and support personnel may have an entirely different path. In addition, individual users may implement their own access path through internal modems using remote communication software such as PC Anywhere. Multiple and inconsistent paths can create an opportunity for system compromise. Some paths might not be effectively monitored, so if a compromise were to occur, security and system management might not be aware of the condition. Access Path Controls. To help ensure the integrity of the network, it is best to provide only limited access points. This helps both in detecting unauthorized access attempts and in correcting problems. Different levels of access may require different levels of security. Because system support personnel will be operating at the system level, they may require the use of one-time passwords. Individual users may be given multiple-use passwords if their access is not considered to be a significant security risk and if monitoring and detection controls are effective. Access Path Schematic. If multiple access paths are provided, the cost of security may not be consistent with the risks or the risks may not be effectively controlled to support business protection requirements. To identify where control reliance is placed and the consistency of controls across an environment, an access path schematic should be used. This schematic depicts users; the path that they take to system resources, including data; control points; and the extent of reliance on controls. Often, it shows control points where major reliance is placed or where the control is inappropriate and the level of reliance is inconsistent with the general security architecture. Some users (e.g., network support) may employ several diverse access paths, including dial-in access, Internet access, or private network access, depending on the type of maintenance or diagnostic activities that are required. For system and application access, reliance is placed at the control level on the use of shared identifiers and passwords. Routers that are accessed by network support may have two levels of access provided, one that permits modification of router tables and another that permits only read access to this information. This could represent a significant security vulnerability, in particular when certain routers are used as firewalls between the Internet and the internal network. External users are provided with dial-back access to the network. At each level of access through the application, they are required to enter individual user identifiers and passwords, user authentication is performed, and an access decision is made. This may be a burden for the users and could provide ineffective security, in particular when format and change interval requirements are not consistent. An excessive number of passwords, frequent changes, and a perception on the part of users that security is too restrictive may lead to writing passwords down, selecting trivial passwords, or using other measures that weaken the level of security.

Application and Process Controls

The last component of confidentiality and integrity controls is involved with applications and processes. Because end-user computing is generally highly integrated into the management of a business function, security solutions need to address not only the technology but also the process. Application development controls need to be consistent with the type and extent of development activity within the end-user area. At a minimum, spreadsheets and other business tools should be documented and the master preserved in a secure location. It may be appropriate to take master copies off-site to ensure their integrity and recovery. Work flow management software can be used to protect the integrity of processes. This software is generally a middleware system that allows management to develop rules that define what is expected or the limits imposed on a process as well as to create graphical images that define the process flow. For example, work flow rules can be developed that establish the organization's purchase authorization limits. If a purchase order exceeds the defined limit, the process flow will control what happens to the transaction and will automatically route it to the user with the appropriate signature authority. Through work flow management software, processes can be controlled, end-user solutions can be tightly integrated into business functions, and effective integrity controls can be ensured throughout the process.

Continuity Controls

Because much of the data and processing capability is distributed in end-user computing environments, continuity controls need to be distributed across an organization if systems are to be adequately protected. Centralized solutions for continuity may not be acceptable. Servers may be backed up by a centralized administration group, but this may not adequately protect work in progress or work that is completed on the user's workstation.
In some instances, network backup strategies have been developed to periodically back up the user's workstation. This can be a costly undertaking given the number of workstations and the size of local disk drives. However, with the availability of higher bandwidth networks, compression algorithms, and a strategy of periodically backing up only modified files, a centrally controlled process may be effective in such cases. In many organizations, the risk of business disruption is not in the mainframe environment but in the systems that have been distributed across an enterprise. End-user computing systems need to be considered when the recovery and continuity strategy for an enterprise, and in particular the business function, is developed. Plans need to be developed to address the criticality of end-user systems to each business function and to determine the best approach to recovering these systems as defined by their importance to the overall enterprise.
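The purchase-authorization work flow described under Application and Process Controls, as an added example that is not part of the original article: approvers with signature limits, automatic routing of an order to the lowest authority that can sign it, and an audit trail for every routing decision. The approver names, limits, the self-approval rule and the enterprise ceiling are assumptions made here.

```python
"""Rule-based routing for a purchase-order work flow.

Constructed example of the integrity control described in the article: each
approver holds a signature limit, an order is routed automatically to the
least senior person with sufficient authority, and every decision is written
to an audit trail so the process remains auditable. Approver names, limits,
the enterprise ceiling and the self-approval rule are all assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Approver:
    user_id: str
    signature_limit: float  # largest amount this person may authorize


@dataclass
class PurchaseOrder:
    po_id: str
    requester: str
    amount: float
    assigned_to: Optional[str] = None
    status: str = "new"
    audit_trail: list = field(default_factory=list)

    def log(self, event: str) -> None:
        # Every state change is timestamped so the trail can be reviewed later.
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_trail.append(f"{stamp} {self.po_id} {event}")


class WorkflowRouter:
    """Routes orders to the lowest level of authority that can sign them."""

    def __init__(self, approvers: list, max_limit: float) -> None:
        # Ascending sort so the first sufficient approver is the least senior.
        self._approvers = sorted(approvers, key=lambda a: a.signature_limit)
        self._max_limit = max_limit  # organization-wide ceiling (assumed)

    def route(self, po: PurchaseOrder) -> Optional[str]:
        if po.amount <= 0:
            po.status = "rejected"
            po.log("rejected: amount must be positive")
            return None
        if po.amount > self._max_limit:
            # Nobody may sign: hold the order rather than silently dropping it.
            po.status = "held"
            po.log(f"held: {po.amount:.2f} exceeds ceiling {self._max_limit:.2f}")
            return None
        for approver in self._approvers:
            # Assumed rule: a requester never signs their own order.
            if approver.user_id == po.requester:
                continue
            if approver.signature_limit >= po.amount:
                po.assigned_to = approver.user_id
                po.status = "awaiting_approval"
                po.log(f"routed to {approver.user_id} "
                       f"(limit {approver.signature_limit:.2f})")
                return approver.user_id
        po.status = "held"
        po.log("held: no eligible approver with sufficient authority")
        return None


# Constructed organization: three levels of purchase authorization.
APPROVERS = [
    Approver("alice", 5_000.00),
    Approver("bob", 25_000.00),
    Approver("carol", 100_000.00),
]
ROUTER = WorkflowRouter(APPROVERS, max_limit=100_000.00)


def route_order(po_id: str, requester: str, amount: float) -> PurchaseOrder:
    """Submit an order, route it, and return it with its audit trail."""
    po = PurchaseOrder(po_id, requester, amount)
    po.log(f"submitted by {requester} for {amount:.2f}")
    ROUTER.route(po)
    return po


if __name__ == "__main__":
    for order in (route_order("PO-1", "dave", 4_000),
                  route_order("PO-2", "alice", 3_000),
                  route_order("PO-3", "dave", 30_000),
                  route_order("PO-4", "dave", 250_000)):
        print(order.po_id, order.status, order.assigned_to)
        for line in order.audit_trail:
            print("   ", line)
```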

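The modified-files-only workstation backup described above, as an added example that is not part of the original article: a manifest records a content digest per file, each run copies only new or changed files, and a verify step re-digests the stored copies so that modification of the backup media is detected. The directory layout, manifest format and digest algorithm are assumptions made here.

```python
"""Modified-files-only backup of a workstation directory tree.

Constructed example of the strategy in the article: a manifest stores a
content digest for every file at the last run, and each run copies only
files that are new or whose digest changed. A verify step re-digests the
stored copies so alteration of the backup media is detected. Paths, the
manifest format and the digest algorithm are assumptions made here.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def digest(path: Path) -> str:
    """SHA-256 of file content; content, not mtime, decides 'modified'."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(backup_root: Path) -> dict:
    manifest = backup_root / MANIFEST_NAME
    return json.loads(manifest.read_text()) if manifest.exists() else {}


def incremental_backup(source: Path, backup_root: Path) -> dict:
    """Copy new/changed files into backup_root/data and rewrite the manifest."""
    backup_root.mkdir(parents=True, exist_ok=True)
    previous = load_manifest(backup_root)
    current, copied, unchanged = {}, [], []
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        current[rel] = digest(path)
        if previous.get(rel) == current[rel]:
            unchanged.append(rel)          # same content as last run: skip
            continue
        dest = backup_root / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)           # copy2 keeps timestamps for recovery
        copied.append(rel)
    # Files gone since the last run are reported, not deleted from the backup:
    # the backup set is a recovery point, so removal is a separate decision.
    removed = sorted(set(previous) - set(current))
    (backup_root / MANIFEST_NAME).write_text(
        json.dumps(current, indent=2, sort_keys=True))
    return {"copied": copied, "unchanged": unchanged, "removed": removed}


def verify_backup(backup_root: Path) -> list:
    """Relative paths whose stored copy is missing or no longer matches."""
    bad = []
    for rel, expected in load_manifest(backup_root).items():
        copy = backup_root / "data" / rel
        if not copy.exists() or digest(copy) != expected:
            bad.append(rel)
    return sorted(bad)


def demo() -> dict:
    """Constructed scenario: two runs with an edit and a new file in between,
    then a simulated alteration of one stored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "workstation", Path(tmp) / "backup"
        (src / "budgets").mkdir(parents=True)
        (src / "budgets" / "q1.xls").write_bytes(b"quarter one figures")
        (src / "memo.txt").write_text("draft memo")
        first = incremental_backup(src, dst)
        (src / "memo.txt").write_text("final memo")   # modified between runs
        (src / "notes.txt").write_text("new file")     # added between runs
        second = incremental_backup(src, dst)
        clean = verify_backup(dst)
        (dst / "data" / "memo.txt").write_text("altered in storage")
        return {"first": first, "second": second, "clean": clean,
                "tampered": verify_backup(dst)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```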
Recommended Action

End-user computing represents a significant departure from traditional data processing. It also represents a unique opportunity to integrate confidentiality, integrity, and continuity with business processes and with the use of information within business units. The following are the confidentiality, integrity, and continuity efforts that should be considered in the context of end-user computing.

• Establish an enterprisewide information protection policy. Because information and technology are distributed, responsibility for protecting information also needs to be distributed. A policy should define individual and organizational responsibility for protecting information, the classes of information that need to be protected, and the nature of the protection controls that are required. In addition, the policy should express management's concern for information protection and should provide the basic structure for achieving its goals.

• Develop a management structure for information protection. The role of traditional security organizations needs to change to support end-user computing environments. Security needs to be less involved with directly administering access control and more involved with designing controls. Protection management may need to be supported by an enterprisewide committee to represent technical groups as well as users' organizations. The security committee should be chaired by the security manager and should be responsible for managing changes to the protection policy and its implementation throughout the enterprise.

• Develop appropriate technical components. An appropriate technical architecture needs to be developed to support the distinct protection requirements of end-user computing. The use of new technologies, increased dependence on networks, easy access to data, and the challenge of protecting end-user-developed applications must be addressed. From a network standpoint, external access points need to be consolidated for better manageability and increased security control. Authentication and monitoring controls need to be implemented at the boundary point between the external and internal networks. Access paths to data need to be identified, and all access paths should be secured to the same level. Application development and change control processes need to be adjusted to reduce integrity and continuity risks. Within the end-user environment, security controls must be implemented to ensure that access is authorized, that users can be authenticated, and that responsibility for individual actions can be assigned. Auditability controls, to help ensure that unauthorized actions can be detected, also need to be in place. New software solutions, including workforce management middleware solutions, may be used to help ensure that sensitive business processes are effectively controlled.

• Provide an execution and feedback mechanism. The end-user computing environment is characterized by rapid and frequent change. The systems that users have available, the software that can be used, and the utilities that can be purchased change daily. To manage change and to provide consistency and control, a means needs to be developed to detect changes either in business processes or requirements or in the technology or its use within an enterprise. To be effective, confidentiality, integrity, and continuity need to be considered in advance of change and throughout the life cycle.

Author Biographies

Ron Hale

Ron Hale is a Senior Manager at Deloitte & Touche LLP in Chicago, Illinois.