Integrity and the History of Data Security
From an academic perspective, security has historically been classified into three distinct tenets – confidentiality, integrity and availability (CIA). Ask security professionals to describe these components and you will receive a uniform response for confidentiality and availability, however integrity (what it means and how to address it) is much more abstract, and will typically generate a much wider variety of answers.
Figure 1: The Data Security CIA Triad
Thinking in terms of patient records then an availability attack would represent a denial of service attack, losing access to a patient’s online records, a confidentiality attack would represent the exfiltration of those records. An integrity attack however would represent a malicious manipulation of those records, either to cause harm, cover up negligence or conduct fraud such as backdating to ensure insurance coverage. It is important to note that the scope of integrity should not limited to just records. In reality the definition of integrity is much broader, encompassing systems, processes and operations.
We are now seeing data breaches health-care institutions with alarming regularity. It’s clear that existing perimeter and signature based security controls are simply not working effectively. The attacks led to a loss of confidential information, but importantly the attacks were initiated by malware that compromised the integrity of the systems it infected.
Put simply, the breaches were the result of an integrity attack. We believe that you cannot have confidentiality without integrity. Indeed confidentiality is what you get if your systems have integrity.
For the health-care domain we can also include medical devices as “systems”, whether MRI scanners or pacemakers they all consist of software and firmware components whose integrity is a paramount to the correct functioning of the device. An integrity guarantee here would mean proving the provenance and integrity of every software component all the way back to the manufacturers code base with end to end verification and legal recourse in the event those devices fail.
One of the major failings of the US health-care system is the lack of interoperability and it is almost universally seen as a major obstacle to effectively using and meeting the potential of health IT. Transferring data from one institution to another is expensive and standards are so loosely defined that they wind up becoming interoperability barriers instead of enablers. This is a process or supply chain problem and if you can guarantee the integrity of the process with end to end chain of custody for information you a very effective means of eliminating the hurdles to interoperability. It may have been be impossible for a bad actor to manipulate information to cover their tracks but if the integrity of the supply chain can be verified then those actions can be detected and importantly, the who, what and how can be verified without the need for lengthy and uncertain forensic investigations.
The actions of Edward Snowden were an operational integrity problem as he operated outside of the rules of the system he was tasked to administer. Today Medicare fraud through improper payment is estimated at 50 billion dollars per year. This is an enormous sum and a significant percentage of which could be reduced if there was a means to verify the integrity, provenance and history of the documents being used to create those fraudulent claims. Phantom billing, kickbacks and unbundling are all examples of a breach of operational integrity which have been effectively eliminated in Estonia through end to end verification of operational integrity.In summary if we define integrity in a similar fashion to the human quality as “the absence of compromise” it becomes clear what its value is for the security of health care systems. If you can guarantee integrity then you can guarantee the absence of compromise, which leads to a very different security model.
Why Integrity has Historically been Forgotten
Despite its increasing importance integrity has largely been
overlooked from a security perspective and this is primarily for historical
Firstly - for the first years of the Internet, security was synonymous with confidentiality of data in motion, with the presumption that features such as access control and firewalls were more than adequate for protecting data at rest. This was a natural consequence of how organizations operated, as isolated networks that assumed a hardened perimeter, and securing ecommerce or information exchange necessitated the need for secure messaging.
However the advent of cloud computing, mobile networks, and the Internet of Things has severely challenged this approach, as well as an increasing awareness from diverse thought leaders across the security community, including researchers such as Bruce Schneier, NSA Director Admiral Michael S Rogers and Director of National Intelligence James Clapper, and there is now emerging consensus that in reality system integrity is the biggest threat in cyberspace, not confidentiality of data in motion.
As an example consider the relative importance of
confidentiality and integrity in the health care domain:
Figure 2: Integrity Breach vs Confidentiality Breach in Healthcare
Secondly - integrity was widely considered to be a ‘solved problem’ after the invention of Public Key Infrastructure (PKI). The impetus behind PKI was key-exchange across an insecure channel and it was quickly recognized that it could also be used for digital signatures and verifying integrity of system components.. Although cryptographers may consider it a solved problem in reality PKI has a number of hidden challenges that mean in practice it is far from ideal in addressing this use case. The complexity and cost of key management alone make it very challenging to implement correctly especially for long term data retention. Indeed Rob Joyce, head of the NSA Tailored Access Office, highlighted recently how the NSA approach network exploitation first by targeting the credentials of the system administrators. Once a credential has been compromised then an attacker will have unfettered access to the internals of a network, achieve persistence (by modifying firmware, key configuration parameters etc) which then leads to data exfiltration. PKI has other problems, not least of which are complexity, and then the reliance on trust anchors called Certificate Authorities (CAs), and we know from well publicized events that certificates can and have been exploited in the past, which brings the whole question of trust into focus.Using PKI as a Swiss army knife for both confidentiality and integrity is indicative of the lack of innovation around integrity technologies and until recently we simply have not found the right technology. An important insight as to why this approach fails is the observation that integrity and confidentiality are diametrically opposite problems. Consider for example a crime in the physical world: the more people who witness a crime the stronger the integrity of the evidence, yet the less confidential the evidence becomes. For integrity we want more witnesses, for confidentiality we want less.
Assumptions and Trust Anchors
Ask a security professional for what tools do they use to address the integrity of the systems they are tasked to protect and you will get a wide range of responses but typically include. “We have procedures in place operated by trusted insiders to ensure the proper handling of data”, or “We encrypt our data at rest and rely on key management operated by trusted administrators.“ etc.
As already indicated, this is a fallacy; encryption cannot solve the integrity problem – you simply cannot encrypt firmware, software or configuration files running on a machine, and rely on PKI to maintain state. Key management simply moves the trust anchor to a credential of the administrator of the keys, and we have to suspend healthy skepticism and trust certificates from an upstream CA. This points to the reason why modern security continues to fail at an epic scale; you cannot empirically verify trust.
“Any security technology whose effectiveness can't be empirically determined is indistinguishable from blind luck”
- Dan Geer, security researcher
Put another way when building security systems if you have an assumption that includes trust (in keys, in human administrators) then with sufficient time you will be compromised with probability 1.
This is the promise of blockchain for cybersecurity – if you
can eliminate the need for trust then you can build security systems that don’t
rely on a single authority and create a paradigm shift in security. Instead of
searching for vulnerabilities, equivalent to searching for a needle in a
haystack, you can have mathematical certainty for every digital asset that
constitutes the system you want to protect.
What is a Blockchain?
In a nutshell a blockchain is a distributed database, shared and maintained by multiple parties. Records can only be added to the database, never removed, with each new record cryptographically linked to all previous records in time.
New records can only be added based on synchronous agreement
or “distributed consensus” of the parties maintaining the database. By
cryptographically linking the records it is impossible for one party to
manipulate previous records without breaking the overall consistency of the
Figure 3: The Blockchain Fundamentals
Using the Blockchain as a Trust Anchor
There are two key steps in using a blockchain as a trust anchor for security: registration and verification.
- Registration. A system to be secured will comprise
multiple components: firmware, software,
configuration files, audit and event logs etc. Each component will have an
associated supply chain (i.e. a record of its history and provenance). As an example think about an medical device
such as an MRI scanner, where components in the device may come from a
different manufacturer and will have a history of revisions associated with it.
To register a component a manufacturer
will generate a fingerprint (or hash-value) of each component to be registered
and submit that fingerprint into the network of participants who will attempt
(using a process called ‘distributed consensus’) to simultaneously enter that
fingerprint into their local copies of the blockchain. Once registered, the manufacturer
will be returned a signature that cryptographically links the fingerprint of
the component to an entry in the blockchain.
- Verification. After a component has been registered and a signature generated, then at any point in the future the properties of the component (the time of registration, the integrity and the identity of the registering entity) can be quickly verified. To do this a verifier will regenerate a fingerprint of the component and use the signature as a cryptographic proof to confirm it matches the correct entry in the blockchain. An important and core value proposition of using a blockchain for integrity is that there are no keys to be compromised – the trust anchors in effect are a) the security of the algorithm that generates the fingerprint, as well as b) widely witnessed evidence (the blockchain).
Who do you Trust?
In mathematics, a proof is based on fundamental assumptions (or axioms). In security these assumptions are called trust anchors. So what are the assumptions behind any statement on security? For a CISO trying to protect an organization, whether a regional hospital or a Fortune 500 company there will be a long list of assumptions, almost certainly including the trustworthiness of the administrators of the system and the security of the keys that they manage.
Using a blockchain to verify integrity it is no longer necessary to maintain secrets or keys – verification is based only on publically available information. Contrast this with Public Key Infrastructure (PKI). In PKI the trust anchor is the security of the keys that must be managed by the signing entity, for the entire lifetime of the component. In some compliance regimes this means many years.
Experience tells us that key management is extremely hard to do well, and the major insight of blockchain-based security is that for integrity it is also completely unnecessary. Using the blockchain as a trust anchor makes evidence widely witnessed – anyone who has a copy of the blockchain can verify the absence of compromise without reliance on secrets, keys or administrator credentials.
Estonia – One Million Health Care Records on the Blockchain
In 2007 the Estonian Government was the victim of what is considered the first instance of a state-sponsored cyberattack that paralyzed the government for a period of days. There were many lessons learned from this attack not least of which is the importance of resiliency, the ability to recover, or roll back, to a known good state, and relying on secrets to guarantee that state is a dangerous strategy.
Under the auspices of the Estonian Government a team of scientists set out to build a security technology that could eliminate the need for trusted humans or insiders in this verification process. Today the technology they developed is known as a blockchain and is a core technology and underlying security substrate for government information systems. Every health-care record modification and access, every financial transaction and every security event in cyberspace is registered in the blockchain, producing a level of security, transparency and auditability which has never been possible before.
By deploying blockchain on a large scale the Estonian Government can ensure that every access to health-care records, every change in health-care records and the supply chain for digital data is verifiable using the blockchain guaranteeing system, process and operational integrity.
Although 100% crime prevention is impossible it is now possible to have 100% detection, accountability and auditability across highly complex systems. Where human motivation and behavior must to be verified in conjunction with effective security controls and integrity of systems and processes - think blockchain.
First published by eHealth Law & Policy