Thursday, July 13, 2017

An Architecture for Creating an Ultra-secure Network and Datastore

The Problem
According to United States records, from 2006 to 2016 cyber attacks (crimes, intelligence gathering, and warfare) went up 1300 percent.  Other reports cited in Forbes Magazine indicate that between 2015 and 2016 there was a 200 to 450 percent increase in attacks.  I suspect, though, that these numbers vastly underestimate the total number of attacks.  I know that in the late 1980s one company was averaging 10,000 attacks per day on its website and access points to the Internet, of which 4000 originated in Russia (then the USSR), China, North Korea, and the like.
Attacks have two possible goals: to disrupt the entire IT infrastructure, or to gather or change protected data for various nefarious purposes.  There is a multiplicity of reasons for these attacks: monetary gain, political change, and so on; the “so on” is too long to enumerate.

The cost for preventing and mitigating the effects of these attacks has spawned a new multi-billion dollar industry.  Consequently, the need is for an entirely new system (network and datastore) that completely defeats all attack vectors.  That is what I’m proposing here.

The Solution: A Disruptive Architecture, The Once and Future System

The Goal

The goal of the architecture presented here is to define a highly secure system for the transmission and storage of data.

The architecture is for a fundamentally different “new” network and datastore.  I put “new” in quotes because I based the architecture on a number of concepts and standards from the late 1970s to the mid-1990s.  For reasons of economics and business politics these concepts and standards were abandoned.  When I submitted the architecture for a patent, I was told that, even though it uses the old concepts and standards in a new way, it is unpatentable because it is based on well-known concepts and standards.

Consequently, I’m presenting it in this post in the hope that someone will take a serious look at it and communicate with me, so that I can present the details and we can build a secure network and datastore.

The Architecture

My fundamental idea is to create a separate “data only” network and datastore.  Having a worldwide network for the storage and transmission of data, separate from the Internet “of everything”, may initially seem a ludicrous idea to those looking at the “short-term” costs for an organization; but what would the cost of having its data stolen, corrupted, or destroyed be for that organization?  And remember that there are initial and recurring costs for data security on a cloud or across the Internet.

This new architecture has five components.  One of them has evolved over the past twenty years.  One of them was declared obsolete thirty years ago.  One of them is based on petrified standards of the 1980s.  And one uses a new twist on current hardware and software.  The fifth is a particular form of governance.

New User Interface Security

The base technology of the new user interface has been evolving over the past twenty years at least.  It is a combination of three functional technologies.  The first is biometric recognition.  Any secure system requires some form of authentication: proof that you are who you say you are.  Various forms of biometric authentication (facial recognition, fingerprint identification, retinal pattern recognition, and so on) are currently the forms of identification least likely to be broken by cyber attacks.

The second security technology is a version of the smartcard.  These are credit-card-like cards with an embedded data-storage computer chip.  Under this new function the card reader would communicate the location, time of day, and date, whereupon the card would generate a pass code based on those parameters.

At the same time the reader would generate a pass code based on the same parameters.  The system would accept the identification if and only if the two codes matched.  Since any secure system requires at least two-factor authentication, a user would need both the smart card (which additionally could store the biometric data) and their own body.
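The card-and-reader pass code exchange described above, as an added example in Python (not from the original post or the patent filing). It assumes a per-card secret shared between the card and the reader backend and a 30-second time step, neither of which the post specifies; the secret matters because a code derived only from the public parameters (location, date, time) could be computed by anyone who knows them.

```python
import hashlib
import hmac
import struct

# Constructed per-card secret, provisioned into both the card and the reader
# backend at enrolment. The post does not say how the pass code is derived;
# keying it with a shared secret is this example's assumption, because a code
# computed only from location, date and time could be produced by anyone who
# knows those public values.
SHARED_SECRET = b"constructed-per-card-secret-0123456789"
STEP_SECONDS = 30      # assumption: the code rolls over every 30 seconds
CODE_DIGITS = 8

def pass_code(secret: bytes, location_id: str, epoch_seconds: int) -> str:
    """Code derived from the reader's location and the current 30 s time step
    (the epoch timestamp carries both date and time of day). The card and the
    reader each run this same function on the parameters the reader sent."""
    step = epoch_seconds // STEP_SECONDS
    msg = location_id.encode("utf-8") + b"\x00" + struct.pack(">Q", step)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation: a 31-bit value taken at an offset chosen
    # by the digest's last nibble, reduced to CODE_DIGITS decimal digits
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)

def reader_verifies(secret: bytes, location_id: str, now: int,
                    presented: str, skew_steps: int = 1) -> bool:
    """Reader side: recompute for the current step and its neighbours (clock
    drift between card and reader) and compare in constant time. A code made
    for another reader location, or one replayed after the window has passed,
    fails the check."""
    if len(presented) != CODE_DIGITS or not presented.isdigit():
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = pass_code(secret, location_id, now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, presented):
            return True
    return False
```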

Finally, authorization and access control are both static for a given user interface to the system.  This means that the user of a given device (be it a terminal, PC, smart phone, etc.) can only gain access to the set of data, records, or summaries to which they are entitled.

So a contract specialist has no access, or only limited access, to the engineering data for the contract.  If the contract specialist attempted to sign on to another device for which he was not preapproved, he could not get to the data to which he is entitled.  The reason is that an individual must be preapproved for every terminal the individual wants to use.

Or a doctor may not see a patient’s complete medical history without the patient’s permission. This would be a two step process.  The doctor would have to sign in on his or her device using the two-factor authentication, described above.  Then the patient would have to sign on to the same device using the same two-factor authentication to give the doctor permission to access his or her medical record.

The security meta-data and parameters are stored on the ultra-secure data network (USDN).  Any updates or changes must be made and approved through the system’s security governance function.  No dynamic changes can be made until the changes are approved.  In a political/cultural context, this governance process will be the most difficult to secure since users expect changes to be made “NOW” and the process doesn’t allow “NOW” to happen.

The Bridge

The second architectural component is the bridge from the Internet to the USDN.  This is really the key component securing the USDN from attacks.  And this is the component that was declared obsolete thirty years ago.  In the early 1980s there were many proprietary data networks.  To communicate data from one network to another required a network bridge.

The following diagram is from the patent that I applied for.  It shows an example of how changing the protocol layers or stacks creates a portcullis in the bridge that provides the ultra-security.  On the left side of the bridge are the standard Internet protocols.  Other than the top layer (called the Application Layer in the OSI model) and the bottom layer (the Physical Layer in the OSI model), all layers link and guide the communications between the sender and receiver.

Notice that the functional protocols on each side of the bridge, with the exception of the physical layer, are different.  On the left side all protocols are current Internet standards.  However, on the right side the bridge uses protocols from the Open Systems Interconnection (OSI) suite.  These protocols were abandoned in the 1990s in favor of the earlier TCP/IP suite, which at the time was less expensive and much less capable.  [Sidebar: “The first example of a superior principle is always less capable than a mature example of an inferior principle”.]

What this means is that the entire USDN will use these OSI protocols.  Any cyber attack software developed for Internet protocols would have to be redesigned for the OSI protocols.

Even if the hackers of whatever stripe did develop software capable of exploiting vulnerabilities in the OSI protocol stack they would still need to get it onto the network.  But the design of the bridge includes a portcullis in the middle of the bridge.

This portcullis is designed to allow only data and records in well defined formats to pass.  This means that no documents can move across the bridge.  In this case “documents” includes e-mail, documents, unformatted text, files, or other unformatted data.

This stringent requirement eliminates nearly every attack vector used by hackers.  For example, there is no way that a Trojan horse attachment can get into the system, because no e-mail, let alone e-mail with attachments, is allowed across the bridge.

As shown in the diagram, only data in specific and static XML formats is allowed to move through the portcullis.  The XML data structures are installed in the portcullis only after approval using one of the governance processes.

So, for example, medical data would use an XML version of the international medical standards, engineering data would use an XML version of STEP, and so on.  Only data exactly following those standards, and only data to which the user is entitled, would get through the portcullis.  This would initially require a very large overburden of meta-security and access control data about all individuals.
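A minimal portcullis filter of the kind described in the preceding paragraphs, as an added example in Python (not code from the original post): it admits a message only when it matches an installed, static XML structure exactly and refuses everything else (free text, attributes, unknown elements, DTD or entity declarations, oversized messages). The schema, element names and size limits are constructed for this illustration, not taken from any medical or STEP standard.

```python
import xml.etree.ElementTree as ET

# Constructed approved schema: the elements a record may contain, their permitted
# children, and whether each may carry text. Names are invented for the example.
APPROVED_SCHEMAS = {
    "PatientRecord": {
        "PatientRecord": {"children": {"PatientId", "Observation"}, "text": False},
        "PatientId": {"children": set(), "text": True},
        "Observation": {"children": {"Code", "Value"}, "text": False},
        "Code": {"children": set(), "text": True},
        "Value": {"children": set(), "text": True},
    },
}
MAX_RECORD_BYTES = 64 * 1024   # assumption: records are small; documents are not
MAX_TEXT_CHARS = 256

def _check(elem, schema):
    """Return None if elem and its subtree fit the schema, else the reason."""
    rule = schema.get(elem.tag)
    if rule is None:
        return f"<{elem.tag}> is not in the approved schema"
    if elem.attrib:
        return f"attributes are not permitted on <{elem.tag}>"
    text = (elem.text or "").strip()
    # free text where none is allowed, oversized text, or stray text after the tag
    if (text and not rule["text"]) or len(text) > MAX_TEXT_CHARS or (elem.tail or "").strip():
        return f"free, oversized or stray text at <{elem.tag}>"
    for child in elem:
        if child.tag not in rule["children"]:
            return f"<{child.tag}> is not permitted inside <{elem.tag}>"
        reason = _check(child, schema)
        if reason:
            return reason
    return None

def portcullis(raw: bytes) -> tuple:
    """(True, root_element) if raw is exactly an approved record, else (False, reason)."""
    if len(raw) > MAX_RECORD_BYTES:
        return False, "record exceeds the size limit"
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return False, "DTD and entity declarations are not permitted"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as err:
        return False, f"not well-formed XML: {err}"
    schema = APPROVED_SCHEMAS.get(root.tag)
    if schema is None:
        return False, f"no approved schema for root <{root.tag}>"
    reason = _check(root, schema)
    return (False, reason) if reason else (True, root)
```

The rejection reason is returned rather than discarded so that the bridge can log every refused message for the governance function to review.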

The Network

The third architectural component is the network.  The network is based on petrified standards of the 1980s.  Inside the portcullis-bridge data would be free to move among the various nodes of the network using the same OSI protocol stack that is used on the right side of the portcullis-bridge shown in the diagram.

Additionally, it would use improved versions of the Directory Service (X.500) standard.  This would include using static routing meta-data (which many network analysts would say is not an improvement).  However, static routing meta-data means that if an unauthorized node magically appeared on the USDN (because some hacker tapped one of the USDN lines) the node would be recognized as a threat immediately.  Consequently, any attempt to breach the security imposed by the portcullis-bridge by directly attacking the network would fail, as long as good governance is in place.

Datastores

The last technical function is data storage.  This datastore function uses a new twist on current hardware and software design for the storage of data and information.  The twist is that only specific data and records are stored, not files from outside the network.

An organization using a USDN-like system would have its data file structures created by authorized personnel inside the USDN.  These file structures would follow the various authorized XML data structures.  No freeform data like e-mail or documents would be allowed.  [Sidebar: remember, it’s much, much simpler to create documents from data than to glean data from documents.]

The only applications that are authorized to run on the USDN and its datastore computers are those that create, read, update, or delete records or data elements.  Reading data would include reading for transfer, and for summarization. 

For example, suppose the medical profession of a state or of the United States adopts the USDN to protect patients’ medical records.  A medical researcher may be granted access to summaries of certain data elements of the records of patients who have a particular medical problem.  This access would be granted through an approval process—part of governance—prior to obtaining the summaries.

The advantage is that the medical researcher has access to a complete set of data for the population of an area.  The downside for the researcher is that they need to have a well formulated and defensible hypothesis to work from, in order to obtain the data, and that the governance processes take time.

Governance

The governance function of the system’s architecture is the most critically important of the five because it is the only one where humans are involved—big time.  As discussed above, there are many security functions that are static and require administrative processes to change the parameters and meta-data.  While I expect that actually changing the meta-data and parameters will be automated, the various decision-making processes will not be.

One obvious example is in banking.  Some financial data must be kept secure within a financial institution and shared only with the client.  Other data, in the form of transactions, must be shared between and among banks and other financial institutions.

The USDN security meta-data would determine whether data could be sent to another financial organization, what data could be sent, and other characteristics of the transaction.  The transfer would take place within the USDN and not across any portion of the Internet.  The data can then be retrieved by the destination organization.

For example, if all defense contractors were on the USDN, then when teams formed to respond to a DoD Request For Proposal (RFP), the various teams of contractors and subcontractors could share requirements and other data within their team.  When the DoD chose the winning team, program/project, risk, and design data could be shared within the team and with the customer without fear of a cyber attack on one of the subcontractors leading to the capture or corruption of program- or mission-critical data.  [Sidebar: frequently a third- or fourth-tier subcontractor has more vulnerabilities than the prime contractor.]

Issues

Again, “The first instance of a superior principle is always inferior to a mature example of an inferior principle.”

There are three issues with the creation of such a system.

The first is cost; creating an entire nationwide or worldwide network is very expensive in the startup phase.  Creating (or really resurrecting, in many cases) software to support the functions of the USDN will be very expensive.  There is the cost of implementing software services to interface with existing organizational applications.  Acquiring the physical cabling for the system will be expensive.

Modifying routers to use the new protocols will be expensive. Designing, constructing, and testing the new portcullis-bridge will be very expensive.  Most of this investment will need to be done before one data element is protected.

The cost is more than a straight financial issue of building the system.  It will threaten much of the multi-billion dollar cyber security industry’s income stream.  This industry will market and lobby against building out the system.

The second issue may be used by that industry as an argument against the USDN.  The issue is that the system only protects data and not other types of information like e-mail and documents.  This is true.  However, the core of any organization is its data.  Documents can be easily constructed from data, but not the other way around.

The third issue, at least initially, is the response time of the system.  Currently applications and users have come to expect nanosecond response times to dynamic requests.  Initially, at least, I predict that the response time to requests will be measured in seconds, maybe many.  I saw this with Microsoft DOS—until version 3.1 it was bad—and with other products from Microsoft, Apple, and Oracle [Sidebar: I worked with Oracle 4.1], and many other hardware and software products.  So it will be a rocky start, but ultimately it will cost much less than the recover, rebuild, patch, upgrade, and get-hacked-again systems of today.

Summary

While the USDN does not protect an organization from cyber attacks, it does make an organization’s mission-critical data nearly invulnerable.  An organization will be able to recover from an attack, and it will be nearly impossible for terrorists, cyber criminals, etc. to get at the personal data or mission-critical data it protects.

For anyone who is interested, please comment on this post.  I have much more knowledge of the processes, technology, and construction process involved than I can put in a post, but would be happy to discuss it.
