Protection Posture Case Studies

The first step in providing protection is performing a protection posture assessment. Over the last several years, I have worked with a group of well-seasoned information protection specialists doing top-level qualitative analyses of the protection posture of many organizations. For this book, portions of several of these studies have been extracted and identities disguised to illuminate the topics discussed earlier.

How To Do A Protection Posture Assessment

Several people have asked how these studies can be done so that the same quality results can be attained with lower quality personnel. They ask for checklists and all sorts of other shortcuts, but in the end, this is just not how you do a really good protection posture assessment. That is not to say that you cannot do a lower quality assessment with things like checklists and, in fact, many companies offer such a service.

In response to one request, I prepared a draft document describing what it takes to do such an assessment. What follows is a variation on that document in which company-specific information and references to previous studies are removed. This discussion concentrates on studies for large organizations, but many of the points apply to all organizations. This discussion is also oriented toward a 30-day study addressing a situation in which losses could have high value. This seems to be the norm for this sort of study in a large organization. It should be helpful both to those readers who are interested in performing these sorts of studies for others and for those readers who are considering hiring someone to do such a study.


The information protection posture assessment requires a team of expert personnel with general knowledge and experience in a wide variety of areas, and special expertise in all of the aspects of information protection. Specifically:

Areas Covered

The areas covered (protection management, protection policy, standards and procedures, documentation, protection audit, technical safeguards, incident response, testing, physical protection, personnel issues, legal considerations, protection awareness, training and education, and organizational suitability) are detailed elsewhere in this book and I will not take the time to reiterate them here. It is important to have people who are well-versed in all of these areas because the language used by people in different corporate roles is quite different. In order to communicate effectively and be viewed as a professional, you must be able to switch languages while speaking to different people and understand the nuances of these different languages. For example, the term wire room means something very different to a facilities manager than to someone in charge of electronic funds transfers. Similarly, the abbreviations used are very different for different people with different backgrounds, so it is vital to have enough knowledge of these areas to be understood and understand properly.


The assessment process consists of the following steps:


This sort of assessment is designed to provide a very rapid, low-cost, top-level, qualitative assessment. For that reason, it depends on extremes in expertise. Some alternative approaches that are widely practiced in the industry include:

Selling (and Buying) a Posture Assessment

``Nothing happens till someone sells something,'' is a famous quote from a well-known expert on marketing. Unfortunately, selling a protection posture assessment has not historically been a very easy task. Some have equated it to pulling teeth, but I must have a better dentist or a higher threshold of pain than they have because selling a posture assessment has always been much more painful in my experience.

Political Documents

Despite their technical content and reasonable accuracy, all protection posture assessments are essentially political documents from the point of view of the customer. In particular, they are designed to address the specific desires of the client to make changes in their organization.

Why Organizations Don't Get Posture Assessments

Many people have legitimate concerns about information protection, but of those, very few do much about it. In some cases, the cost of an assessment prevents it from being done. In other cases, the person who wants the assessment done is not powerful enough to get it done without approvals that can never be attained.

Probably the dominant reason that such a study is a rarity is that the person in charge of information protection doesn't want to have a report hanging around that describes inadequacies. Here are just some of the reasons such a report may be seen as undesirable:

There is a fundamental issue in here somewhere. And I think the issue is that people in most organizations are punished for being less than perfect. This means that it is better for the individual to cover up possible problems than it is to expose them and correct them. But a study of protection, by definition, is designed to expose problems. Even worse, it costs money to have such a study done, so you are spending money and identifying shortcomings, the two worst things you can do as an individual in an unenlightened organization.

Why Organizations Do Get Assessments

Over the years, I have encountered five main exceptions to the rule of never buying trouble in the form of a protection posture assessment:

Case Study 1: A Ma and Pa Business

This information was extracted from a study done for a small restaurant corporation as a side effect of looking at other issues in their information technology area.

This situation is typical in that this business is not interested in keeping secrets, but they have a vital need for availability of information services and integrity in those services. They have a small network used in one location and they are considering using elements of the NII as a conduit for connecting a second location to their first location, but this is not emphasized in the particular report.

This study is also typical in that it is presented in the language used in the organization. For example, ``servers'' are the people that go out to the tables and ``the system'' consists of several PCs, a network, a file server, several printers in various locations, the point of sale terminals used by cashiers, and some office systems interconnected to the network. Many of the product names are known to those at this restaurant and several technologies are familiar to them, but in other areas, they know very little.

Executive Summary

Critical Repairs


  1. There must be a way to quickly and safely ``reset'' the system to allow it to start processing a new day's activities regardless of other circumstances. When an error in closing the last day's activity prevents the business from opening the next morning, there must be an easy way to restart operations. As an example, on the Sunday morning after Christmas (one of the busiest shopping days of the year), the system could not be used because the ``close'' from the previous day had failed.
  2. There appears to be a problem related to holidays that causes the system to fail when a day passes without the system being operated. This condition occurred on Thanksgiving and again on Christmas. This indicates that there may be many other date-related problems such as leap-year errors, leap-century problems (the year 2000 is a leap-century), and other similar problems. This is almost certainly related to design errors.
  3. There are cases where the user is told to not change anything and contact the vendor representative in the morning. A restaurant cannot be out of business until the next morning because of a software failure of this sort. The system should be able to log errors and attempt to restart by saving critical files in a backup area and restoring the system to a usable state.
  4. When components fail and those failures directly affect the moment-to-moment operation of the business, the system must adequately notify the affected users so as to cause them to act to repair these failures in a timely fashion. An example is the incident where the kitchen printer had an out-of-paper condition when it was not fully out of paper, and gave no other indication of the problem. For more than 10 minutes, the kitchen staff was unaware of many orders placed by the servers because the system did not notify either of the failure. Any and all known conditions of this sort must be addressed before the system will be suitable.
  5. Software errors in noncritical functions must not prevent other critical functions from operating. An example is the software-induced error that prevents users from using the order entry system. In this case, the limited keypad used by servers is not capable of entering the necessary keystrokes to clear the error condition (i.e., `y' in response to the DOS critical error handler to continue the batch file processing used for menu start-up). On a full keyboard, it is possible to clear the error condition and continue the order entry process, but the interaction of the limited keypad with the software's failure to properly handle the error condition causes the system to become unusable.
  6. Security is cumbersome and inadequate. Specifically, it is trivial for anyone with access to a standard keyboard to bypass all protection by interrupting the system start-up process. Thereafter, all information on the file server is open to arbitrary examination and/or modification. For example, a cashier with minimal DOS user experience could easily delete all business records without a trace and without recourse. This is particularly disturbing considering the extensive requirements for using passwords throughout the system and the ease of implementing stronger access controls through the network software. In light of the substantial protection capabilities provided by the LANtastic software used for networking in this environment, it would be an easy matter to implement controls limiting non-back-office users and computers from accessing those functions and files.
  7. Backup and recovery facilities are nonexistent. In an environment such as this, a single disk failure (typical mean time to failure is only 2 operating years) will cause the entire business to stop operating and may result in total loss of all historical data other than that printed out in daily reports. The software vendor apparently didn't specify or provide for this requirement. This is clearly an accident waiting to happen.
  8. All data collected and stored by the system should be made available for use by outside analysis programs in DBase compatible form to allow further analysis via programmed means. This is critical to using the business information now being gathered by the system in ways not anticipated by the existing product.
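As an added example that is not part of the report or of the vendor's software, the following Python start-of-day routine shows the behaviour repairs 1 through 3 (and the backup concern in repair 7) call for: a safe reset that opens a new business day even when the previous close failed, tolerance of days on which the system was never operated, error logging, and a copy of critical files into a backup area before anything is touched. The file names, the state-file format and the sample dates are assumptions constructed for this example.

```python
"""Start-of-day recovery for a point-of-sale data store (illustrative example)."""
import json
import logging
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

log = logging.getLogger("pos.startofday")

# Assumed names for this example; the report does not name the product's files.
STATE_FILE = "state.json"
CRITICAL_FILES = ("state.json", "checks.dat", "sales.dat")


def skipped_days(last_day: str, today: str) -> list[str]:
    """Calendar days strictly between the last business day and today, as ISO dates.

    datetime handles month ends and leap years (2000 included), so a day on which
    the system was never started (Thanksgiving, Christmas) is simply a skipped
    date to be logged, not a failure condition.
    """
    start, end = date.fromisoformat(last_day), date.fromisoformat(today)
    gap = (end - start).days
    return [(start + timedelta(days=i)).isoformat() for i in range(1, gap)]


def backup_critical_files(data_dir: Path, backup_root: Path, tag: str) -> Path:
    """Copy every critical file into a backup area named by `tag` before the
    state is modified, so a failed reset can never lose historical data."""
    dest = backup_root / tag
    dest.mkdir(parents=True, exist_ok=True)
    for name in CRITICAL_FILES:
        src = data_dir / name
        if src.exists():
            shutil.copy2(src, dest / name)
    return dest


def start_of_day(data_dir: Path, backup_root: Path, today: str) -> dict:
    """Bring the system to a usable state for `today`, whatever happened yesterday.

    Never raises for a failed close or a skipped day; returns a summary dict.
    """
    state_path = data_dir / STATE_FILE
    if state_path.exists():
        state = json.loads(state_path.read_text())
    else:  # first ever start: nothing to recover
        state = {"business_day": None, "closed": True, "pending_close": []}
    last = state["business_day"]

    if last == today:
        return {"action": "already_open", "skipped": [], "pending_close": state["pending_close"]}
    if last is not None and last > today:  # ISO date strings compare chronologically
        log.error("clock moved backwards: state says %s, today is %s", last, today)
        return {"action": "clock_error", "skipped": [], "pending_close": state["pending_close"]}

    backup_critical_files(data_dir, backup_root, f"startofday-{today}")

    if last is not None and not state["closed"]:
        # The previous close failed. Do not block the new day: park the unclosed
        # day for the back office to finish later and log it so someone is told.
        log.error("close of %s did not complete; deferring it and opening %s", last, today)
        state["pending_close"].append(last)

    skipped = skipped_days(last, today) if last else []
    for day in skipped:
        log.info("no activity recorded on %s (system not operated)", day)

    state.update({"business_day": today, "closed": False})
    state_path.write_text(json.dumps(state))
    return {"action": "opened", "skipped": skipped, "pending_close": state["pending_close"]}


def demo() -> dict:
    """Constructed scenario: the close on the 24th failed, the system was not
    started on Christmas Day, and the store tries to open on the 26th."""
    root = Path(tempfile.mkdtemp())
    data, backups = root / "data", root / "backups"
    data.mkdir()
    (data / "checks.dat").write_text("constructed sample data\n")
    (data / STATE_FILE).write_text(json.dumps(
        {"business_day": "2023-12-24", "closed": False, "pending_close": []}))
    result = start_of_day(data, backups, "2023-12-26")
    result["backup_has_checks"] = (backups / "startofday-2023-12-26" / "checks.dat").exists()
    result["reopen"] = start_of_day(data, backups, "2023-12-26")["action"]
    return result
```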

Hardware and Operations:

  1. Operation-critical floppy disk drives and keypads must not be left unprotected in areas where they are exposed to food, drinks, spillage, smoke, and other similar environmental factors. These disk drives will almost certainly fail in 3 to 6 months in the present environment unless steps are taken to protect them from environmental exposures. Since these are critical to operations, the problem should be addressed post-haste. The best solution may be the use of mechanical barriers for the disks and plastic covers for the keypads.
  2. The file server is currently in a very hazardous location and is in a high traffic area. It is not adequately protected from environmental factors and is particularly critical to operations. This machine should be moved to the office area immediately.
  3. The floppy disks used to bootstrap the computers are not write-protected. They should be.

Important Changes


  1. The software fails when a multitude of different menus are used in the course of a single user session. This causes the user to have to reboot the computer and test previous operations to assure that they were properly performed before continuing on. This sort of severe inconvenience should not be necessary at all, but in the worst case, should happen only in limited and well documented situations. Software interlocks should be provided to detect this condition before it happens and prevent it, even if in the process it requires the user to take remedial steps.
  2. The software-induced warning message that states that only one user may perform a particular function at a time, requires that the user determine that no other terminal is currently using these functions. The result of a problem in this area can apparently be severe and there is no reason not to provide proper software interlocks or capabilities for simultaneous access by authorized users. This is clearly a case of poor design that could be easily resolved in a well-designed system. It also adds stress to the users and eventually causes them to ignore the warning because of the high rate (nearly 100 percent) of false positives.
  3. Data is often lost when the system is used in a seemingly reasonable manner. For example, when two checks are combined, both are apparently lost. Many other examples are cited by those who have spent time using the system.
  4. The system seems unable to undo erroneous steps easily. The general lack of editing capability is a minor inconvenience in some cases. For example, a server has to finish a bill and remember any incorrect entries instead of continuously being in an edit mode. In other circumstances, it results in substantial inconvenience and eventually will result in substantial limits on system use. For example, when the number of employees reaches the maximum, you can never add another employee because old employees cannot be removed.
  5. Numerous bugs and unnotified dependencies prevent users from completing an operation which should not have been started without the appropriate preconditions existing. For example, you might enter a whole series of items before finding out that the entire process failed because some file that these operations depend on does not yet exist. The system should identify and, where possible, correct these conditions before permitting data entry to proceed.
  6. Inadequate notice on error conditions causes users to ``quest'' for the cause of a problem rather than being directed to it or, better yet, being allowed to resolve it and continue the interrupted process. For example, doing end-of-day summaries often yields an error if a customer check is not closed. The user then has to search through all servers to find the unclosed check, and even then, the reason it is not closed may not be obvious and may require further effort. Similarly, people cannot check out until they have satisfied the computer. The computer doesn't provide them with the ability to resolve problems as they prepare to leave, rather it requires them to figure out the source of a problem that the computer has already identified. If the computer can identify that there is a problem, it should be able to provide that information to the user so that, at a minimum, the user can resolve the problem. Ideally, the specific problem should be identified and its cure made directly available to the user attempting the operation.
  7. Error messages are often presented in cryptic form and, in some cases, leave users in a position where they can type commands into the Basic command interpreter while files are opened. This presents substantial risks to data integrity. Furthermore, users with limited data entry keypads cannot recover without rebooting the computer.
  8. Schedules don't provide information such as dates. Other reports are not easily reformatted by the user to suit specific reporting requirements of management. All functions that produce reports should be able to provide the same information in ``DBase''-compatible format so that external programs can be used to manipulate it.
  9. The networking package is unable to contend with momentary server failures and reboots. This, in turn, forces the users to reboot all of the workstations whenever the server has to be restarted. The workstations should be able to determine that this condition has taken place and automatically recover via periodic retries until successful.
  10. There should be a way to enter orders via item numbers rather than via menu selections so that servers can enter a series of numbers and produce a whole check without having to look at the screen to find items.


  1. A short-term power failure, power spike, or lightning strike could cause the entire network to become unusable for a substantial period of time, and the resulting data loss could be catastrophic. The use of an uninterruptable power supply is advised.

Aggravating Factors

  1. When examining information, the user is often returned to an unrelated on-line menu rather than a related one. For example, to look at current server activities requires repeated movement between three menus, when it could easily be made to return one menu level to allow the next person's information to be examined without the intervening steps. This seems to be common, in that you cannot reliably predict where you will end up when you finish an operation. This seems to stem from a lack of a well-designed system structure.
  2. Different menus and data entry types work differently. For example, passwords do not require an <enter> after entry but most other data does. Different menus appear differently, causing momentary confusion. This inconsistency again reflects a poor overall design strategy.
  3. There is no universal escape from an on-screen menu, so that in each menu, a different strategy must be used to leave. This makes it hard to undo an error and, in many cases, makes it hard to figure out what to do. The delays caused by this are expensive.

Long-term Limitations

  1. The underlying environment is not really suitable for a commercial product of this sort. Most critically, the use of Basic for implementing the system has resulted in very high error rates, poor design, inadequate structuring, terrible inconsistencies, and poor expansion of function. It is clear that the original design was augmented again and again to add new functions and features, and that in the process, a badly needed redesign was never done. It is unlikely that this problem can ever be resolved without a complete product redesign. For the foreseeable future, the problems encountered now will continue unabated. When combined with the selection of the networked DOS environment, this design decision caused the product to be more expensive, harder to maintain, and far less reliable than would be expected from a well-designed and well thought out implementation.
  2. Inconsistencies in design likely stemmed from the choice of Basic as the implementation language and the design process previously described. These inconsistencies lead inevitably to the ongoing stream of errors, the inconsistency in user interface, the many user inconveniences, the inability to unify protection decisions, the difficulty in handling error conditions, the inability to resolve problems when they are found, and many of the other problems identified in this report.
  3. The system is at or near its operational limits. For example, the vendor had problems adding drivers for a new printer. If they cannot add a new printer without problems, major problems are likely in adding interfaces and features. Anticipate problems with automated process control, new user interfaces, Lotus and DBase integration, new analysis and presentation methods, operation between multiple stores, and so on. It is unlikely that the system will be able to integrate well or adapt easily to these future events. Expect to have to replace the system in a few years unless a major redesign is done.

Case Study 2: A (Not-so) Small Business

This study was done for the information systems manager of a small manufacturing automation firm over a very short period of time. It represents a realistic view of the position of many small- to medium-sized companies today with respect to protection. The engineering orientation of this company places more emphasis on confidentiality than many other businesses.

Again, the language of the study is oriented toward the words and phrases used in this company. The study was done for the head of the Information Systems department and the entire firm is engineering-oriented. Little background is provided and many terms are used without explanation. The President of the company at the time this study was done had an engineering background and was familiar with these terms and phrases as well.

One of the important issues detected in this study was the changing nature of their dependency on different portions of their information technology. This sort of change often creeps up on companies, and before they know what happened, their environment has completely changed and their protection plans are no longer meaningful.


This report summarizes and comments on a brief review of information protection at ABCorp. The review was performed in the form of an interview with Mr. John Smith, the manager of information systems at ABCorp, and his chief system administrator. The review consisted of discussions of protection issues and a brief tour of facilities.

In addition to the normal business systems used by most modern corporations of substantial size, ABCorp survives as a company because it has unique information technologies and engineering expertise. To a large and increasing extent, it is information technology that differentiates ABCorp from its competitors. This is especially true in three areas:

At present, the information requirements of these engineering areas balance with or slightly exceed the more common information technology requirements of business and operations. It is highly likely that within the next 3 to 5 years, information technology requirements in the engineering areas will come to far outweigh other business requirements. Correspondingly, the financial values associated with the engineering applications of information systems at ABCorp will come to far exceed the values associated with other areas.

This shift from business applications of information technology to engineering applications is not uncommon and is not proceeding without pain. The increasing use of PCs in the engineering functions is only one example of this shift. Another example is the movement toward far more complex and integrated information systems performing control and analysis functions in products. While the problem of providing backups for PC-based engineering workstations is becoming somewhat of an inconvenience, there is currently little or no centralized control over systems used for complex applications and no central storage of software provided to customers. These problems will only get worse as this shift continues, and without a well thought out plan, it is likely that the situation will get out of control within 2 years.

This study is primarily concerned with assuring that the right information gets to the right place at the right time, taking into account accidental and intentional events that may tend to prevent this from happening. This concern is usually considered in terms of three components: confidentiality of information, integrity of information, and availability of services.

In the case of ABCorp, there are substantial lapses that affect all of these areas, and yet from an overall perspective, the information systems specialists seem to have things reasonably in control. To the extent that the specific findings outline inadequacies, it appears that the people in the information systems department are ready, willing, and able to make reasonable improvements within reasonable time and cost constraints. Unfortunately, the trend seems to be toward a loss of control in the areas where responsibility is poorly defined, and even more unfortunately, this is the engineering area that will soon come to dominate the information component of ABCorp as a business.

The most important finding of this short review is that top-level management must work with engineering and information systems management to arrive at a well-defined policy and plan for this shift in information technology emphasis and that these people must come to work together as a team to regain and maintain control over this vital and growing area of concern.


It is important to note that the vulnerabilities detected in this review are not particularly unusual, that the presence of vulnerabilities does not necessarily indicate the presence of attacks, that exposures resulting from vulnerabilities are not always exploited, and that not all vulnerabilities have to be addressed by technical defenses or at high cost. In many cases, awareness of a potential problem may be an adequate defense.

Policy

ABCorp has no written security policy that documents and describes responsibilities of personnel. This is a critical problem that must be corrected in order to address overall protection issues. Among other problems, there is no clear line of responsibility for the proliferating personal computers, and the lack of adequate long-range planning, if left uncorrected, may result in increased cost and ineffective protection as the client-server model of computing becomes more dominant in the ABCorp environment.


A substantial amount of effort will be required in order to address the protection problems outlined in the findings of this report. A reasonable estimate is that 3 person-months worth of effort over the next 6 months will be required by the current information systems manager and staff in order to make appropriate improvements to existing information protection, and that an ongoing effort of 1 to 2 person-weeks per quarter will be required in order to maintain the enhanced protection levels once they are attained. In addition, a budget of $5,000 to $10,000 may be required in order to purchase software enhancements to address specific concerns that affect current networked systems.

The long-term planning requirement is somewhat more difficult to define in terms of costs because proper long-term planning which incorporates protection may not cost more, but it will probably lead to different planning decisions that affect corporate operations over a long period of time. A key component will be the increased awareness of the value of information and the requirement for information protection as a part of the corporate culture at ABCorp.

The change in corporate culture is key for two reasons. The first reason is that it brings the subject into the foreground, which increases the exchange of information, affects how people react when they see things that they used to ignore, changes what people talk about at lunch, and so on. The second, and perhaps more important, reason is that, if properly done, the cultural change creates an environment where people are brought into the protection process rather than disenfranchised.


This cursory review of protection revealed some simple problems with simple and inexpensive solutions, some more complex problems that require ongoing attention by the information systems staff, and some corporate challenges that are important to the long-term well being of ABCorp.

Although a more thorough review may be appropriate at some future date, it is unlikely that such a review would be appropriate until information systems has time to address the issues pointed out in this study and management takes the time to consider and plan for the long-term implications of the changing information environment.

Case Study 3: A Big Business

It is nearly impossible to get permission to publish even disguised versions of studies done for a big business. Since this is infeasible, a pseudo-case study is used. This is done by taking several reports and combining them together, altering numbers to reflect similar deviations from average statistics, and then generating a report suitable for the case study. In other words, this report could come from any firm of a similar sort, but actually comes from no such firm. Any similarity between the people, places, or incidents in this case study and any actual people, places, or events, is purely coincidental.

In this study, language differences are even more stark. There is a very different language used in the executive summary than in the detailing of what their personnel told us, and a still different language is used in our findings. This is intentional.

Because this case study is quite extensive, only the executive summary is included here. The remainder of the study is included in Appendix B. It is well worth reviewing.

Executive Summary

We were asked to perform an initial protection assessment of XYZ Corporation. This assessment was accomplished by direct observation, interviews with key personnel, and comparison with comparable organizations.

Summary of Findings

XYZ Corporation is highly dependent on information, highly vulnerable to attack, and at great risk of substantial information protection-related losses. Furthermore, substantial losses have been sustained in the past year and ongoing losses are being sustained as of this writing.

XYZ Corporation's assets are at great risk and immediate action is required to address this situation. XYZ Corporation's current overall protection posture is inadequate as the following summary assessment details:


In order for the protection situation to be properly resolved, significant enhancements must be made to XYZ Corporation's information protection posture. We recommend that the following program be undertaken:


  1. Immediate controls are required to cover exposures currently being exploited and exposures with extreme potential for loss.
  2. Planning is required in order to institute a corporate information protection environment suitable to long-term protection of assets.
  3. After the first two phases are completed, a substantial set of technical, procedural, and personnel measures should be implemented to provide proper protection.
  4. After appropriate protective measures have been instituted, the third and ongoing phase of activity will begin. In this phase, protection will be maintained and updated to reflect changes in environment, technology, and organizational priorities.

Case Study 4: A Military System

This study analyzes protection for a military system that is currently being fielded. In order to understand the issues at play, it is important to understand that in military endeavors, the stakes are people's lives, and in extreme cases, the lives of nations. In a war, the enemy may send bullets, bombs, missiles, mortars, and/or martyrs in the normal course of events. When pressed, any biological, chemical, nuclear, or other sort of weapon might be used. In providing defenses, the military must also consider cost. For example, a system that will have a useful lifecycle of only 10 to 20 years (a long time by modern information system standards) may never see a substantial combat role. If it never encounters a nuclear threat, it is unlikely that the protection from electromagnetic pulses (EMP) will be significant. On the other hand, if everything is designed to ignore the nuclear threat just because it hasn't been used in 50 years, the entire force may be wiped out by a single nuclear device blown up 25 km above the battlefield.

When it comes to language, the military is in a world of its own. A multilevel secure (MLS) operating system may be used to implement a trusted Guard application which extracts Unclassified (U) information from a top secret (TS) database using government off-the-shelf (GOTS) hardware and commercial off-the-shelf (COTS) software. The military also has a myriad of standard operating procedures (SOPs) that specify everything from when Tempest (emanations) protection is required to how to do risk analysis. This particular system (called Alma in this book) is also required to connect to other military systems. In keeping with this long tradition, this report also makes up a series of words of its own to identify threats and countermeasures for the purposes of making charts and performing analysis.

This particular report was one small part of a larger report provided to the designers of Alma so that they could evaluate how to modify Alma for use in the field. It may be that in the fielded version, none of the identified protective measures are taken. For example, many of the threats considered in this write-up are threats not generally addressed by military protection systems, and Alma is competitive with other projects throughout the DoD. Since price is a critical issue in the military (after all, we can buy a lot of bullets for this much money), the designers of Alma may decide that providing this protection will price Alma in a range where other less able systems will be chosen instead. It may be a better strategy to simply provide Alma as is, wait until a hundred of them are fielded, and then tell all the users that additional precautions are appropriate.

Only the executive summary of this report is included here. Much of the rest of this report is included in Appendix B.

Introduction and Executive Summary:

We did an informal on-site review of the policies, procedures, and technical safeguards for Alma and identified the threats to which it is exposed. During that visit and since that time, protection techniques to cover those threats cost effectively have been considered. This introduction and executive summary outlines the methods applied, the overall concerns that remain, and the conclusions of this analysis. The second part of this study details the identified vulnerabilities, the available techniques that could be used to protect Alma, and the approximate costs associated with those protection techniques. The third part of this report details the method used to analyze Alma and the results of the analysis.


Alma is a prototype system being deployed. As a prototype, the system demonstrates proper functional capabilities and a reasonable degree of protection, but in a deployed situation, far more care and consideration is warranted in the information protection area. Specifically, the following problem areas were identified and should be addressed:


How Findings Were Analyzed

The findings were analyzed by creating and analyzing a covering chart which lists vulnerabilities along one dimension and the defenses that cover those vulnerabilities along the other. The cost of each defense is approximated, and an efficient search over all single covers (sets of defenses in which every vulnerability is covered at least once) is performed to find the least expensive cover. The result is provided below.

Because of the interdependence of protection techniques and their synergistic effects, this analysis was performed for each of two distinct architectures. One architecture considers the existing Alma environment with enhancements performed on a step-wise basis. The other architecture considers the effect of moving to a multilevel secure implementation wherein Alma internals are redesigned to provide for protection enhancements. These two alternatives were chosen because they represent two key alternatives for future Alma systems.

Inherent in this analysis is the assumption that several Alma systems are to be implemented. In the cost analysis, it is assumed that 50 Alma systems are to be deployed over time, and that factor is used to amortize initial costs as opposed to unit costs. If fewer systems are to be implemented, the tradeoffs favor less redesign effort, while for larger numbers of systems, redesign has less effect on overall costs. Effects of inflation and the time value of money were not computed in this analysis, but the results are sufficiently clear that this will not substantially alter the end result.
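The covering-chart search and the amortization of one-time costs over the deployed quantity, as an added example that is not part of the original study. The defenses, vulnerabilities, and dollar figures are constructed for illustration only; they are not the Alma figures, and the vulnerability and defense names are hypothetical.

```python
"""Covering-chart search for the cheapest set of defenses that covers every
listed vulnerability at least once, with each defense's one-time design cost
amortized over the number of systems to be deployed.

Added example; the defenses, vulnerabilities and dollar figures below are
constructed for illustration and are not the figures from the Alma study.
"""
from itertools import combinations

# Constructed chart: defense -> (vulnerabilities covered, one-time cost, per-system cost)
DEFENSES = {
    "tempest_shielding":        ({"emanations"},                         20_000,  6_000),
    "physical_security":        ({"emanations", "theft"},                     0, 12_000),
    "safe_storage":             ({"theft"},                                   0,  2_000),
    "mls_database":             ({"cross_level_leak", "redundant_entry"}, 150_000, 4_000),
    "external_guard":           ({"cross_level_leak"},                    30_000,  9_000),
    "manual_reentry_procedure": ({"redundant_entry"},                          0,  5_000),
    "redundant_lans":           ({"lan_outage"},                          10_000,  3_000),
}
VULNERABILITIES = {"emanations", "theft", "cross_level_leak", "redundant_entry", "lan_outage"}


def per_system_cost(name, quantity, defenses=DEFENSES):
    """Amortized cost of one defense per deployed system: unit cost plus the
    one-time cost spread over the planned quantity."""
    _, initial, unit = defenses[name]
    return unit + initial / quantity


def uncovered(chosen, defenses=DEFENSES, vulns=VULNERABILITIES):
    """Vulnerabilities that none of the chosen defenses covers."""
    covered = set()
    for name in chosen:
        covered |= defenses[name][0]
    return vulns - covered


def min_cost_cover(quantity, defenses=DEFENSES, vulns=VULNERABILITIES):
    """Exhaustive search over subsets of defenses (exponential in the number of
    defenses; fine for a chart of a few dozen entries, use branch-and-bound or
    an ILP solver beyond that). Returns (cost per system, frozenset of defenses).

    A vulnerability that no defense on the chart covers is a finding in its own
    right, so it is reported as an error rather than silently ignored.
    """
    missing = uncovered(list(defenses), defenses, vulns)
    if missing:
        raise ValueError("no defense on the chart covers: %s" % sorted(missing))
    names = sorted(defenses)
    best_cost, best_set = float("inf"), None
    for size in range(1, len(names) + 1):
        for chosen in combinations(names, size):
            cost = sum(per_system_cost(n, quantity, defenses) for n in chosen)
            if cost >= best_cost:      # cannot beat the current best; skip the cover check
                continue
            if not uncovered(chosen, defenses, vulns):
                best_cost, best_set = cost, frozenset(chosen)
    return best_cost, best_set


def cover_schedule(quantities, defenses=DEFENSES, vulns=VULNERABILITIES):
    """Best cover at each planned quantity, to show where the tradeoff flips
    from cheap-to-design defenses toward redesign with high one-time cost."""
    return {q: min_cost_cover(q, defenses, vulns) for q in quantities}


if __name__ == "__main__":
    for q, (cost, chosen) in cover_schedule([4, 20, 50]).items():
        print("quantity %3d: $%8.0f per system  %s" % (q, cost, sorted(chosen)))
```

With these constructed numbers the search picks the external guard plus a manual re-entry procedure at small quantities, and the MLS database redesign once its one-time cost is spread over enough systems, which is the shape of the tradeoff the text describes.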

The Two Architectures

The two architectures under consideration are pictured here:

An MLS Secure Alma Architecture

In the multilevel secure (MLS) version of Alma, a redesign centralizes all database access to the 3 redundant Alma database servers, thus eliminating a multiplicity of Oracle licenses and saving several thousand dollars per license eliminated. These servers run under multilevel security and have two partitioned databases, for secret and unclassified data respectively. The secret and unclassified sides of each MLS server are linked to 2 of the 3 redundant LANs at each of the two security levels, providing a secure and reliable bridge between the security levels without any additional hardware. An automated guard on the MLS systems automatically declassifies the appropriate portions of secret database transactions so that unclassified databases are automatically and rapidly updated, while unclassified entries are automatically available for secret access by the normal operation of the MLS system. Thus, all redundant data entry is eliminated and security becomes completely transparent to the Alma users. Physical security need only be applied to the secret side of this system and to the MLS systems containing the database, thus dramatically reducing the need for Tempest coverage and other expensive protection requirements for nodes processing only unclassified data.

A non-MLS Alma Architecture

In the non-MLS version of Alma, the basic Alma system is left running system high, and external devices and software are added to allow for declassification, incorporation of unclassified data, and so on. This has the advantage of requiring less effort in the redesign of Alma because only performance and stylistic changes are required, and the security enhancement of the database is easier. Database access is centralized so as to reduce Oracle license costs, but more systems are secured with physical protection. There is a single MLS system of smaller size and lower performance for the automated guard application, and unclassified Alma components are kept at system high. Similar reliability and redundancy are attained, and a lot of automated guard downgrading of information is used to reduce redundant data entry.

The basic difference in these architectures is the tradeoff between (1) the cost of physical security and custom protection implementations for the non-MLS version, and (2) the cost of designing to operate in an MLS environment and the added costs of MLS systems in the MLS design. Many components of this architecture can be changed without altering this basic difference, and these are not intended as final designs, but rather as the two most obvious alternatives from a cursory examination of the Alma design and function.

What the Analysis Showed

The following table summarizes the recommended protection and the approximate costs associated with implementing this protection. It should be noted that several of these recommendations are badly needed for the wide-scale deployment of Alma for reasons not solely related to security (e.g., reliability, reduced life-cycle costs, and so on).


At quantity 50, the cost difference between an unshielded non-MLS version of Alma and a shielded MLS version of Alma is only $3,000, which is far less than the added life-cycle cost of maintaining a system-high classified information processing environment without shielding. Since an MLS environment with shielding costs less at this quantity level than an equivalent environment without shielding and a shielded environment is more effective, the MLS shielded version of Alma is the clear choice.

Further savings can be realized by shielding only the half of the Alma implementations that are deployed outside the continental United States. In this case, we do not have to design a special unshielded version for the continental United States; we simply use the standard version without the shielding.

In other words, (and per regulations) we can protect the Alma installations outside the continental US with shielding, not provide an alternative to shielding for Alma systems in the continental United States, and get the best of both worlds. This then is our recommendation:

Implement the MLS Alma design shown earlier, placing Tempest protection (shielding) only in systems deployed outside the continental United States, and design for the following protection techniques (detailed descriptions are provided later in this report):


The total cost for a program of 50 Alma systems comes to $116,800 per Alma.


All of the items listed above should be implemented before Alma is deployed into widespread use.

Case Study 5: The DoD and the Nation as a Whole

System designers can only do so much on their own. Obtaining information protection for the entire nation will require resources and hard work on a national scale. It will not come about as a serendipitous feature of the development of an information infrastructure based on open systems. The longer this matter sits on the back burner or is treated as a matter of academic interest, the greater the eventual costs will be to add resiliency to the infrastructure. Ultimately, neglect of this matter could result in major economic loss, the loss of military capability, and military defeat.

The study from which these results were extracted was done for the Defense Information Systems Agency (DISA) to address the question of information assurance in the Defense Information Infrastructure (DII). [DISAdoc] The full study is not included in the appendices because of its substantial length and because everything covered in that study is reflected elsewhere in this book. Rather, the executive summary is provided here, and a more extensive summary is included in the appendices.

More than 90 percent of the DII is made up of NII components, so DII requirements are key to the NII design and operation. Information assurance in this context refers to the availability and integrity issues discussed earlier.

The DoD has put a lot of effort into secrecy systems, but with the exception of a few very expensive special purpose systems, almost no effort has been put into availability and integrity of information systems under malicious attack.

Executive Summary

The United States depends on information as a key part of its competitive advantage. Operation Desert Storm was an object lesson in the critical importance of information in warfare, in that it demonstrated the DoD's ability to obtain and use information effectively while preventing Iraq from obtaining and using comparable information. This object lesson was observed and understood by other nations and organizations, but they also observed that the U.S. did not protect the massive information infrastructure it mobilized for the Gulf War against disruption. If the U.S. is to maintain a competitive advantage in future conflicts, then the National Information Infrastructure (NII) upon which the U.S. depends must be protected commensurate with its criticality. This analysis shows that:

If the Department of Defense is to maintain operational readiness and fulfill its national security responsibilities, the information infrastructure upon which it depends for information services must be strengthened against accidental and intentional events that lead to disruption (corruption of information or denial of services). If the U.S. as a nation is to compete economically, the NII must be protected.

In order to sustain U.S. capabilities, the following information assurance (availability of services and integrity of information) considerations must be given priority attention.

Information assurance for the NII must also be cost effective. This analysis shows that the costs associated with these tasks will increase dramatically over time if we do not act now. Furthermore, the efforts made to protect the NII will provide widespread benefits to U.S. commercial industries.

By the timely reinvestment of a small portion of the savings that will be gained from the current consolidation and migration to standard information and communication systems, the U.S. will avoid enormous future expenses, mitigate possibly catastrophic military consequences, and enhance its national competitive edge for years to come.

Is Information Assurance an Unsolvable Problem?

NO! We cannot make people immortal, but that does not mean we should abandon medicine. Nobody can provide perfect information assurance, but that does not mean that we should ignore a problem that may result in catastrophic consequences.

The issues that must be considered for proper information assurance in the NII span a wide range, and a correspondingly wide range of solutions exists to address them. There are some challenges in information assurance that are now, and will likely remain, imperfectly addressed for some time to come, but the vast majority of the challenges today can be adequately addressed with a reasonable amount of well-directed effort.

Perhaps a more enlightening view of this issue is the question of how much it will cost to address information assurance, and how much the United States will save as a result of wisely spending that money. In this limited report, we cannot even begin to address the specific issues for specific solutions in specific systems, but we advocate financial and military analysis before undertaking costly action. We also believe that early investment will pay enormous dividends in both the short-term and the long-term:

The information assurance challenge is not only one that can be met, but one that must be met, if the United States is to attain and retain a competitive edge in both the DoD and national information arenas.

What Are the Top Priorities?

Based on our study, we believe that the following three items are the most vital things the nation can do in order to provide a NII with adequate information assurance.

  1. Design the NII for automated detection, differentiation, warning, response, and recovery from disruptions. It is absolutely vital that these capabilities be designed in from the start and that they be sufficiently automatic that they are effective without human intervention. Without these capabilities, the NII will not be able to sustain operation during a substantial disruption attack.
  2. Design the data centers, network components, and network control centers for repairability. Without the ability to recover from disruption of these facilities, under attack, the NII and the nation will grind to a halt and will not be able to reconstitute capabilities in any meaningful time frame.
  3. Train today's information workers to become defensive information warriors capable of defending the NII against information attack. Without trained information warriors, the nation will not be able to sustain the NII no matter how automatically the NII reacts or how well it is designed.
