I was recently involved in planning a massive Internet infrastructure upgrade. The goal: To make a nationwide network more reliable and secure for both consumers and service providers. The security piece involves massively flexible authentication methods served up in client and cloud-based form with heaping doses of WS-Trust, WS-Federation, and WS-Policy. It's a beautiful, ready-to-deliver solution. If you've read solution no. 2 of my "Fix the Internet" whitepaper, you already know the key ideas.
When we shared the proposal with one of the key stakeholders, the person asked how well the security would hold up if the attacker got inside the cloud or became one of the trusted authentication providers. I think our answer surprised him.
[ IT is a risky business. How do you avoid common catastrophes and increase your chances of success? See "The IT worst case scenario survival guide." ]
We replied that our security model assumes that all attackers are trusted insiders, fully authenticated with elevated levels of access control and privileges. In any large security system, especially one that covers a large enterprise or coast-to-coast implementation, it's absolutely true.
Administrator's dilemma
Administrators of smaller entities normally know all of the other privileged administrators. But in a massive system, the centralized administrators don't have a clue about the trustworthiness of the various sub-admins. They don't know their names, their motivations, or whether the have passed a background check. It's a common scenario that haunts many senior administrators today. They have to give the keys to the kingdom to people who could go off on a malicious tangent at any moment. I've been involved with many cases in which a disgruntled IT employee caused millions of dollars in damage and thought nothing of trading their future career and even freedom to extract their demented revenge.
If your computer security defense is to withstand the real test of legitimacy, it should be built with the assumption that all attackers are trusted and highly privileged insiders acting within the system. That means not relying on perimeter defenses that are bound to fail (e.g. MS-Blaster, Conficker, etc.) and assuming that every asset in your internal network is directly exposed to the Internet. The idea of external networks isolated from soft, chewy centers by perimeter defenses died in August 2003 with the appearance of MS-Blaster.
