The Rule of Separation states that to secure something, it must be separated from the dangers and threats of the world around it. In accordance with the Rule of Least Privilege, we should only bestow access to our treasure room on those who really require such access. Consider, however, if we also had a library in the middle of our treasure room, and had to allow students to come in to study. We don't want the students to have access to the gold, but we can't deny them access to the books! Often, our treasure rooms are not so cut and dried as to say, "The gold is inside and the thieves are outside," just as the protective barriers we build do not always exist at the perimeter of our networks. Many times, it is important to separate different internal objects to avoid introducing unnecessary exposure.

Concept

It is commonly known that the more "tasks" a device must perform, the more issues it is likely to have. It is ill-advised for any company to have 10 applications running on one system, because those applications have most likely not been designed or tested to share a hosting server with other applications. It is also commonly known that the more subjects that have access to an object, the higher the chance that the object will have an exposure. By not practicing the Rule of Separation, an organization multiplies its exposures and, at the same time, reduces the overall level of security for each object.

Multiplying Exposures

The strengths and weaknesses of any particular object can usually be related to the tasks that object performs. The more something does, the more complicated it has to be, and thus, the more potential security weaknesses it will have. Every service running on a device has some degree of programming errors, incompatibilities, and vulnerabilities. Running multiple services on a single device not only combines existing vulnerabilities, but can also introduce new ones.
Thus, if an email service has three vulnerabilities and a Web service has two, running them both together may even surpass five vulnerabilities. When services are combined, each service adopts the weaknesses of the other services running with it. Some services are less stable than others, and some have more vulnerabilities than others. When we combine services, we compound these negative attributes.

Reducing the Level of Security

Each service also has its own unique sensitivity considerations. One service may not be important to our organization, while another service may be vital. Similarly, some services deal with meaningless data, while others store and process sensitive transactions. By combining services on a single server, we are essentially combining the different levels of sensitivity along with the different levels of security. An FTP service may not be vital to an organization, and thus the application may not include a great deal of security. The email server, however, may be vital to the organization and its applications may be highly secured. By combining these two applications on a single system, the organization is essentially placing the weak security controls of the FTP service into an otherwise secure, critical email server.

Example of Reduced Security Through Shared Services

As seen in Table 4.2, System X runs three applications: email, Web, and FTP. Each service has its own level of security and its own vulnerabilities. Each also hosts a different set of data with different levels of sensitivity. Thinking back to our Rule of the Weakest Link, imagine what we have done to the security of this system. We have combined the worst of the vulnerabilities with the most sensitive of data! If any one of these applications is compromised, all data from all applications could easily be exposed.
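The System X scenario above, worked through as an added example (not code or figures from the book): a small risk model that applies the weakest-link reasoning to a shared host, compares it with isolating the most sensitive service, and flags which co-hosted pairs mix sensitive data with weaker controls. The service names follow the text; the numeric scores are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    vulnerabilities: int   # known weaknesses in this service
    security_level: int    # strength of its own controls, 1 (weak) .. 5 (strong)
    data_sensitivity: int  # sensitivity of the data it handles, 1 (public) .. 5 (critical)

# Constructed inventory modelled on System X; the numbers are illustrative
# assumptions, not values taken from Table 4.2.
SERVICES = [
    Service("email", vulnerabilities=3, security_level=5, data_sensitivity=5),
    Service("web",   vulnerabilities=2, security_level=3, data_sensitivity=2),
    Service("ftp",   vulnerabilities=4, security_level=1, data_sensitivity=1),
]

def host_exposure(services):
    """Exposure of one host running all of `services` together.

    Weakest link: compromising any one service reaches every data set on the
    host, so the attack surface is the sum of all vulnerabilities, the effective
    control strength is the weakest service's, and the prize is the most
    sensitive data present.
    """
    return {
        "surface": sum(s.vulnerabilities for s in services),
        "weakest_control": min(s.security_level for s in services),
        "data_at_risk": max(s.data_sensitivity for s in services),
    }

def compare_deployments(services):
    """Exposure of the most sensitive data when shared versus isolated."""
    most_sensitive = max(services, key=lambda s: s.data_sensitivity)
    return {
        "shared": host_exposure(services),
        "separated": host_exposure([most_sensitive]),  # on its own host
    }

def weak_links(services):
    """Pairs (sensitive, peer) where a peer with weaker controls shares the
    host with a service holding more sensitive data: the FTP/email problem."""
    return [
        (s.name, p.name)
        for s in services
        for p in services
        if p.security_level < s.security_level
        and s.data_sensitivity > p.data_sensitivity
    ]
```

Separating the email service leaves its data behind three vulnerabilities and strong controls; sharing the host puts it behind nine vulnerabilities and the FTP service's weak controls.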
Practicing Separation

The application of this rule does not require us to place every single service on its own bulletproof device, locked in an airtight chamber. If we follow these guidelines, we should be able to make practical and secure decisions without great expense:
Six Sample Considerations to Determine if a Service Should Be Isolated

Table 4.3 is an example scoring system to show the thought process one might go through when deciding to share services. Take a specific object and review each consideration on the left. Select the best answer on the right and add the points together. Then, compare the score to the recommendation at the bottom of the chart.