Report - Guardian

More documents

Recommendations

Info

188 The LSE Identity Project <strong>Report</strong>: June 2005- The system will have to accept and respond to hundreds or even thousands ofidentity enrolment and verification requests each minute; enrolment requestswill involve a large processing load and a proportion will require costly and timeconsuming manual intervention;- All personnel involved with the system will need to be security vetted to preventcriminal infiltration of NIR operations or ‘insider’ attacks.Most experienced systems designers will immediately recognise that this combinationof requirements poses an extreme challenge even without the security requirements.Even if the security requirements are undertaken the system becomes infeasible unlesssubstantial pruning and simplification is undertaken.The following sections will consider security and safety aspects of the proposal andsome of the dilemmas that will be faced if a system of this scale and complexity ispursued.Secure Information SystemsSince many governments have recognised the need for secure computer systems,internationally recognised criteria have been created to describe the ‘security quality’achieved by computer systems. In the UK, the Communications Electronic SecurityGroup (CESG) administers the UK's contribution to this field. 462The basic principle used is that if a computer system faces higher security risks, it willneed to be of higher security quality in order to counter them (the technical term used todescribe security quality is ‘security assurance’). Typical factors that increase the risks,and hence the security assurance needed, are:1. the scale and the complexity of the system2. the number of users3. the security sensitivity of data held on the system4. whether it has connections to other computer systems, especially untrusted ones5. whether it is connected to the Internet6. whether it is likely to be an attractive target for attackThe security assurance levels used for assessing computer systems range from EAL 0,which is ‘inadequate assurance’, to EAL 7, which is the highest assurance that isconsidered to be practical (which can only be achieved in small, simple systems). 463Systems of the character of the National Identity Register are large, complex systemsthat hold considerable quantities of sensitive data. Such systems also face high levels ofsecurity risk because of their connections to other computers, and even to the Internet.The general view is that such systems require the highest levels of security assurance atEAL 6 or higher, but there are no systems of this character on the market that are higherthan EAL 4. For example, the UK certified products list 464 contains no operatingsystems and no databases with security qualities above EAL 4, which is two or more462 http://www.cesg.gov.uk/site/iacs/463 http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=13464 http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=151
The LSE Identity Project <strong>Report</strong>: June 2005 189quality levels below that needed to implement the NIR. This is the case even for special“secure” versions of software, such as the Open INGRES/Enhanced Security databaseand the Sun Solaris 2.6SE operating system.The NIR is an example of a class of computer systems requiring ‘Mandatory AccessControl’, which means that the security policy cannot be overridden by the users. Themost common systems of this type are described as ‘multi-level secure’. These aresystems that defence and intelligence agencies have been seeking to build for more thantwo decades. Although they are technically feasible on a small scale, experience showsthat their development is extremely costly, their performance is very often disappointingand their maintenance and support costs are prohibitively high.The problem is well summarised by Dr Rick Smith, a US computer security expert, whosays:“Multilevel security (MLS) has posed a challenge to the computersecurity community since the 1960s. MLS sounds like a mundaneproblem in access control: allow information to flow freely betweenrecipients in a computing system who have appropriate securityclearances while preventing leaks to unauthorized recipients.However, MLS systems incorporate two essential features: first, thesystem must enforce these restrictions regardless of the actions ofsystem users or administrators, and second, MLS systems strive toenforce these restrictions with incredibly high reliability. This has leddevelopers to implement specialized security mechanisms and toapply sophisticated techniques to review, analyze, and test thosemechanisms for correct and reliable behaviour.“Despite this, MLS systems have rarely provided the degree ofsecurity desired by their most demanding customers in the militaryservices, intelligence organizations, and related agencies. The highcosts associated with developing MLS products, combined with thelimited size of the user community, have also prevented MLScapabilities from appearing in commercial products.” 465Since the National Identity Register will require a mandatory access control system, thescale, complexity and assurance of which is a long way beyond anything everpreviously contemplated, the programme is certain to face technical problems of a kindthat are known to lead to development difficulties, and very often to uncontrolled costgrowth during development.There is thus very good evidence to suggest that it will not be feasible to build acomputer system capable of operating the National Identity Register with effectivesecurity provisions. An attempt to build such a system is likely to be extremelyexpensive and at high risk of failure.465 http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html
Page 1:
The Identity Projectan assessment o
Page 5 and 6:
The LSE Identity Project Report: Ju
Page 7:
Page 11 and 12:
Page 13 and 14:
Page 15:
Page 19:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33:
Page 36 and 37:
22 The LSE Identity Project Report:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
100 The LSE Identity Project Report
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152: The LSE Identity Project Report: Ju
Page 157: The LSE Identity Project Report: Ju
Page 160 and 161: 146 The LSE Identity Project Report
Page 199: The LSE Identity Project Report: Ju
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Page 259:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Page 278 and 279:
Page 280 and 281:
Page 282 and 283:
Page 284 and 285:
Page 286 and 287:
Page 288 and 289:
Page 290 and 291:
Page 292 and 293:
Page 294 and 295:
Page 296 and 297:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317:
show all

Report - Guardian

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?