In 1972, a civilian contractor named James Anderson was commissioned by the USAF to develop a set of universal security standards “…for multi-user open computer systems which process various levels of classified and unclassified information simultaneously through terminals in both secure and unsecure areas.”*
The resulting report, a remarkably forward-looking analysis called the Computer Security Technology Planning Study Vol. II, is the de facto playbook for defensive computing strategies against, in Anderson’s words, the “malicious user threat” that seeks to exploit “design or implementation flaws that will give [the user] supervisory control of the system.”
Anderson’s analysis drove much of the security standards codified in the Trusted Computing System Evaluation Criteria (TCSEC)** published jointly by the DoD and NSA in 1983. The TCSEC, in turn, evolved into today’s Common Criteria certification standard that determines whether IT systems and applications are suitable for use on classified government, military, and intelligence community (IC) networks.
In other words, James Anderson first identified the basic tenets required by a security technology to sufficiently detect, deter, and prevent the mishandling of classified information by privileged insiders (and outsiders masquerading as insiders by using stolen credentials) that are still in use today.
His timeless insight boils down to the three essential elements that an insider threat security technology must possess (italics are mine):
- An adequate system access control mechanism
Something that, independent of all other controls, governs the authorized functions a user (or account) may utilize or alter within an operating system. - An authorization mechanism
Something that, independent of all other controls, allows a user (or account), an application or the system itself to execute a given task. - Controlled execution of a user’s program or any program being executed on a user’s behalf…[including] the operating system service functions
Something that, independent of all other controls, determines whether an authorized task is being executed as intended.
Anderson coined the term “reference monitor” to describe the then-hypothetical mechanism that encompasses all three requirements simultaneously. The genius of the reference monitor is not only its timeless qualities, but that those qualities spawn secondary requirements that cannot be easily mimicked by other, less robust architectures. Among these secondary attributes are:
- Tamper resistance/Non-repudiation
- Continuous operation
- Event context & correlation
- Audit and remediation
So, before I go on, I want to offer full disclosure – I’m a sales guy. I’ve been fascinated with James Anderson since I was a computer science student at MIT and I find it amazing that I landed at this company, where more than 40 years since his groundbreaking report was published, we stand as the only commercially-available product proven to have demonstrated all primary and secondary reference monitor characteristics in a single endpoint agent.
But Fortra Data Classification didn’t rest on its laurels as the world’s only reference monitor-based security solution. It incorporates Mr. Anderson’s ideals and then did one better by extending his definition to include the data itself.
In essence, Fortra Data Classification employs the reference monitor concept to ensure that sensitive content is afforded the same auditability, control and integrity assurance that is essential for trusted computing. Thus, by unifying intelligent and actionable control over systems and data simultaneously within a reference-monitor framework, Digital Guardian is the only solution that provides continuous, root-level situational awareness, operational control, and chain-of-custody proof to protect sensitive data against malicious insiders and outsiders. To achieve this capability otherwise would require an inefficient, Rube Goldberg-type*** architecture to independently verify and splice the narrow output of multiple non-integrated mechanisms.
So, thank you, Mr. Anderson, for you are the world’s first security change agent. In a time when the fastest computers had less power than a potato clock, you were a true visionary who gave us the definitive guide for insider and outsider threat defense that had to wait four decades to be fully appreciated.
*In DoD vernacular ”multi-user open systems” describes computing environments with the most stringent security requirements.
**The TCSEC (aka “Orange Book”) is the first of 39 colorful volumes comprising the DoD’s Rainbow Series of computer security and guidelines published between 1983 - 1995.
***Click here to see some Rube Goldberg contraptions
