Today, the cyber security requirements of government and the private sector are rapidly converging. On the one hand, traditional methods of cyber defence are failing in corporate environments, given the ever-evolving threat landscape. While on the other, governments are increasingly needing to reduce their reliance on government-bespoke approaches to security, in order to deliver the operational benefits, flexibility and cost advantages of emerging technologies – from cloud to mobile and IoT.
High Assurance products and services seek to bridge this gap, allowing organisations to undertake informed risk management, defending against the more advanced targeted attacks, and highest impact risks, while enabling effective use of commercial "off the shelf" technologies.
What is High Assurance?
Definitions vary, but a typical starting point for a High Assurance system is a claim or set of claims that are made about a system’s behaviour, and an argument or evidence that a system will function as described (HAUK definition).
The approach to achieving this may be a selection of formal software verification methods, third-party expert evaluation, security testing and analysis, depending on the system characteristics and market needs. Formal verification itself is a rapidly evolving field driven in part by large platform vendors such as Amazon, who have a tremendous amount at stake regarding the correctness of their software platforms - we all do! (see provable security).
Given the complexity of most software platforms, and their often-infinite number of possible states, systems that seek to achieve high levels of assurance often look to integrate with hardware components that expose functionality on which to base security claims. Behaviour of hardware is typically more constrained (see for example HardSec blog), and any existing security analysis or evaluations can be inherited by the software that makes use of it. This principle is driving increased availability and use of hardware-based security functionality, from TPM chips, to Intel and Arm processor security extensions, as well as dedicated and evaluated hardware security platforms.
High Assurance systems may still have vulnerabilities, including those found within hardware, but the combination of explicit claims with constrained or verified security functionality means that associated risks can be both mitigated and quantified more effectively.
What High Assurance is not?
Of course, most cyber security products today would not be categorised as High Assurance, either because exaggerated marketing claims replace evidence-based security claims, or because of the probabilistic nature of technologies such as signature-based malware detection and AI-based anomaly detection. That is not to say we should not include the use of such technologies, but we should recognise the different type of contribution they can make to informed risk management. If I want to reduce the occurrence of malware within a network, then I will run the latest anomaly detection. If I want a high degree of confidence that I have removed the risk of malware, then my controls will include something like a High Assurance gateway that provides network isolation, which in turn can increase the effectiveness of my anomaly detection software.
Why should we care?
If you’ve made it to this part of the article, you will probably have some differing perspectives on parts of the above, and areas you may improve, I would be interested in your feedback. But too many consumers of cyber security products and services do not yet adequately distinguish between well implemented and well marketed security products, and others. In fact, they often do not have the resources, time and expertise to do so. Economists refer to this market dynamic as ‘Information Asymmetry’ and point out that it is one of the key drivers of market failure (often leading to further regulation).
In some sectors and for some categories of security product or service, third-party evaluations or accreditation schemes can address Information Asymmetry, but it is unrealistic to assume these can scale to address even a minority of the market’s needs.
Within the UK, the direction of travel from government seems to be towards placing more focus and then trust on the vendor’s standards and practices. If part of this leads to the encouraging of more formal security claims, and a closer relationship between these and marketing claims, the industry will make a significant step forward in addressing Information Asymmetry and supporting more informed risk management.