My American Express card received a bunch of bogus charges last week.  Black Friday is now evil for more reasons than just crowded shopping centers!  The bogus charges were easily fixed.  American Express made them disappear before they even showed up on my WWW logon.  So all is happy at the home front, but this does get me going on a security thread.

Losing one credit card number is easy.  Losing a million requires a computer!

In this case, only the credit card number was stolen and only from ONE credit card and I still had the card in my possession.

Who stole the number?

The likely answer is that I was part of a large bulk operation and my card number was stolen quite some time ago at a place that I’ll not know, ever.  It’s impossible to know where things were stolen and trying to figure it out just fuels the paranoia.

My brain suspects things were lifted from my computer – or has me worried that things could be lifted from the computer.  This brings up BULK DATA LOSS and that’s a much larger concern.

Let’s assume that I’m a holder of trusted data.  Millions of things…

How can secret data be protected from easy access by unauthorized apps?

For the past 40 years of computer science, access to files on disk has been based upon the USER.  We have historically authenticated users to the machine and then enabled USERS to get to their own data while preventing any user from getting to the data of any other user.

Is this enough?  If you trust the programs that your users are running, then this is fine.  If you live in the modern world, this is insufficient.

In the modern world, we need data access protected on an application basis.  I would like Very Secret application to get to the Very Secret data – but everyone else should be rejected, except maybe the backup program.  Administrator or not, I don’t care – nobody gets in unless you are the specific application that is permitted to access this specific data.

I have a tool …

XenVault will allow or deny access to “corporate data” based on applications being “corporate apps”.  All I have to do is label Very Secret app a corporate app and all my web browsers and other low trust things will be blocked from seeing the Very Secret data.

There are ways past this – for example, an evildoer could get me to run some other “corporate app” that is compromised and use that app to get into the vault.  This is a never ending circle.

Data access model

The key point in this post is that the data access model, where permission is based upon the USER, is incomplete.  We should be allowing or denying access to things based on a combination of the user account and the application.

Just because I’m “Joe” doesn’t mean that the application trying to open secrets.bin should be allowed to open secrets.bin.  XenVault helps plug this hole – though rather broadly on a corporate/personal wall of trust.  Is that enough?  How many walls are needed?  Does it need to be one wall per application?  What about having applications share data?

With XenVault, we bring a pretty big hammer to this problem space.   The access control is granular to corporate / not corporate, but this is a large step in the right direction.  I am interested in your feedback on how granular the application based access control needs to be and at what point does data protection interfere with data sharing and where should that wall be placed.
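As an added illustration (my own sketch, not XenVault code; the labels, file names and app names are assumed), here is the user-plus-application check placed beside the user-only model, with the compromised “corporate app” case from above and a finer one-wall-per-file variant for comparison.

```python
from dataclasses import dataclass

# Constructed example: every file-open request names BOTH the user and the
# application making the call, so policy can consider the pair.
@dataclass(frozen=True)
class OpenRequest:
    user: str
    app: str
    path: str

# Assumed labels for illustration only; XenVault's real policy format is not
# described in this post.
FILE_OWNER = {"secrets.bin": "joe", "notes.txt": "joe"}
FILE_LABEL = {"secrets.bin": "corporate", "notes.txt": "personal"}
APP_LABEL = {"VerySecret": "corporate", "backup": "corporate",
             "pdfviewer": "corporate", "browser": "personal"}
# Per-file allow list: the one-wall-per-application alternative.
PER_APP_ALLOW = {"secrets.bin": {"VerySecret", "backup"}}

def user_only(req: OpenRequest) -> bool:
    """Classic model: the user owns the file, the application is irrelevant."""
    return FILE_OWNER.get(req.path) == req.user

def corporate_wall(req: OpenRequest) -> bool:
    """One wall: owner check AND the app's label must match the file's label.
    An administrator who is not the owner is still refused."""
    return user_only(req) and APP_LABEL.get(req.app) == FILE_LABEL.get(req.path)

def per_app_wall(req: OpenRequest) -> bool:
    """Finer wall: only applications explicitly listed for that file.
    Files without a list fall back to the corporate/personal wall."""
    if not user_only(req):
        return False
    allowed = PER_APP_ALLOW.get(req.path)
    if allowed is None:
        return corporate_wall(req)
    return req.app in allowed

def decide(req: OpenRequest) -> dict:
    """Run the same request through all three models for comparison."""
    return {"user_only": user_only(req),
            "corporate_wall": corporate_wall(req),
            "per_app_wall": per_app_wall(req)}

if __name__ == "__main__":
    for app in ("VerySecret", "backup", "pdfviewer", "browser"):
        print(app, decide(OpenRequest("joe", app, "secrets.bin")))
    print("root/VerySecret", decide(OpenRequest("root", "VerySecret", "secrets.bin")))
```

The compromised “pdfviewer” passes the corporate wall but not the per-file list, which is exactly the granularity trade-off the question above is about.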

Joe Nord

Product Architect – Citrix Systems XenApp Product Group

App Streaming, Profile Manager, XenVault