2007-11-07
Figure 4 also provides a roadmap for shaping enterprise security objectives. These objectives will play a critical role in shaping risk and in threat modeling. The balance between greater security and higher availability is achieved by selecting an exposure time that meets enterprise objectives. A lower exposure time for a particular asset results in higher security and a huge reduction in losses from a potential threat, though at the cost of lower throughput. Higher exposure times within the proactive intrusion tolerance approach provide less security, but still result in reduced losses and higher throughput. Thus, proactive intrusion tolerance provides a risk-shaping tool at every level of the enterprise security architecture that is highly adaptive to enterprise objectives and therefore achieves higher security levels and reductions in losses for both single and cumulative effects.
In Table 5, we study the potential savings achieved by using the intrusion tolerance approach for data centers with between 1 and 50 servers. For example, a data center with 50 servers can achieve savings of about $1 million (50% savings) by utilizing the intrusion tolerance approach.

Table 4: Reduction in Losses due to Intrusion Tolerance
The proactive approach has additional benefits. To illustrate, we consider the data center patch management system. Reactive systems base their decisions on content analysis of incoming or outgoing packets. This requires updating signatures and installing patches as these are provided by the vendors. The arrival of patches disrupts the planning and scheduling of work in the data center. Proactive systems, on the other hand, are less susceptible to packet content, and the proactive system parameters, especially the exposure time, are set at the time of installation. Since the proactive approach gives senior management better assessment and control of risk, it also gives the data center manager more control over the scheduling of patches.
Conclusions
In this paper we have discussed the current reactive approaches and proposed a new proactive risk management model based on exposure time specification. The model adds a new layer of security, creating a robust risk management approach.
In our view, reactive and proactive systems must co-exist. Parameter selection based on a holistic view of the security system can reduce the capital cost as well as the operations cost. We anticipate that the proactive approach will provide an upper bound on the losses and thus the data center manager has more freedom in scheduling unexpected events like patch installation. This freedom will yield lower operation costs.
