In 1972, a civilian contractor named James Anderson was commissioned by the USAF to develop a set of universal security standards “…for multi-user open computer systems which process various levels of classified and unclassified information simultaneously through terminals in both secure and unsecure areas.”*
The resulting report, a remarkably forward-looking analysis called the Computer Security Technology Planning Study Vol. II, is the de facto playbook for defensive computing strategies against, in Mr. Anderson’s words, the “malicious user threat” that seeks to exploit “design or implementation flaws that will give [the user] supervisory control of the system.”
Mr. Anderson’s analysis drove much of the security standards codified in the Trusted Computing System Evaluation Criteria (TCSEC)** published jointly by the DoD and NSA in 1983. The TCSEC, in turn, evolved into today’s Common Criteria certification standard that determines whether IT systems and applications are suitable for use on classified government, military, and intelligence community (IC) networks.
In other words, James Anderson first identified the basic tenets required by a security technology to sufficiently detect, deter, and prevent the mishandling of classified information by privileged insiders (and outsiders masquerading as insiders by using stolen credentials) that are still in use today.
His timeless insight boils down to the three essential elements that an insider threat security technology must possess (italics are mine):
- An adequate system access control mechanism
i.e. – something that, independent of all other controls, governs the authorized functions a user (or account) may utilize or alter within an operating system. - An authorization mechanism
i.e. – something that, independent of all other controls, allows a user (or account), an application or the system itself to execute a given task. - Controlled execution of a user’s program or any program being executed on a user’s behalf…[including] the operating system service functions
i.e. – something that, independent of all other controls, determines whether an authorized task is being executed as intended.
Mr. Anderson coined the term “reference monitor” to describe the then-hypothetical mechanism that encompasses all three requirements simultaneously. The genius of the reference monitor is not only its timeless qualities, but that those qualities spawn secondary requirements that cannot be easily mimicked by other, less robust architectures. Among these secondary attributes are:
- Tamper resistance/Non-repudiation
- Continuous operation
- Event context & correlation
- Audit and remediation
So before I go on, I want to offer full disclosure – I’m a sales guy at Digital Guardian. I’ve been at the company for over 7 years and I am unabashedly proud of the technology we’ve built. I’ve been fascinated with James Anderson since I was a computer science student at MIT and I find it amazing that I landed at this company, where more than 40 years since his groundbreaking report was published, we stand as the only commercially-available product proven to have demonstrated all primary and secondary reference monitor characteristics in a single endpoint agent.
But, Digital Guardian didn’t rest on its laurels as the world’s only reference monitor-based security solution. It incorporates Mr. Anderson’s ideals and then did one better by extending his definition to include the data itself.
In essence, Digital Guardian employs the reference monitor concept to ensure that sensitive content is afforded the same auditability, control and integrity assurance that is essential for trusted computing. Thus, by unifying intelligent and actionable control over systems and data simultaneously within a reference-monitor framework, Digital Guardian is the only solution that provides continuous, root-level situational awareness, operational control, and chain-of-custody proof to protect sensitive data against malicious insiders and outsiders. To achieve this capability otherwise would require an inefficient, Rube Goldberg-type*** architecture to independently verify and splice the narrow output of multiple non-integrated mechanisms.
Not surprisingly, many of the most valuable companies in the world rely on Digital Guardian to protect their most sensitive data from both insider and outsider threats (not to mention their garden-variety compliance requirements):
- 7 of the top 10 US patent holders
- 5 of the top 10 global auto makers
- 20+ deployments greater than 20,000 users
- Monitors over 140,000 insiders across a secure government agency
So, thank you, Mr. Anderson, for you are the world’s first security change agent and the intellectual benefactor to the world’s only manifestation of your reference monitor: Digital Guardian. In a time when the fastest computers had less power than a potato clock, you were a true visionary who gave us the definitive guide for insider and outsider threat defense that had to wait four decades to be fully appreciated.
Want to learn more about James P. Anderson and the rest of the 2014 Security Change Agents?
- Check out Dan Geer's nomination of James P. Anderson for additional commentary on the reference monitor concept as well as some of James' other contributions to information security.
- View the full lineup of the 2014 Security Change Agents.
*In DoD vernacular ”multi-user open systems” describes computing environments with the most stringent security requirements.
**The TCSEC (aka “Orange Book”) is the first of 39 colorful volumes comprising the DoD’s Rainbow Series of computer security and guidelines published between 1983 - 1995.
***Click here to see some Rube Goldberg contraptions
