Security Architecture and Design/Systems Security Architecture
Systems Security Architecture
[edit | edit source]The security architecture is one component of a product’s overall architecture and is developed to provide guidance during the design of the product. It outlines the level of assurance that is required and potential impacts that this level of security could have during the development stages and on the product overall.
Security Design Principles
[edit | edit source]Security is a system requirement just like performance, capability, cost, etc.Therefore, it may be necessary to trade off certain security requirements to gain others.
Principles of Secure Design
- Design security in from the start
- Allow for future security enhancements
- Minimize and isolate security controls
- Employ least privilege
- Structure the security relevant features
- Make security friendly
- Don’t depend on secrecy for security
Principles for Software Security
- Secure the weakest link
- Practice defense in depth
- Fail securely- If your software has to fail, make sure it does it securely
- Follow the principle of least privilege
- Compartmentalize- Minimize the amount of damage that can be done by breaking the system into units
- Keep it simple- Complex design is never easy to understand
- Promote privacy- Try not to do anything that compromises the privacy of the user
- Remember that hiding secrets is hard
- Be reluctant to trust- Instead of making assumptions that need to hold true, you should be reluctant to extend trust
- Use your community resources- Public scrutiny promotes trust
Design Principles for Protection Mechanisms
- Least privilege- Should only have the rights necessary to complete your task.
- Economy of mechanism- Should be sufficiently small and as simple as to be verified and implemented – e.g., security kernel. Complex mechanisms should be correctly Understood, Modeled, Configured, Implemented and Used
- Complete mediation- Every access to every object must be checked
- Open design- Let the design be open. Security through obscurity is a bad idea
- Should be open for scrutiny by the community- Better to have a friend/colleague find an error than a foe
- Separation of privilege- Access to objects should depend on more than one condition being satisfied
- Least common mechanism- Minimize the amount of mechanism common to more than one user and depended on by all users
- Psychological acceptability- User interface must be easy to use, so that users routinely and automatically apply the mechanisms correctly. Otherwise, they will be bypassed
- Fail-safe defaults. Should be lack of access
Trusted Computing Base
[edit | edit source]Overview
- A Trusted Computing Base (TCB) is the whole combination of protection mechanisms within a computer system.
- The TCB addresses all the security components of the hardware, software, and firmware within the system.
- It does not address the level of security that a system provides, but rather the level of trust that a system provides as because no computer system can be totally secure
- If the TCB is enabled, then the system has a trusted path, a trusted shell, and system integrity–checking capabilities
- A trusted path is a communication channel between the user, or program, and the kernel. The TCB provides protection resources to ensure that this channel cannot be compromised in any way
- A trusted shell means that someone who is working in that shell cannot “bust out of it” and other processes cannot “bust into” it.
- The TCB contains components that directly enforce the security policy (is a set of rules and practices that dictates how sensitive information and resources are managed, protected, and distributed.)
Basic Functions of a TCB
- Process Activation- deals with the activities that have to take place when a process is going to have its instructions and data processed by the CPU.
- Execution Domain Switching- takes place when a process needs to call upon a process in a higher protection ring.
- Memory protection and
- I/O operations
Evaluating the TCB
- Evaluating the trust level of a system includes identifying the architecture, security services, and assurance mechanisms that make up the TCB.
- During the evaluation process, the tests must show how the TCB is protected from accidental or intentional tampering and compromising activity.
- For systems to achieve a higher trust level rating, they must meet well-defined TCB requirements,and the details of their operational states, developing stages, testing procedures, and documentation will be reviewed with more granularity than systems that are attempting to achieve a lower trust rating.
Reference Monitor and Security Kernel
- The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification.
- The security kernel is made up of hardware, software, and firmware components that fall within the TCB and implements and enforces the reference monitor concept.
- The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. There are three main requirements of the security kernel:
- It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamper-proof.
- It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.
- It must be small enough to be able to be tested and verified in a complete and comprehensive manner.
Security Perimeter
- A security perimeter is a boundary that divides the trusted from the untrusted.
- For the system to stay in a secure and trusted state, precise communication standards must be developed to ensure that when a component within the TCB needs to communicate with a component outside the TCB, the communication cannot expose the system to unexpected security compromises. This type of communication is handled and controlled through interfaces.
The Relation
- The reference monitor is a concept in which an abstract machine mediates all access to objects by subjects.
- The security kernel is the hardware, firmware, and software of a TCB that implements this concept.
- The TCB is the totality of protection mechanisms within a computer system that work together to enforce a security policy. The TCB contains the security kernel and all other security protection mechanisms
Security Modes of Operation
[edit | edit source]Overview
- A system can operate in different modes depending on the sensitivity of the data being processed, the clearance level of the users, and what those users are authorized to do.
- The mode of operation describes the security conditions under which the system actually functions.
- Trust vs Assurance
- A trust is a level of confidence or belief that tells the customer how much protection he can expect out of the system.
- In a trusted system, all protection mechanisms work together to process sensitive data for many types of uses, and will provide the necessary level of protection per classification level
- Assurance is an higher level of confidence that looks at the same issue but in more depth and detail where the system is thoroughly inspected.
Dedicated Security Mode All users must have…
- Proper clearance for all information on the system
- Formal access approval for all information on the system
- Signed NDA for all information on the system
- Valid need to know for all information on the system
All users can access all data.
System High-Security Mode All users must have…
- Proper clearance for all information on the system
- Formal access approval for all information on the system
- Signed NDA for all information on the system
- Valid need to know for some information on the system
All users can access some data, based on their need to know.
Compartmented Security Mode All users must have…
- Proper clearance for the highest level of data classification on the system
- Formal access approval for all information they will access on the system
- Signed NDA for all information they will access on the system
- Valid need to know for some of the information on the system
All users can access some data, based on their need to know and formal access approval.
Multilevel Security Mode All users must have…
- Proper clearance for all information they will access on the system
- Formal access approval for all information they will access on the system
- Signed NDA for all information they will access on the system
- Valid need to know for some of the information on the system
All users can access some data, based on their need to know, clearance, and formal access approval.