System Security Architecture Concepts

System security architecture deals specifically with the mechanisms within a system that ensure information is not tampered with while it is being processed or used: memory is protected from leakage, processes are isolated from one another so they cannot interfere with each other, and information is labeled and classified according to its sensitivity.

Hardware Segmentation

Within a system, memory is divided into segments that are kept separate from one another. The operating system kernel controls how memory is allocated to each process and gives it just enough to load the application and the data associated with it. Each process has its own allocated memory, and the hardware (the memory management unit) prevents one process from reading or writing the segments of another. As a result, one user process cannot interfere with another process on the system, whether intentionally or by accident; any sharing between processes has to go through channels the kernel mediates, such as shared memory or inter-process communication.

Reference Monitor

The reference monitor is an abstract machine, a concept rather than a particular program, that mediates access to every object on the system each time access is requested; the component that implements the concept is called the security kernel. Objects are any physical components, files, devices, or memory. The reference monitor allows access to an object only if it determines that the subject (a user, a process, and so on) requesting the object is permitted to have it.

A reference monitor must perform this check on every single request (it cannot be bypassed), and the reference monitor itself must be protected from tampering. It can only be deemed truly secure if it is also small enough to allow for analysis and testing. Larger programs increase complexity, which in turn introduces many more unknown variables into the system. A small reference monitor can be tested and analyzed thoroughly, and the results of those tests will be far more precise.

High Security Mode

This mode of operation (known in Department of Defense terminology as system high mode) allows information at several sensitivity levels to be processed on one system. Access to information within the system is granted on a "need to know" basis. The system and all attached components, including printers, external drives, other computers, and memory, must be secured to the level required by the most sensitive data the system stores or processes.

From the user's perspective, every user must hold a security clearance suitable for the highest classification of information on the system. Beyond the clearance, each user must also have formal authorization from the information owner to use the system and the information on it. All output given to users must be labeled with the highest security classification on the system, because the system itself is not trusted to determine that a particular piece of output is at a lower level.

Data Protection Mechanisms

Within the realm of data protection mechanisms, three are commonly found:

  • Layered design

  • Data abstraction

  • Data hiding

Layered design is intended to protect operations that are performed within the kernel. Sensitive processes and operations run in the innermost rings around the kernel, where they are most protected. Operations such as changing the authentication data on the system lie in the innermost ring of the diagram because they need the most protection, while processes such as the one generating the user interface on the machine sit in the outermost layers of the model.

Each process is designated to run at a particular level within the model. Most, if not all, trusted processes run at the center of the model nearest the kernel. Segmenting processes in this manner means that untrusted user processes running in the outer layers cannot corrupt the core system processes needed to keep the system operational. Refer to Figure 3.4 for more information.

Figure 3.4: Process Layers Diagram

Data abstraction is the precise process of defining what an object is, what values it is allowed to have, and which operations are allowed against it. By stripping out everything that should not be allowed, the definition is reduced to its most essential form, permitting only what the system needs in order to operate. It is rather like separating the wheat from the chaff: getting rid of everything that is not important makes the system less complicated, removes potential security issues, and keeps the focus on what the system is supposed to be doing.

Data hiding is the process of keeping information available at one level of the layered model away from processes in other layers of the model. For instance, information available to the core system processes running at the innermost layers of a system is not available to the processes running the Graphical User Interface (GUI) for the user. Data hiding is a protection mechanism meant to keep the core system processes safe from tampering or corruption.
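The three mechanisms above, modeled in Python as an added example (this is not code from the study guide): the credential store's state lives only inside a closure (data hiding), the two interface types are the exact definition of what each layer may do (data abstraction), and the outer layer is handed only the view that cannot alter authentication data (layered design). The interface names, the sample users and the choice of PBKDF2-HMAC-SHA256 with a per-user salt are assumptions made for the example; a language runtime cannot enforce a ring boundary the way hardware does, so the separation here holds because no reference to the hidden table is ever handed out, not because Python forbids introspection.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


# Data abstraction: each interface is the complete definition of what its layer may do.
@dataclass(frozen=True)
class OuterInterface:
    """Handed to outer-layer code such as the login screen: a yes/no question only."""
    verify: Callable[[str, str], bool]


@dataclass(frozen=True)
class KernelInterface:
    """Kept by the innermost layer: the operations that change authentication data."""
    verify: Callable[[str, str], bool]
    set_password: Callable[[str, str], None]
    remove_user: Callable[[str], bool]


def make_credential_store(iterations: int = 100_000) -> Tuple[KernelInterface, OuterInterface]:
    """Build the credential store and return its two views.

    Data hiding: the salt/hash table exists only inside this closure. No layer is
    handed a reference to it; the only way in is through the returned operations.
    (Assumption: passwords are stored as PBKDF2-HMAC-SHA256 with a per-user salt.)
    """
    records: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, derived key)

    def derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def verify(user: str, password: str) -> bool:
        rec = records.get(user)
        if rec is None:
            return False
        salt, key = rec
        return hmac.compare_digest(key, derive(password, salt))   # constant-time compare

    def set_password(user: str, password: str) -> None:
        salt = os.urandom(16)
        records[user] = (salt, derive(password, salt))

    def remove_user(user: str) -> bool:
        return records.pop(user, None) is not None

    return KernelInterface(verify, set_password, remove_user), OuterInterface(verify)


def login_screen(ui: OuterInterface, user: str, password: str) -> str:
    """Outer-layer code: it only ever holds an OuterInterface."""
    return "welcome" if ui.verify(user, password) else "denied"


def demo() -> Dict[str, bool]:
    kernel, ui = make_credential_store(iterations=20_000)   # fewer rounds keeps the demo quick
    kernel.set_password("alice", "correct horse")           # done at the kernel layer
    results = {
        "ui_good_login": login_screen(ui, "alice", "correct horse") == "welcome",
        "ui_bad_login": login_screen(ui, "alice", "wrong") == "denied",
        "ui_unknown_user": login_screen(ui, "mallory", "x") == "denied",
        # The outer view simply has no operation that alters credentials ...
        "ui_can_change_password": hasattr(ui, "set_password"),
    }
    # ... and, being frozen, cannot have one grafted onto it by outer-layer code.
    try:
        ui.set_password = kernel.set_password   # type: ignore[attr-defined]
        results["ui_gains_set_password"] = True
    except AttributeError:                      # dataclasses.FrozenInstanceError
        results["ui_gains_set_password"] = False
    # The kernel layer rotates the password; the outer view sees the new state.
    kernel.set_password("alice", "new phrase")
    results["kernel_rotates_password"] = (
        login_screen(ui, "alice", "correct horse") == "denied"
        and login_screen(ui, "alice", "new phrase") == "welcome"
    )
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the design is that the outer layer never has to be trusted: it cannot read a hash, cannot write one, and cannot acquire the ability to do so, because the only thing it was ever given is a frozen object holding one function.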

Data Classification

Data classification is part of the mandatory access control (MAC) model. The goal is to identify sensitive information within a system and ensure that it is protected through control mechanisms and security implementations. Classifications are normally specific to the industry in which they are used. The classifications used most today are:

  • Top Secret   Top Secret is given to the information that is most sensitive to an organization, typically intended for use only within the organization itself. Unauthorized disclosure of information at this level would have devastating effects on the organization and could seriously harm its customers, partners, or stockholders. The Department of Defense in the United States uses this level for information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.

  • Secret   The Secret classification is used for less sensitive information that is still not intended to leave agency or organizational boundaries. Unauthorized disclosure could seriously impact the organization, its customers, partners, and stockholders, but not to the catastrophic degree that Top Secret information would.

  • Confidential   Confidential information is usually of a personal nature and intended for use strictly within the organization or agency; Human Resources records are a good example. Unauthorized disclosure could adversely affect both the company and its employees, though nowhere near the extent of the two higher levels.

  • Unclassified   The Unclassified category consists of all the information within an organization that does not neatly fit into the other categories. If this type of information is inadvertently disclosed to unauthorized individuals, it is not expected to carry the same serious consequences of the other levels. The impact of such a disclosure will not seriously impact the company or the individuals working there.

  • Public   Public information within an organization is information that is considered safe for disclosure to the general public. Loss or inadvertent disclosure of this information will not have a negative impact on the organization.

Once the owner of a piece of information assigns it a classification, the level of protection required for that information follows from the classification. Removable media holding the information must be labeled to show its classification level. A computer system is designated at the highest classification of any information it stores, transmits, or processes. Physical protection of the information, and of any removable media holding it, must match the classification level. Protection of the information also extends to the users of the system: only users holding the proper clearance for that information are allowed to access it.
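As an added example (not code from the study guide), the following Python models the reference monitor described earlier on this page together with the classification and clearance rules of this section and of system high mode: one `check` routine is consulted on every access, records every decision, and decides by comparing the subject's clearance label with the object's classification label; `system_high_label` derives the label the whole system, and all of its output, must carry from the most sensitive object it holds. The page does not specify the comparison rules, so the Bell-LaPadula rules (no read up, no write down) are assumed here as the MAC policy, the need-to-know categories, users and objects are constructed sample data, and the "Unclassified above Public" ordering follows the list above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Classification levels from the section, ordered lowest to highest.
LEVELS = ["Public", "Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level plus need-to-know categories (category names are assumed)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # At least as high a level AND covers every category of the other label.
        return RANK[self.level] >= RANK[other.level] and other.categories <= self.categories


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label      # what the user or process is cleared and formally approved for


@dataclass(frozen=True)
class Obj:
    name: str
    label: Label          # classification assigned by the information owner


class ReferenceMonitor:
    """Single choke point consulted on every access; every decision is recorded.

    Policy (Bell-LaPadula rules, assumed here as the MAC policy):
      read  -> subject clearance must dominate object label   (no read up)
      write -> object label must dominate subject clearance   (no write down)
    """

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: Subject, obj: Obj, mode: str) -> bool:
        if mode == "read":
            allowed = subject.clearance.dominates(obj.label)
        elif mode == "write":
            allowed = obj.label.dominates(subject.clearance)
        else:
            allowed = False   # unknown modes are denied, never silently allowed
        self.audit.append((subject.name, obj.name, mode, allowed))
        return allowed

    def access(self, subject: Subject, obj: Obj, mode: str) -> None:
        """What a file system or driver calls before touching the object: deny by exception."""
        if not self.check(subject, obj, mode):
            raise PermissionError(f"{subject.name} may not {mode} {obj.name}")


def system_high_label(objects: List[Obj]) -> Label:
    """Label of the whole system, and of all its output, in system high mode:
    the highest level held plus the union of every category present."""
    level = max((o.label.level for o in objects), key=RANK.__getitem__, default="Public")
    cats = frozenset().union(*(o.label.categories for o in objects))
    return Label(level, cats)


def build_demo() -> Tuple[ReferenceMonitor, Dict[str, Obj], Dict[str, Subject]]:
    """Constructed sample data, not taken from the study guide."""
    objects = {
        "hr_records": Obj("hr_records", Label("Confidential", frozenset({"HR"}))),
        "merger_plan": Obj("merger_plan", Label("Top Secret", frozenset({"FINANCE"}))),
        "press_release": Obj("press_release", Label("Public")),
    }
    users = {
        "analyst": Subject("analyst", Label("Secret", frozenset({"HR", "FINANCE"}))),
        "clerk": Subject("clerk", Label("Confidential", frozenset({"HR"}))),
        "intern": Subject("intern", Label("Secret")),   # cleared high, but no need-to-know
    }
    return ReferenceMonitor(), objects, users


def run_demo() -> Dict[str, bool]:
    rm, o, u = build_demo()
    return {
        "analyst_reads_hr": rm.check(u["analyst"], o["hr_records"], "read"),           # True
        "analyst_reads_plan": rm.check(u["analyst"], o["merger_plan"], "read"),        # False: no read up
        "intern_reads_hr": rm.check(u["intern"], o["hr_records"], "read"),             # False: no need-to-know
        "clerk_reads_notice": rm.check(u["clerk"], o["press_release"], "read"),        # True
        "analyst_writes_notice": rm.check(u["analyst"], o["press_release"], "write"),  # False: no write down
        "clerk_writes_hr": rm.check(u["clerk"], o["hr_records"], "write"),             # True: same level
    }


if __name__ == "__main__":
    rm, objects, users = build_demo()
    print(run_demo())
    print("system label:", system_high_label(list(objects.values())))
```

Two details carry the section's argument: the intern is cleared to Secret yet is denied the Confidential HR records because clearance alone is not need-to-know, and the system label comes out as Top Secret with both categories even though most of the objects are far less sensitive, which is exactly why every printout from a system high machine is marked at the top level.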

Exam Warning 

Data classification labels are commonly used in the government sector, but not nearly as much in the commercial sector. The previously presented labels are common labels, but do not get caught up in the actual words used to denote each level (for example, Top Secret). Instead, understand that each level of classification simply tells the user how sensitive the information is to the organization and how dire the impact to the organization would be if that information fell into the wrong hands. You could just as easily use terms such as Urgent, Warning, Note, and Public.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
