Security products you deploy in your network also rely on a security model. You must know the purpose and scope of each security model in use at your site. To understand why, think about what happens when you add a database management system to an operating system. The operating system and the database manager have different notions of user. No requirement states that the names used to identify users in the operating system and users in the database manager must be identical; in fact, the user names could be drawn from completely different alphabets or character sets. Different entities are defined in the two products. The operating system works with entities such as files and directories, but the database manager introduces the notions of record, field, and schema. The scope, or span of control, exercised by the operating system and by the database manager differs, too. The operating system controls whether a user is even allowed to install the database manager, but the database manager makes all of the decisions about which parts of each database a user can access.
The database manager and the operating system also participate in a trust relationship. The operating system provides device drivers that the database manager uses to write data to disk. If the device drivers are compromised by a hacker, the integrity of the database might be affected. The database manager trusts that the operating system has adequate controls in place to prevent this type of attack. A trust boundary occurs at the operating system's interface for calling the device driver. If a hacker can replace the device driver program on disk, or can intercept the database manager's request to use the device driver and temporarily substitute a bogus device driver, then security is not guaranteed.
The dependencies that security products and the operating system have on each other are often overlooked or taken for granted. Someone might assume that the database software's integrity can be maintained by monitoring its executables and configuration files for tampering. If someone tries to replace one of the binaries making up the database manager itself, a warning could be signaled. However, this warning alone is not sufficient for a secure environment. Each piece of the environment must be secure. As noted, if components of the operating system can be replaced, the database manager can lose its integrity. The only way to understand how products interact is by looking at the security models they introduce.
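The point above, that a monitor covering only the database manager's own files misses a swapped operating-system driver, can be shown with a small integrity check. The following is an added example, not code from the original text or from any real product: the file layout, the file contents and the "bogus driver" are all constructed stand-ins written into a temporary directory, and the SHA-256 manifest is a generic baseline technique rather than any vendor's mechanism.

```python
import hashlib
import os
import tempfile

# Constructed layout of a hypothetical deployment; these are not real product paths.
DBMS_FILES = ["dbms/bin/dbserver", "dbms/etc/db.conf"]
OS_DEPENDENCIES = ["os/drivers/disk.sys"]   # driver the DBMS trusts to write its data


def sha256_file(path):
    """Hash a file's content in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, relpaths):
    """Baseline: relative path -> SHA-256 of its current content."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in relpaths}


def verify_manifest(root, manifest):
    """Return the relative paths whose content changed or that are now missing."""
    changed = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path) or sha256_file(path) != expected:
            changed.append(rel)
    return sorted(changed)


def populate(root):
    """Write constructed stand-in files for the DBMS and for the OS driver it uses."""
    for rel in DBMS_FILES + OS_DEPENDENCIES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"original content of " + rel.encode())


def simulate_driver_swap(root):
    """Attacker replaces the disk driver but leaves every DBMS file untouched.

    Returns (findings of a DBMS-only monitor,
             findings of a monitor that also covers the OS components the DBMS depends on).
    """
    populate(root)
    dbms_only = build_manifest(root, DBMS_FILES)
    full = build_manifest(root, DBMS_FILES + OS_DEPENDENCIES)
    with open(os.path.join(root, OS_DEPENDENCIES[0]), "wb") as f:
        f.write(b"bogus driver that copies every write somewhere else")
    return verify_manifest(root, dbms_only), verify_manifest(root, full)


def run_demo():
    """Run the simulation in a scratch directory and return both monitors' findings."""
    with tempfile.TemporaryDirectory() as root:
        return simulate_driver_swap(root)


if __name__ == "__main__":
    narrow, wide = run_demo()
    print("DBMS-only monitor flagged:", narrow)
    print("full-dependency monitor flagged:", wide)
```

The narrow manifest reports nothing, because every file it knows about is intact; only the manifest that crosses the trust boundary into the operating system's driver directory catches the substitution. The same reasoning applies to the monitor itself: it reads files through the operating system it is checking, so it too depends on components outside its own manifest.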
Understanding the security model upon which a product is based will help in the following ways:
Product boundaries are important because they present opportunities for attack. Interaction at a boundary involves passing information from one security model to another, where the information can be either data values or a task to perform. A login security product you might add, for example, interfaces with the operating system when it reports success or failure depending on the outcome of the login process. You might ask several questions about a product like this:
In order to answer these questions, you must start with the basic building blocks and construct a security model.
To show that a computer system can maintain confidentiality and integrity, an underlying security model is needed. At the lowest level of the model is an entity that is best thought of as a noun representing something of interest in your universe. Entities are further classified as either subjects or objects. Not surprisingly, this structure is similar to most spoken languages. Indeed, the next concept in the model is the verb access.
Subjects access objects. Upon this simple notion rests the foundation for all computer security products. When you purchase a security product, start by thinking of it in terms of these atomic definitions. What are the subjects? What are the objects? What kinds of access control can be specified between subjects and objects? You will have plenty of other questions to ask, but always start with these.
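To make the three questions concrete, here is an added example (not code from the original text, and not any real product's implementation) that models the two products from the database discussion above as separate subject/object/access models and then shows how a request crosses from one to the other. The user names, table name, file path and right names are constructed for illustration; the assumption that the database server runs under its own operating-system identity ("dbsvc") is also part of the example, not a statement from the text.

```python
from collections import defaultdict


class AccessMatrix:
    """Minimal access-control matrix: a cell (subject, object) holds the rights
    the subject has on the object. This is the 'subjects access objects' notion
    reduced to a data structure with a single check operation."""

    def __init__(self):
        self._rights = defaultdict(set)

    def grant(self, subject, obj, *rights):
        self._rights[(subject, obj)].update(rights)

    def revoke(self, subject, obj, *rights):
        self._rights[(subject, obj)].difference_update(rights)

    def allows(self, subject, obj, right):
        return right in self._rights.get((subject, obj), set())


# --- Model 1: the operating system ---------------------------------------
# Subjects: OS accounts (lower-case names).  Objects: files.  Access: read/write.
def build_os_model():
    m = AccessMatrix()
    m.grant("alice", "/var/db/sales.dat", "read", "write")
    m.grant("dbsvc", "/var/db/sales.dat", "read", "write")   # the DB server's own account
    m.grant("bob", "/var/db/sales.dat", "read")
    return m


# --- Model 2: the database manager ----------------------------------------
# Subjects: database users (a different namespace, here upper-case).
# Objects: tables.  Access: select/insert/update/delete.
def build_db_model():
    m = AccessMatrix()
    m.grant("ALICE", "sales.orders", "select", "insert")
    m.grant("BOB", "sales.orders", "select")
    return m


# The boundary: which file backs which table, which OS right a DB right needs,
# and which OS identity actually performs the I/O on the DB user's behalf.
FILE_OF_TABLE = {"sales.orders": "/var/db/sales.dat"}
OS_RIGHT_NEEDED = {"select": "read", "insert": "write", "update": "write", "delete": "write"}
DB_SERVER_OS_USER = "dbsvc"   # assumption for this example


def layered_check(os_model, db_model, db_user, table, db_right):
    """The database manager decides about (db_user, table, db_right); if it says yes,
    the request becomes a file operation by the server process, which the operating
    system judges by its own model. Both must allow it."""
    if not db_model.allows(db_user, table, db_right):
        return "denied by database manager"
    backing_file = FILE_OF_TABLE[table]
    if not os_model.allows(DB_SERVER_OS_USER, backing_file, OS_RIGHT_NEEDED[db_right]):
        return "denied by operating system"
    return "allowed"


if __name__ == "__main__":
    os_m, db_m = build_os_model(), build_db_model()
    print(layered_check(os_m, db_m, "ALICE", "sales.orders", "select"))
    print(layered_check(os_m, db_m, "BOB", "sales.orders", "insert"))
    os_m.revoke(DB_SERVER_OS_USER, "/var/db/sales.dat", "write")
    print(layered_check(os_m, db_m, "ALICE", "sales.orders", "insert"))
```

Two things the paragraph states become visible in the code. The subjects differ across the boundary: the operating system never sees "ALICE", only "dbsvc", so any OS-level audit of the file shows the server, not the person, and the database manager's own records are the only place the real requester is named. And the trust relationship runs one way: revoking the server's write right at the operating-system layer stops every insert regardless of what the database model says, while nothing the database model grants can create a file right the operating system has not given.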