OFFICIAL (ISC)2 GUIDE TO THE CISSP EXAM
AU1707_C02.fm Page 79 Tuesday, November 4, 2003 1:16 PM

Chapter 2
Security Architecture and Models

The Security Architecture and Models Domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of availability, integrity, and confidentiality.

One of the key aspects of being an information system security professional is to design and build a security infrastructure that meets current and future business needs. This chapter explains the key principles and concepts central to the security architecture of any organization. When coupled with the concepts covered in the other chapters (with particular emphasis on the telecommunications, cryptography, and access control modules), this chapter gives the CISSP the necessary breadth to address the challenges of developing a security architecture and the insight to evaluate the existing or legacy architecture of an organization.

The CISSP candidate should be able to:
- Identify the security issues and controls associated with architectures and designs.
- Describe the principles of common computer and network organization, architectures, and designs.
- Define security models in terms of confidentiality, integrity, and information flow.

This chapter is divided into five topic areas. The first section begins by defining the concept of a secure architecture. The Information Protection Environment section identifies the system architecture environment and outlines some of the factors associated with designing a secure architecture. The third section, Security Technology and Tools, provides an explanation of the types of controls available to designers developing a secure architecture. In addition, the concepts of security models are introduced to provide an overview of various security theories for designing a secure system. The final topics outline what organizations can do to ensure that security is a part of the architectural design, and several management controls are mentioned.

Introduction

Defining Security Architecture

Building an information system requires a balance among various requirements, such as capability, flexibility, performance, ease of use, cost, business requirements, and security. Security should be considered a requirement from the beginning; it is simply another feature that needs to be included. Attempting to retrofit the required and desired security controls after the fact can lead to user frustration, a lowered security posture, and significantly increased implementation costs. Based on the importance of each requirement, various trade-offs may be necessary during the design of the system. Thus, it is important to identify what security features must be included. Then, if a performance or flexibility requirement means downgrading or not including a security feature, the architecture designers can keep the primary goals of the system in check and make compromises on the nonessential points.

Security architecture is simply a view of an overall system architecture from a security perspective. It provides some insight into the security services, mechanisms, technologies, and features that can be used to satisfy system security requirements. It provides recommendations on where, within the context of the overall system architecture, security mechanisms should be placed. The security view of a system architecture focuses on the system security services and high-level mechanisms, the allocation of security-related functionality, and the identified interdependencies among security-related components, services, mechanisms, and technologies, while at the same time reconciling any conflicts among them. The security architecture is only one aspect of the enterprise or system architecture, which may also include network architecture or physical connectivity architecture.

Security architecture describes how the system is put together to satisfy the security requirements. It is not a description of the functions of the system; it is more of a design overview, describing at an abstract level the relationships between key elements of the hardware, operating systems, applications, network, and other required components to protect the organization's interests. It should also describe how the functions in the system development process follow the security requirements. For example, if the security requirements specify that the system must have a given level of assurance as to the correctness of the security controls, the security architecture must prescribe these specifications in the development process. Security requirements are not added steps to the development process; instead, the specifications or guidelines of the security architecture provide an influence during all development processes. During the beginning stages, the security architecture should outline high-level security issues, such as the system security policy, the level of assurance required, and any potential impacts security could have on the design process. As the system is developed, the security architecture should evolve in parallel, and may even need to be slightly ahead of the development process so that the security requirements will guide the development process.

2.1 Information Protection Requirements

The A-I-C Triad

The security architecture is designed so that the A-I-C goals of information security can meet the business and security needs of the organization. The goal is to think about security in the beginning stages and how it will affect the availability, integrity, and confidentiality requirements. The security architecture can guide the early decisions and avoid needing to correct or retrofit the system after development has been completed. Adding security after a system has been developed can significantly increase the costs, so security should be treated as an essential part of the system functionality. Thus, if security is to be included in the system, it should be considered in the beginning.

2.2 Information Protection Environment

It is important to think of the security architecture as including several underlying architectures. For example, there is the platform architecture of the computer hardware, and the software architecture that defines how an operating system will interact with the hardware components. Exhibit 1 represents the computer system layers. It begins with the end user at the top. The user interacts with data and the network resources through applications. The applications sit on top of the utilities and operating system. The operating system provides management of the computer hardware resources.

This section is divided according to these underlying architectures and provides a brief overview of how these individual architectures operate and how security can be affected by these elements. While the impact of the network is discussed in this chapter as it relates to the security architecture, the chapter on Telecommunications, Network, and Internet Security (Chapter 8) covers the elements related to controls and specific network threats. The approach in all the sections, except Security Models, is based on practical terms. Because the Security Models section explains the theory of some of the most common security models, the approach used there is more formal. The underlying architectures explained in this section include:
- Platform Architecture
- Network Environment
- Enterprise Architecture
- Security Models
- Protection Mechanisms

Before discussing the elements of the architecture, it is essential to point out how the architecture is related to the overall organization security policy. At the point of developing the components in the architecture or the specific elements within a given system, the overall security policy provides the framework the architecture will implement. Without an existing security policy, it is virtually impossible for personnel to address the organization's specific security goals. Consequently, if there is no organizational security policy, the system will not achieve the organizational security goals.

Security Policy
A security policy is a high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area.

Exhibit 1. Layered Approach (figure: End User; Application Programs; Utilities; Operating System, with the OS Kernel; Network; Computer Hardware)

Platform Architecture

The platform topic encompasses the computer and how it manages various system resources or system utilities. To explain this, the platform architecture section is separated into:
- Operating System Software and Utilities
- Central Processing Unit (CPU) States
- Memory Management Overview
- Input/Output Devices
- Storage Devices

Operating System Software and Utilities

The operating system (OS) software is the heart and soul of any computing platform. It is initially loaded into the computer by a boot program, which is the process of loading the operating system into the computer's main memory or random access memory (RAM). Note that on larger computer systems, such as mainframes, the boot sequence is referred to as the Initial Program Load (IPL). During the boot sequence, a small program is loaded into the memory that can, in turn, control the loading of the full operating system. Once the operating system is loaded, it controls various subsystems, such as software utilities, software applications, file systems, and access controls for users or other subsystems.

There are two primary objectives of the operating system. The first is to control the use of the system's resources. The operating system must share the computer's resources among a number of simultaneous users, or if the computer only has one user, it must share resources between multiple tasks. The second is to provide a convenient and easy-to-understand view or interface of the computer to its users (whether the users are people or programs), which is usually done through a graphical user interface (GUI).

The fundamental components of the computer operate based on the installed software. The first layer of software is the operating system (OS). The applications run on top of the OS software. The concept of layering is not unique to secure operating systems. Layering promotes a structured design, assisting in the achievement of some assurance goals. A layered OS has an internal structure resembling a stack of systems, each having an interface for use by the layers above and below.

Layers are hierarchical in nature. That is, the lower layers provide primitive functions while the higher layers use the primitive functions to provide more complex functions. The software and data in each layer know only their own data and the set of functions available for them to use. Layering constrains the functions in each layer, preventing any single layer from providing sufficient capabilities to be an operating system in itself.

Having a single security layer is difficult because each layer has its own set of objects requiring secure management. For security purposes, each layer should provide security features or implement access to a common set of security functions. Additionally, the security primitives should be placed in one of the lower levels, with additional security elements implemented at all layers.

For example, if unauthorized users were able to gain system privileges in the operating system layer, they might be able to change programs or files containing the control data for security mechanisms in the services and applications layers. Thus, when evaluating the security of the system, it is necessary to verify that the security mechanisms in any layer cannot be bypassed. The more complex the system becomes, the more difficult it is to perform the security check. A clear understanding of the security requirements at each level during the design phases assists in the development of tests to evaluate the resulting implementation. Ideally, the inner core of the system is structured simply enough to allow for a complete check that the security mechanisms cannot be circumvented. Another reason for putting security mechanisms in a lower layer is to increase the performance of the system. The performance is increased by putting the execution of the security elements lower in the operating system, with lower overhead within the operating system.

Three security technologies used by operating systems are the reference monitor, the security kernel, and the trusted computing base. More information on these tools is given in the Security Technology and Tools section.

Operating system services include items such as program creation, program execution, access to input/output devices, controlled access to files, system access, error detection and response, and accounting. As shown in Exhibit 2, the hardware resources controlled by the operating system include the CPU, memory, input/output (I/O) requests/devices, and storage devices.

Exhibit 2. Operating System (figure: Memory holding Operating System Software and Programs and Data; Processors; I/O Controllers; Storage holding OS, Programs, and Data)

In the early days, software programmers had to include information on how the hardware resources would handle resource usage requests. This left the resources in an idle state while waiting for the next input. To enhance the computer's capabilities, programmers began to write routines for handling the hardware and spooling systems for buffering input and output to the processor (via memory). A development of this is the concept of multitasking: several programs can coexist within the computer, each taking turns to use the processor. Because I/O devices are relatively slow, the requests can be stacked, which provides a more efficient use of the processor.

As part of the spooling system, input requests waiting for the processor are stored in some type of memory storage, usually Random Access Memory (RAM). RAM is considered volatile. That is, data stored in RAM is not permanently stored and is gone when the computer is turned off. The contents of RAM are necessary for the computer to process any data. The CPU receives instructions from RAM, uses the data in RAM for processing, and temporarily keeps the results of processing in RAM until they are needed again. Exhibit 3 provides an example.

The earliest programming system made available to the general user was the UNIVAC generalized programming (GP) for the UNIVAC I and UNIVAC II computers. It was an assembly language and in its early development it served as a pseudo operating system.

Exhibit 3. Memory Example (figure)
1. Request (System Call), such as accessing a document from the hard disk.
2. Document is retrieved from storage device and stored in RAM.
3. Request (System Call), such as printing a file.
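The layering argument in the Operating System Software and Utilities section above (put the security primitive in a low layer, then verify that no layer's mechanism can be bypassed), as an added example in Python that is not code from the Official Guide. The three layer classes, the "guest" and "hr" subjects, the payroll.txt file and its ACL are all constructed for the illustration; the `mediate` and `app_checks` switches only select which layer performs the check.

```python
# Added example, not from the Official Guide: a toy three-layer system showing why the
# chapter puts the access-check primitive in a low layer. Names, subjects, ACL: constructed.
class AccessDenied(PermissionError): pass

class Kernel:
    """Lowest layer: owns the files and, when mediate=True, the single access check."""
    def __init__(self, acl, files, mediate=True):
        self.acl, self.files = acl, files      # acl: file name -> subjects allowed to read
        self.mediate = mediate                 # False: kernel trusts upper layers to check
    def read(self, subject, name):
        # Every read path ends here, so when the check lives here no caller can skip it.
        if self.mediate and subject not in self.acl.get(name, set()):
            raise AccessDenied(f"{subject} may not read {name}")
        return self.files[name]

class Utilities:
    """Middle layer: composes kernel primitives and adds no policy of its own."""
    def __init__(self, kernel):
        self.kernel = kernel
    def cat(self, subject, name):
        return self.kernel.read(subject, name)

class Application:
    """Top layer. With app_checks=True the ACL test is done here instead of in the kernel."""
    def __init__(self, utils, app_checks=False):
        self.utils, self.app_checks = utils, app_checks
    def show(self, subject, name):
        if self.app_checks and subject not in self.utils.kernel.acl.get(name, set()):
            raise AccessDenied(f"{subject} may not read {name}")
        return self.utils.cat(subject, name)

def attempt(fn, *args):
    try:
        fn(*args)
        return "allow"
    except AccessDenied:
        return "deny"

def compare():
    """Outcome for unauthorized 'guest' entering at the top layer and entering one layer
    lower (as a caller that has reached the utility layer directly would)."""
    out = {}
    for design in ("kernel", "application"):
        kernel = Kernel({"payroll.txt": {"hr"}}, {"payroll.txt": "salary table"},
                        mediate=(design == "kernel"))
        utils = Utilities(kernel)
        app = Application(utils, app_checks=(design == "application"))
        out[design] = {"via_app": attempt(app.show, "guest", "payroll.txt"),
                       "via_utility": attempt(utils.cat, "guest", "payroll.txt")}
    return out
```

With the check in the kernel both entry points are denied; with the check only in the application layer, the lower entry point is not mediated at all, which is exactly the bypass the evaluation step in the text is meant to catch.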
