Hardened OS rated above C2
I am charged with moving our Web-based HR self-service to the Internet. HP has an OS version of HP-UX called Virtual Vault that we have been examining. It is supposedly rated B1(+) using orange book ratings. Does any other vendor like Sun, IBM, etc., market a hardened OS for their platforms that is rated above C2?
Yes, there are. Nearly every vendor has their own high-security version of
some operating system or other. Other operating systems have add-on
packages that provide enhanced security. There are even high-security
versions of Linux.

While it is nice to have an operating system that's been through
orange-book ratings, keep in mind that there's no such thing as an
orange-book rated Web server. The orange-book ratings all assume there is
no network attached to the computer. I know I'm being a stickler when I say
this, but the minute you put that Ethernet cable into the jack, you're no
longer B1.

All these systems give what are called "mandatory controls," as opposed to
"discretionary controls." Discretionary controls are ones that the users
(and sysadmins) can set up the way they want. Mandatory controls are
protections that the operating system enforces, ones that can't be changed
for love or money.

The government systems use mandatory controls to enforce (for example)
rules that state that an unclassified user can create but cannot read a
classified document, a classified user cannot create an unclassified
document, but can read one. These sorts of controls may, or may not, help
you set up an HR Web server.

Systems that have mandatory controls are more secure than systems with
discretionary controls. They're also harder to set up and more annoying to
use. If you set it up with the wrong policy, then you may end up with a
mandatorily-enforced insecure system. I don't know anyone who's ever set
one up without muttering a stream of choice Anglo-Saxon terms in the
process.

Think of it this way -- suppose you hired a guard for your house who made
sure that everyone who goes in and out has their bags searched and gets
patted down, no exceptions. It would make you far safer, but you're also
going to get irritated when you get patted down before and after stepping
out in your bathrobe and slippers just to get the Sunday paper. It may be
worth it, it may not. I can't make that decision, only you can. An HR Web
server that has access to sensitive employee data sounds to me like a fine
candidate for an ultra-secure server. The HP system is a good one. If you
already use HP-UX, it may do you good. If you're open to other options,
look around.
This was first published in October 2001
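
The create/read rules described in the answer above, as an added example that is not part of the original column and not any vendor's implementation: a minimal label check showing that the mandatory decision holds even when a document owner's discretionary ACL grants everything. The user names, documents, the two-level lattice and the function names are constructed for illustration; "create" here means writing a document at the given level.

```python
from dataclasses import dataclass, field

# Constructed labels: the column names only "unclassified" and "classified".
LEVELS = {"unclassified": 0, "classified": 1}

@dataclass
class Subject:
    name: str
    level: str

@dataclass
class Document:
    name: str
    level: str
    owner: str
    acl: dict = field(default_factory=dict)  # discretionary: user -> allowed ops

def dac_allows(subj, doc, op):
    """Discretionary check: the owner sets the ACL and can change it at will."""
    return subj.name == doc.owner or op in doc.acl.get(subj.name, set())

def mac_allows(subj, doc, op):
    """Mandatory check: a fixed label comparison that no user or ACL can edit."""
    s, d = LEVELS[subj.level], LEVELS[doc.level]
    if op == "read":
        return s >= d   # no reading above your own level
    if op == "create":
        return s <= d   # no creating below your own level
    return False        # unknown operations are denied

def access(subj, doc, op):
    """Grant only when both checks pass; the ACL cannot override the labels."""
    return mac_allows(subj, doc, op) and dac_allows(subj, doc, op)

def demo():
    clerk = Subject("clerk", "unclassified")
    officer = Subject("officer", "classified")
    # Both owners have (unwisely) granted the other user everything.
    memo = Document("memo", "unclassified", "clerk", {"officer": {"read", "create"}})
    salaries = Document("salaries", "classified", "officer", {"clerk": {"read", "create"}})
    return {
        "clerk read salaries": access(clerk, salaries, "read"),
        "clerk create salaries": access(clerk, salaries, "create"),
        "officer read memo": access(officer, memo, "read"),
        "officer create memo": access(officer, memo, "create"),
    }

if __name__ == "__main__":
    for request, granted in demo().items():
        print(f"{request}: {'granted' if granted else 'denied'}")
```

With discretionary controls alone, all four requests would be granted by the ACLs; the label check is what denies the read up and the create down.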