As technology has increased in complexity, so too have the approaches for securing it. The Certified Information Systems Security Professional (CISSP) Security Architecture and Design domain is another one of the many domains within the Common Body of Knowledge that has evolved greatly over the years.
In this spotlight article for the Security Architecture and Design domain, I will discuss how security is architected and designed into software and hardware tools and technologies, and then explain how products and methodologies are evaluated, rated and certified.
We will explore the following topics:
- Formal architecture: Conceptually understanding the structure and behavior of a complex entity is required before attempting to secure it. Architectures map a system's components, interactions and interdependencies in one cohesive model.
- System architecture: The structures of hardware and software components of common systems, and how security can be implemented.
- Security models: The symbolic representations of policy that map the objectives of the policy makers to a set of rules that software and systems must follow under various system conditions.
- System evaluation, certification and accreditation: Methods used to examine the security-relevant parts of a system (e.g., reference monitor, access control and kernel protection mechanisms), and how certification and accreditation are confirmed.
Formal architecture development was covered in the Information Security Governance and Risk Management domain in the context of organizational security programs and enterprise security frameworks. In this domain, the same type of approach to architecture is explored but in the context of system architecture.
An architecture is a tool used to conceptually understand the structure and behavior of a complex entity. An architecture description is a formal explanation and representation of a system, the components that make up the system, the interactions and interdependencies between those components, and the relationship to the environment.
About CISSP Essentials
SearchSecurity's CISSP Essentials series of CISSP certification training lessons offers a comprehensive introduction not only to the CISSP exam, but also to the knowledge needed to succeed in the information security profession. Each lesson, which contains a spotlight article, one or more video lectures and a practice quiz, corresponds to a specific domain in the CISSP exam's "Common Body of Knowledge" -- the essential elements each CISSP-certified practitioner must know. The series instructor is Shon Harris of Logical Security.
Conceptually, an architecture is at the highest level when it comes to the overall process of system development. It is at the architectural level that we are answering questions such as:
- Why are we building this system?
- Who is going to use it and why?
- How is it going to be used?
- What environment will it work within?
- What type of security and protection is required?
- What does it need to be able to communicate with?
The answers to these questions outline the main goals the system must achieve, and they help us construct the system at an abstract level. This abstract architecture provides "big picture" goals, which are used to guide the following design and development phases.
In the system design phase, system requirement specifications are gathered and modeling languages are used to establish how the system will accomplish design goals (e.g., required functionality, compatibility, fault tolerance, extensibility, security, usability and maintainability). The modeling language is commonly graphical to visualize the system from a static structural view and a dynamic behavioral view. This makes it easier to understand what the components within the system need to accomplish individually, as well as how they work together to accomplish larger, established architectural goals. In this phase, security models that help construct the design of the system to meet the architectural goals -- such as Bell-LaPadula, Biba, and Clark-Wilson -- are introduced.
There are evolving standards that outline the specifications of system architectures. First the Institute of Electrical and Electronics Engineers Inc. (IEEE) came up with a standard (1471) that was called IEEE Recommended Practice for Architectural Description of Software-Intensive Systems. This was adopted by the International Organization for Standardization (ISO) and published in 2007 as ISO/IEC 42010:2007. It was later updated and renamed ISO/IEC/IEEE 42011, Systems and software engineering -- Architecture description. The standard continues to evolve and improve; the goal is to internationally standardize how system architecture takes place instead of product developers just "winging it" and coming up with their own proprietary approaches. A disciplined approach to system architecture allows for better quality, interoperability, extensibility, portability and security.
Computer architecture encompasses all the parts of a computer system that are necessary for it to function, including the operating system, memory chips, logic circuits, storage devices, input and output devices, security components, buses and networking interfaces. The interrelationships and internal workings of all these parts can be quite complex; making them work together in a secure fashion requires complicated methods and mechanisms. The more you understand how these different pieces work and process data, the more you will understand how vulnerabilities actually occur and how countermeasures work to impede and hinder these threats from being introduced, found and exploited.
This section of the CISSP domain explores the components that make up computer systems and discusses how they must be handled to provide optimal security policy enforcement regardless of inputs, system run states or conditions. An overview on the basics of a central processing unit (CPU) explains how instructions and data are interpreted and computed. The CPU is the brain of a computer; in the most general description possible, it fetches instructions from memory and executes them. Although a CPU is a piece of hardware, it has its own instruction set that carries out its tasks. Each CPU type has a specific architecture and set of instructions it can carry out. The operating system must be designed to work within this CPU architecture. This is why one operating system may work on a Pentium Pro processor but not on an AMD processor. The operating system needs to know how to "speak the language" of the processor, which is the processor's instruction set.
In this domain, the core security architectures of CPUs are discussed, including protection rings and modes of computation. The architecture of the CPU dictates the ring-based structure that the system will work within. This ring-based approach provides a self-protection mechanism for the operating system software and the system overall. The protection rings provide an intermediate layer between processes and are used for access control (i.e., when one process tries to access another process or interact with system resources).
A specialized register is used as a memory area to store program status words (PSWs) -- these are condition bits used by the CPU. One of the bits indicates whether the CPU should be working in user mode or privileged mode (also called kernel or supervisor mode). If the PSW has a bit value that indicates the instructions must be carried out in privileged mode, it means a trusted process (an operating system process) made the request and can have access to the functionality that is not available in user mode.
The crux of this domain is to explore how an operating system protects itself from applications, software utilities and user activities to provide a stable and safe environment. One of these protection mechanisms is implemented through the use of these different execution modes.
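The mode-bit check described above, as an added example that is not code from the article: a toy CPU in Python (the instruction set, the `SYSCALL` gate and its single `write_device` service are all constructed) refuses privileged instructions unless the PSW mode bit is set to kernel mode, and the only route into kernel mode is a system-call gate that restores user mode on the way out.

```python
from enum import Enum

class Mode(Enum):
    USER = 0
    KERNEL = 1

class ProtectionFault(Exception):
    """Trap raised when user-mode code issues a privileged instruction."""

PRIVILEGED = {"HALT", "SET_MODE", "IO_OUT"}  # constructed instruction set

class ToyCPU:
    """The PSW mode bit gates privileged instructions. User code reaches them
    only through SYSCALL, which enters kernel mode, runs a trusted handler
    for a known service, and always returns to user mode."""
    SERVICES = {"write_device": "IO_OUT"}  # constructed syscall -> privileged op

    def __init__(self):
        self.psw_mode = Mode.USER
        self.trace = []  # (mode, instruction) pairs actually executed

    def execute(self, instr, arg=None):
        if instr == "SYSCALL":
            return self._syscall(arg)
        if instr in PRIVILEGED and self.psw_mode is not Mode.KERNEL:
            raise ProtectionFault(f"{instr} attempted in user mode")
        self.trace.append((self.psw_mode.name, instr))
        return True

    def _syscall(self, service):
        if service not in self.SERVICES:
            raise ValueError(f"unknown service {service!r}")  # checked before any mode switch
        saved, self.psw_mode = self.psw_mode, Mode.KERNEL
        try:
            return self.execute(self.SERVICES[service])
        finally:
            self.psw_mode = saved  # never leave the caller in kernel mode

def run_user_program() -> dict:
    """Constructed user program: direct I/O faults, the same I/O via SYSCALL succeeds."""
    cpu = ToyCPU()
    result = {"add": cpu.execute("ADD")}  # unprivileged instruction always runs
    try:
        cpu.execute("IO_OUT")
        result["direct_io"] = "allowed"
    except ProtectionFault:
        result["direct_io"] = "fault"
    result["syscall_io"] = cpu.execute("SYSCALL", "write_device")
    result["mode_after"] = cpu.psw_mode.name
    result["kernel_ran_io"] = ("KERNEL", "IO_OUT") in cpu.trace
    return result
```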
In the video that follows this article, the challenges of securing complex multitasking operating systems are explored, along with the common architectures operating systems are built upon. Execution domains and the relationships between processes and threads are reviewed in the context of information security.
Whereas the previous domains covered in our CISSP Essentials series focus on the physical and logical machine, this section explores how confidentiality, integrity and availability controls can be applied to the machine, and explains which components deserve the most attention. CISSP candidates must gain a clear understanding of the tradeoffs between levels of trust and assurance. Security mechanisms placed at the hardware, kernel, operating system, services or program layers are explored, along with the security of open (distributed) and closed (proprietary) systems.
This section also covers the concept of the trusted computing base or TCB, which is a collection of all the hardware, software and firmware components within a system that provide some type of security and enforce the system's security policy. These components can affect the system in a negative or positive manner, and each has a responsibility to support and enforce the security policy of that particular system. Concepts such as the security perimeter, reference monitor and its requirements, the security kernel, object domains, process isolation and data hiding are covered. These concepts are presented as a means by which security structures can be understood and therefore responsibly developed, implemented and maintained.
An important concept in the design and analysis of secure systems is the security model as it incorporates the security policy to be enforced in the system. A model is a symbolic representation of a policy; it maps the desires of the policymakers into a set of rules that a computer system must follow by specifying explicit data structures and techniques necessary to enforce the security policy. A security model is usually represented in mathematical and analytical ideas, which are then mapped to system specifications and developed by programmers through programming code.
This section of the domain explores different types of security models and the attributes and capabilities that distinguish them. The Basic Security Theorem -- which states that if a system initializes in a secure state and all state transitions are secure, then every subsequent state will be secure no matter what inputs occur -- is covered, as are four models, each of which has a unique focus and lends itself to use in certain systems for specific requirements:
- The Bell-LaPadula model is the first mathematical model of a multilevel security policy that defines the concept of a secure state and necessary modes of access. It ensures that information flows in a manner that does not violate the system policy and is confidentiality focused.
- The Biba model is a formal state transition model that describes a set of access control rules designed to ensure data integrity.
- The Clark-Wilson model is a model implemented to protect the integrity of data and ensure that properly formatted transactions take place.
- The Non-Interference model is a formal multilevel security model which states that commands and activities performed at one security level should not be seen by or affect subjects or objects at a different security level.
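The Bell-LaPadula and Biba rules and the Basic Security Theorem above, worked as an added example (not code from the article or from Shon Harris): a small Python state machine whose only transition is an access request, with constructed subjects, objects and labels. A request is granted only if the model's rule holds for it, so a system that starts with no accesses can never reach an insecure state.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, List, Set
class Level(IntEnum):  # constructed labels: higher = more sensitive (BLP) or more trusted (Biba)
    PUBLIC = 0
    SECRET = 1

@dataclass(frozen=True)
class Access:
    subject: str
    obj: str
    mode: str  # "read" or "write"

def blp_allows(subj: Level, obj: Level, mode: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up (simple security), no write down (*-property)."""
    return subj >= obj if mode == "read" else subj <= obj

def biba_allows(subj: Level, obj: Level, mode: str) -> bool:
    """Biba (integrity) is the dual: no read down, no write up."""
    return subj <= obj if mode == "read" else subj >= obj

@dataclass
class SecureSystem:
    """State = set of accesses currently held. A request is a state transition that is
    accepted only if the rule holds, so a system that starts secure stays secure."""
    rule: Callable[[Level, Level, str], bool]
    subjects: Dict[str, Level]
    objects: Dict[str, Level]
    state: Set[Access] = field(default_factory=set)
    def _check(self, a: Access) -> bool:
        if a.mode not in ("read", "write"):
            raise ValueError(a.mode)
        return self.rule(self.subjects[a.subject], self.objects[a.obj], a.mode)
    def is_secure(self) -> bool:
        return all(self._check(a) for a in self.state)
    def request(self, a: Access) -> bool:
        if not self._check(a):
            return False  # transition rejected; state unchanged
        self.state.add(a)
        return True

def demo(rule: Callable[[Level, Level, str], bool]) -> List[bool]:
    """Replay one constructed request sequence under a rule; returns the grant decisions."""
    system = SecureSystem(rule, {"alice": Level.SECRET, "bob": Level.PUBLIC},
                          {"plans": Level.SECRET, "bulletin": Level.PUBLIC})
    requests = [Access("alice", "bulletin", "read"), Access("alice", "bulletin", "write"),
                Access("bob", "plans", "read"), Access("bob", "plans", "write")]
    decisions = [system.request(r) for r in requests]
    assert system.is_secure()  # invariant: held accesses never violate the rule
    return decisions
```

Under Bell-LaPadula the sequence yields read-down and write-up granted, write-down and read-up refused; under Biba every decision flips, which is exactly the duality between the two models.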
Security modes, meanwhile, describe the security conditions under which a system functions. Systems can support one or more security modes, thus servicing one or more user security classification groups. This domain explores four modes and also introduces the concept of trust assurance. The level of trust is based on the performance of the TCB. The concepts of trust and assurance are contrasted, and the detrimental effects of complexity on assurance are also noted.
System evaluation methods
An assurance evaluation examines the security-relevant parts of a system, including the trusted computing base, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationships and interactions between these components are also evaluated. There are a couple of different methods of evaluating and assigning assurance levels to systems:
- The Trusted Computer System Evaluation Criteria (TCSEC), also referred to as the U.S. Orange Book, describes the specific criteria for several evaluation areas (security policy, identification, labels, documentation, accountability, lifecycle assurance and continuous protection), and the formal process of evaluation executed by the National Computer Security Center, which yields an evaluated product.
- The European community launched the Information Technology Security Evaluation Criteria (ITSEC). ITSEC looks primarily at functionality and assurance as two broad category areas with subheadings. The key difference between the U.S. and European approaches has to do with their rating schema. The European ITSEC applies a separate rating system for security functionality and for assurance whereas the U.S. TCSEC uses a single-rating system. The confusing relationship between the two is explored in depth.
- The Common Criteria global evaluation standard has its origins in independent global efforts, one based on U.S. standards and the other representing pan-European standards. The standard, which was established in 1990, is the global compromise standard that supersedes both TCSEC and ITSEC. It introduces the concept of protection profiles, which outline specific real-world needs in the industry.
The benefit of having a globally recognized and accepted set of criteria is that it helps consumers by reducing the complexity of the ratings and eliminating the need to understand the definitions and meanings of different ratings within various evaluation schemes. It also helps vendors because now they can build to one specific set of requirements to sell their products internationally instead of having to meet several different ratings.
For the CISSP exam, students will need to understand the different components of the Common Criteria, the evaluation process and the assurance levels. Security evaluation yields proof (or lack thereof) of security operational readiness. Confusing terms -- such as certification (expected vs. achieved readiness level) and accreditation (authorization to operate) -- are also contrasted.
The architecture of a computer system is important and comprises many topics. The system has to:
- Ensure that memory is properly segregated and protected,
- Ensure that only authorized subjects access objects,
- Ensure that untrusted processes cannot perform activities that would put other processes at risk,
- Control the flow of information, and
- Define a domain of resources for each subject.
A system must also ensure that if the computer experiences any type of disruption, it will not result in an insecure state. Many of these issues are dealt with in the system's security policy, and the security model is built to support the requirements of this policy. Once the security policy, model and architecture have been developed, the computer operating system or product must be built, tested, evaluated and rated.
While often overlooked in day-to-day enterprise security management, computer system architecture is a critical aspect to overall system security, and equally important to know for the CISSP exam.
CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as (ISC)2.