Tip

Security Models and Architecture

Written by Shon Harris; Published by McGraw-Hill/Osborne Media

This excerpt is from Chapter 5, Security Models and Architecture of CISSP All-in-One Exam Guide, Second Edition, written by Shon Harris and published

    Requires Free Membership to View

by McGraw-Hill/Osborne Media.


Computer and information security covers many areas within an enterprise. Each area has security vulnerabilities and, hopefully, some corresponding countermeasures that raise the security level and provide better protection. Not understanding the different areas and security levels of network devices, operating systems, hardware, protocols and applications can cause security vulnerabilities that can affect the environment as a whole.

Two fundamental concepts in computer and information security are the security model, which outlines how security is to be implemented -- in other words, providing a "blueprint" -- and the architecture of a computer system, which fulfills this blueprint.

A security policy outlines how data is accessed, what level of security is required and what actions should be taken when these requirements are not met. The policy outlines the expectations of a computer system or device. A security model is a statement that outlines the requirements necessary to properly support and implement a certain security policy. If a security policy dictates that all users must be identified, authenticated and authorized before accessing network resources, the security model might lay out an access control matrix that should be constructed so that it fulfills the requirements of the security policy. If a security policy states that no one from a lower security level should be able to view or modify information at a higher security level, the supporting security model will outline the necessary logic and rules that need to be implemented to ensure that under no circumstances can a lower-level subject access a higher-level object in an unauthorized manner. A security model provides a deeper explanation of how a computer operating system should be developed to properly support a specific security policy.

NOTE Individual systems and devices can have their own security policies. We are not talking about organizational security policies that contain management's directives. The systems' security policies and models they use should enforce the higher-level organizational security policy that is in place.

>> Read the rest of Chapter 5, Security Models and Architecture.


This was first published in July 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.