Advanced System Security Dr Wayne Summers Department of

  • Slides: 7
Download presentation
Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University Summers_wayne@colstate.

Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University Summers_wayne@colstate. edu http: //csc. colstate. edu/summers

Chapter 4: Security Policies ¨ A security policy is a statement that partitions the

Chapter 4: Security Policies ¨ A security policy is a statement that partitions the states of a system into a set of authorized, or secure, states and a set of unauthorized or nonsecure, states. ¨ A secure system is a system that starts in an authorized state and cannot enter an unauthorized state. ¨ A breach of security occurs when a system enters an unauthorized state. ¨ Information is confidential with respect to a set of entities if none of the entities can obtain any of the information. ¨ Information has the property of integrity with respect to a set of entities if all of the entities trust the information. 2

Security Policies ¨ Information has the property of availability with respect to a set

Security Policies ¨ Information has the property of availability with respect to a set of entities if all of the entities can access the information. ¨ A security mechanism is an entity or procedures that enforces some part of the security policy. ¨ A security model is a model that represents a particular policy or set of policies. 3

4. 2 Types of Security Policies ¨ A military security policy (governmental security policy)

4. 2 Types of Security Policies ¨ A military security policy (governmental security policy) is a security policy developed primarily to provide confidentiality. ¨ A commercial security policy is a security policy developed primarily to provide integrity. [transactionoriented integrity security policy] ¨ A confidentiality policy deals only with confidentiality. ¨ An integrity policy deals only with integrity. 4

4. 3 The Role of Trust ¨ “When someone understands the assumptions her security

4. 3 The Role of Trust ¨ “When someone understands the assumptions her security policies, mechanisms, and procedures rest on, she will have a good understanding of how effective those policies, mechanisms, and procedures are. ” ¨ Example: what really happens when you install a “security” patch? 5

4. 4 Types of Access Control ¨ Discretionary access control (DAC) [identity-based access control

4. 4 Types of Access Control ¨ Discretionary access control (DAC) [identity-based access control (IBAC)] – user can set an access control mechanism to allow or deny access to an object ¨ Mandatory access control (MAC) [rule-based access control] – system mechanism controls access to an object and an individual cannot alter that access. ¨ An originator controlled access control (ORCON, ORGCON) bases access on the creator of an object (or the information it contains). 6

4. 5 Example: Academic Computer Security Policy ¨ General University Policy (Acceptable Use Policy

4. 5 Example: Academic Computer Security Policy ¨ General University Policy (Acceptable Use Policy (AUP) ¨ Electronic Mail Policy – Summary – Full Policy – Implementation ¨ See Chapter 35 7

MAKE THIS SUMMERS STAFF Into next summers leadershipMAKE THIS SUMMERS STAFF Into next summers leadership
Lola Summers Lola Summers SHE HE IT WELola Summers Lola Summers SHE HE IT WE
Ch 12 Authentication Dr Wayne Summers Department ofCh 12 Authentication Dr Wayne Summers Department of
Integrity Policies Dr Wayne Summers Department of ComputerIntegrity Policies Dr Wayne Summers Department of Computer
Chapter 23 Vulnerability Analysis Dr Wayne Summers DepartmentChapter 23 Vulnerability Analysis Dr Wayne Summers Department
Chapter 21 Evaluating Systems Dr Wayne Summers DepartmentChapter 21 Evaluating Systems Dr Wayne Summers Department