Resource summary
U4. Security Models & Policy
- Policy
- Policy = captures the requirements and describes the steps to be taken to achieve security
- Organisational Security Policy
- Rules that regulate how an organisation manages security
- Must be well defined
- Automated Security Policy
- Restrictions & properties that specify how a computing system prevents violations of the organisational security policy
- Models
- Models = an 'idealised' implementation of an organisation's security policy.
- Models enforce the Access Control Structure policy and ensure "need to know"
- Models allow formal validation of your implementation against the security policy. Benchmarking
- Can be used to illustrate the Fundamental Design Principles
- State Machine Model (automaton)
- An abstract model that records relevant features of a system (i.e. its security) at a particular point in time
- A state may change to another state at some later point in time, triggered possibly by a clock or some input event
- Movement from one state to another is known as a transition
- The more states you try to capture, the more complicated the model will become (more difficult to analyse).
- Basic Security Theorem
- If we can do these 3 things then we know that 'security' is preserved by all transitions and so the system will always be secure
- 1. Define the State Set so that it captures some aspect of 'security'
- 2. Check that every state transition that begins in a 'secure' state ends in a 'secure' state
- 3. Check that the initial state of the system is 'secure'.
- Ensure you define what "secure" is!
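
The three checks of the Basic Security Theorem, carried out exhaustively on a small state machine (added example, not part of the original notes). The one-subject system, the object labels, the clearance-based definition of 'secure' and all function names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed toy system (an assumption, not from the notes): one subject with
# clearance 0 or 1, and two objects labelled with a classification level.
OBJECTS = {"memo": 0, "plan": 1}

def all_states():
    """Step 1: a state is (clearance, set of objects the subject has open)."""
    subsets = [frozenset(c) for r in range(len(OBJECTS) + 1)
               for c in combinations(sorted(OBJECTS), r)]
    return [(level, s) for level in (0, 1) for s in subsets]

def is_secure(state):
    """The chosen definition of 'secure': nothing open is above the clearance."""
    clearance, opened = state
    return all(OBJECTS[o] <= clearance for o in opened)

def open_obj(state, obj):
    clearance, opened = state
    if OBJECTS[obj] <= clearance:        # access check before granting
        return (clearance, opened | {obj})
    return state                         # denied: state unchanged

def close_obj(state, obj):
    return (state[0], state[1] - {obj})

def raise_level(state, _obj):
    return (1, state[1])

def lower_naive(state, _obj):
    return (0, state[1])                 # forgets to revoke open objects

def lower_fixed(state, _obj):
    return (0, frozenset(o for o in state[1] if OBJECTS[o] == 0))

def check_theorem(initial, transitions):
    """Steps 2 and 3: returns (initial_is_secure, set of violating transitions)."""
    bad = set()
    for state in filter(is_secure, all_states()):
        for fn in transitions:
            for obj in OBJECTS:
                if not is_secure(nxt := fn(state, obj)):
                    bad.add((state, fn.__name__, nxt))
    return is_secure(initial), bad

if __name__ == "__main__":
    base = [open_obj, close_obj, raise_level]
    print(check_theorem((0, frozenset()), base + [lower_naive]))
    print(check_theorem((0, frozenset()), base + [lower_fixed]))
```

With lower_naive the check reports two transitions that leave a secure state for an insecure one; with lower_fixed it reports none.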