840 likes | 850 Views
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011. Security Architecture and Design. Domain Agenda. System and Components Security Architectural Security Concepts and Models Information Systems Evaluation Models. Domain Agenda. System and Components Security
E N D
Dr. Bhavani ThuraisinghamThe University of Texas at Dallas (UTD)June 2011 Security Architecture and Design
Domain Agenda • System and Components Security • Architectural Security Concepts and Models • Information Systems Evaluation Models
Domain Agenda • System and Components Security • Architectural Concepts and Definitions • Architectural Security Concepts and Models • Information Systems Evaluation Models
Common Security Architecture Terms • Information Security Management System • Information Security Architecture • Best Practice • Architecture • Blueprint • Framework • Infrastructure
Objectives of EnterpriseSecurity Architecture • Guidance • Strategically aligned business and security decisions • Provide security-related guidance • Apply security best practices • Define security zones
Benefits of an EnterpriseSecurity Architecture • Consistently manage risk • Reduce the costs of managing risk • Accurate security-related decisions • Promote interoperability, integration and ease-of-access • Provide a frame of reference
Characteristics of a GoodSecurity Architecture • Strategic • Holistic • Multiple implementations
Effects of Poor Architectural Planning • Inability to efficiently support new business services • Unidentified security vulnerabilities • Increased frequency and visibility of security breaches • Poorly understood or coordinated compliance requirements • Poor understanding of security goals and objectives
Enterprise SecurityArchitecture Components • Common Architecture Language • Architecture Model • Zachman Framework
Zachman Framework • Complete overview of IT business alignment • Two-dimensional • Intent • Scope • Principles
SABSA • What are the business requirements? • Contextual • Conceptual • Logical • Physical • Component
ISO 7498-2 • OSI second part • About secure communications • NOT an implementation
ISO/IEC 4010:2007 • Systems and software engineering • Practice for architectural description of software-intensive systems
The Open GroupArchitecture Framework • Governance • Business • Application • Data • Technology
Department of DefenseArchitecture Framework • OMB A-130 requirement • All view • Operational view • Systems view • Technical standards view
Which Framework is Right? • Starting place • Culture • Template
System and Component Security • Components that provide basic security services • Hardware components • Software components
CPU and Processor Privilege States • Supervisor state • Problem state
CPU Process States • Running • Ready • Blocked • Masked/interruptible
Common ComputerArchitecture Layers • Application programs • Utilities • Operating system • Computer hardware
Common Computer Architecture • Program execution • Access to input/output devices • Controlled access to files and data • Error detection and response • Accounting and tracking • Access for maintenance and troubleshooting
Hardware: Computers • Mainframe • Minicomputer • Desktop / server • Laptop / notebook • Embedded
Hardware: Communication Devices • Modem • Network Interface Card (NIC)
Hardware: Printers • Network-aware • More than output device • Full operating systems
Hardware: Wireless • Network interface card • Access point • Ethernet bridge • Router • Range extender
Input/Output (I/O) Devices • I/O Controller • Managing memory • Hardware • Operating system
Firmware: Pre-programmed Chips • ROMs (Read-only memory) • PROMs (Programmable read-only memory) • EPROMs (Erasable, programmable, read-only memory) • EEPROMs (Electrically erasable, programmable, read-only memory • Field Programmable Gate Arrays (FPGAs) • Flash chips
Software: Operating System • Hardware control • Hardware abstraction • Resource manager
CPU and OS Support for Applications • Applications were originally self-contained • OS capable of accommodating more than one application at a time
CPU and OS Support for Applications - Today • Today’s applications are portable • Execute multiple process threads • Threads
Operating Systems Support for Applications • Multi-tasking • Multi-programming • Multi-processing • Multi-processor • Multi-core
Software: Vendor • Commercial off the shelf (COTS) • Function first • Evaluation
Software: Custom • Minimal scripting • Business application • System life cycle
Software: Customer-relationship Management Systems • Business to customer interactions • Tracking habits
Systems Architecture Approaches • Open • Closed • Dedicated • Single level • Multi-level • Embedded
Architectures: Middleware • Interoperability • Post implementation • Distributed
Types of System Memory Resources • CPU registers • Cache • Main memory • Swap space • Disk storage
Requirements forMemory Management • Relocation • Protection • Sharing
Three Types of Memory Addressing • Logical • Relative • Physical
Memory Protection Benefits • Memory reference • Different data classes • Users can share access • Users cannot generate addresses
Virtual Memory • Extends apparent memory • Paging includes • Splitting physical memory • Splitting programs (processes) • Allocating the required number page frames • Swapping
Virtual Machines • Mimic the architecture of the actual system • Provided by the operating system
Domain Agenda • System and Components Security • Architectural Security Concepts and Models • Information Systems Evaluation Models
Ring Protection 0. O/S Kernel • I/O • Utilities • User Apps
Layering and Data Hiding • Layering • Data Hiding
Privilege Levels • Identifying, authenticating and authorizing subjects • Subjects of higher trust • Subjects with lower trust
Process Isolation • Object’s integrity • Prevents interaction • Independent states • Process isolation method
Security Architecture • Security critical components of the system • Trusted Computing Base • Reference Monitor and Security Kernel • Security Perimeter • Security Policy • Least Privilege
Trusted Computing Base (TCB) • Trusted Computing Base • Hardware • Firmware • Software • Processes • Inter-process communications • Simple and Testable
Trusted Computing Base (TCB) • Enforces security policy • Monitors four basic functions • Process activation • Execution domain switching • Memory protection • Input/output operations