Architecture for IT Security
The Open Security Architecture organization outlines IT security planning as "the design methods that describe how the security controls are deployed effectively, and how they blend with the overall information technology architecture. These controls serve the purpose to maintain the system's quality elements: confidentiality, integrity, availability, accountability and assurance services."
Key attributes of security architecture:
- The relationship of different computer & networked components and how they rely on each other.
- The determination of controls based on risk assessment, good practice, contingency plans, finances, and legal protections.
- The standardization of controls.
Hardware protection mechanisms
While hardware may be a source of insecurity, such as microchip weaknesses maliciously introduced during the manufacturing process itself, hardware-based or hardware-assisted computer security also offers an alternative to software-only computer security. Devices and security measures such as dongles, disabled USB ports, trusted platform modules, intrusion-aware cases, drive locks, and mobile-enabled access may be considered more secure because physical access is required to compromise them. Each of these is described in more detail below.
USB dongles are typically used in software licensing schemes to unlock software capabilities, but they can also be seen as a way to prevent unauthorized access to a computer. The dongle, or key, essentially creates a secure encrypted tunnel between the software application and the key itself. Using an encryption scheme on the dongle, such as the Advanced Encryption Standard (AES), provides a stronger measure of security, since it is harder to hack and replicate the dongle than to simply copy the native software to another machine and use it there. Another security application for dongles is to use them for accessing web-based content such as cloud software or Virtual Private Networks. A USB dongle can also be configured to lock or unlock a computer system.
Trusted platform modules (TPMs) secure devices by integrating cryptographic capabilities onto access devices, through the use of microprocessors, or so-called computers-on-a-chip. TPMs used in conjunction with server-side software offer a way to detect and authenticate hardware devices, preventing unauthorized network and data access.
Computer case intrusion detection refers to a push-button switch which is triggered when a computer case is opened. The firmware or BIOS is programmed to show an alert to the operator the next time the computer is booted.
Drive locks are essentially software tools that encrypt hard drives, making them inaccessible to thieves. Tools exist specifically for encrypting external drives as well.
Disabling USB ports is a good security option for avoiding unauthorized and malicious access to a secure computer. Infected USB dongles connected to a network from a computer inside the firewall are considered by Network World to be the most common hardware threat facing computer networks.
Mobile-enabled access devices are growing in popularity due to the global nature of cell phones. Built-in capabilities such as Bluetooth, the newer Bluetooth Low Energy (LE), Near Field Communication (NFC) on non-iOS devices, biometric validation such as thumbprint readers, and QR code reader software designed for mobile devices offer new, secure ways for mobile phones to connect to access control systems. These control systems provide computer security and can also be used for controlling access to secure buildings.
Secure operating systems
Ultra-strong secure operating systems are based on operating system kernel technology that can guarantee that certain security policies are absolutely enforced in an operating environment. Such a strategy is based on coupling special microprocessor hardware features, often involving the memory management unit, to a special, correctly implemented operating system kernel. This forms the foundation for a secure operating system which, if certain critical parts are designed and implemented appropriately, can confirm the absolute impossibility of penetration by hostile elements. This capability is enabled because the configuration not only imposes a security policy, but in theory completely protects itself from corruption. Ordinary operating systems, on the other hand, lack the features that assure this maximal level of security. The design methodology used to produce such secure systems is precise, deterministic and logical.
Secure operating systems designed this way are used mostly to protect national security information, military secrets, and the data of international financial institutions. These are very powerful security tools, and very few secure operating systems have been certified at the highest level, to operate over the range of "Top Secret" to "unclassified". The assurance of security depends not only on the reliability of the design policy, but also on the assurance of correctness of the implementation, and therefore there are degrees of security strength defined for COMPUSEC. The Common Criteria quantifies the security strength of products in terms of two components, security functionality and assurance level (such as EAL levels), and these are specified in a Protection Profile for requirements and a Security Target for product descriptions. No ultra-high-assurance secure general-purpose operating systems of this kind have been produced for decades or certified under the Common Criteria.
Secure coding
If the operating environment is not based on a secure operating system capable of maintaining a domain for its own execution, of protecting application code from malicious subversion, and of protecting the system from subverted code, then high degrees of security are understandably not possible. While such secure operating systems are possible and have been implemented, most commercial systems fall into a 'low security' category because they rely on features not supported by secure operating systems. In low security operating environments, applications must be relied upon to participate in their own protection. There are 'best effort' secure coding practices that can be followed to make an application more resistant to malicious subversion.
In commercial environments, the majority of software subversion weaknesses result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection. These defects can be used to cause the target system to execute what is supposedly data. However, the "data" contain executable instructions, allowing the attacker to gain control of the processor.
Some common languages such as C and C++ are vulnerable to all of these. Other languages, such as Java, are more resistant to some of these defects, but are still prone to code/command injection and other software defects which facilitate subversion.
Another bad coding practice occurs when an object is deleted during normal operation yet the program neglects to update the associated memory pointers, potentially causing system instability when that location is referenced again. This is called a dangling pointer.
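The 'best effort' secure coding practices described above, shown as an added example (not code from the original article): each routine below implements the defensive check that closes one of the defect classes just listed, in C, the language in which all of them are easiest to introduce. The function names (bounded_copy, checked_mul, render_message, release) and the demo_* self-checks are assumptions for illustration; the checks themselves are standard practice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Buffer overflow: copy only when the source, including its NUL, fits the destination.
   Returns 0 on success, -1 when the copy is refused. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Integer overflow: multiply two sizes (e.g. element count * element size before malloc)
   and refuse the result if it would wrap. Returns 1 on success, 0 on overflow. */
int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Format string: user-controlled text is always passed as an argument to a fixed
   format, never used as the format itself, so "%n" or "%x" in it stays literal text.
   Returns 0 on success, -1 if the output was truncated. */
int render_message(char *out, size_t out_size, const char *user_text) {
    int n = snprintf(out, out_size, "%s", user_text);
    return (n >= 0 && (size_t)n < out_size) ? 0 : -1;
}

/* Dangling pointer: free through a pointer-to-pointer so the caller's variable is
   reset to NULL and any later use faults predictably instead of touching freed memory. */
void release(char **p) {
    free(*p);
    *p = NULL;
}

/* Self-checks: each returns 1 when the defensive routine behaves as intended. */
int demo_bounded_copy(void) {
    char buf[8];                                   /* room for 7 characters plus NUL */
    return bounded_copy(buf, sizeof buf, "0123456789") == -1   /* 10 chars: refused */
        && bounded_copy(buf, sizeof buf, "0123456") == 0       /* 7 chars: accepted */
        && strcmp(buf, "0123456") == 0;
}

int demo_checked_mul(void) {
    size_t out = 0;
    return checked_mul(SIZE_MAX / 2 + 1, 2, &out) == 0   /* would wrap: refused */
        && checked_mul(1000, 8, &out) == 1 && out == 8000;
}

int demo_render_message(void) {
    char out[32];
    /* Constructed hostile-looking input; it must come out as plain text. */
    return render_message(out, sizeof out, "100%n%x") == 0 && strcmp(out, "100%n%x") == 0;
}

int demo_release(void) {
    char *p = malloc(16);
    if (p == NULL) return 0;
    release(&p);
    return p == NULL;                              /* no dangling reference remains */
}

int main(void) {
    printf("bounded_copy   %s\n", demo_bounded_copy()   ? "ok" : "FAIL");
    printf("checked_mul    %s\n", demo_checked_mul()    ? "ok" : "FAIL");
    printf("render_message %s\n", demo_render_message() ? "ok" : "FAIL");
    printf("release        %s\n", demo_release()        ? "ok" : "FAIL");
    return 0;
}
```

Each check is cheap and local, which is the point of 'best effort' hardening in an environment where the operating system does not isolate the application: the application has to refuse the malformed input or the unsafe arithmetic itself, before the data reaches memory it could corrupt.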
Capabilities and access control lists
Within computer systems, two of the many security models capable of enforcing privilege separation are access control lists (ACLs) and capability-based security. Using ACLs to confine programs has been proven to be insecure in many circumstances, such as when the host computer can be tricked into indirectly allowing restricted file access, an issue known as the confused deputy problem. It has also been shown that the promise of ACLs to give access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities. This does not mean practical flaws exist in all ACL-based systems, only that the designers of certain utilities must take responsibility for ensuring that they do not introduce such flaws.
Capabilities have been mostly restricted to research operating systems, while commercial operating systems still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design.
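The confused deputy problem contrasted with a capability design, as an added example that is not part of the original article. It is a constructed in-memory model, not an operating system: three named "files", an ACL table indexed by file and subject, and a deputy service that writes output on a user's behalf. The subject names, file names, the grant() and cap_write() routines and the token scheme are all assumptions for illustration; the "unforgeable" token is simulated with a constant the model treats as kernel-held.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: three files, two subjects. */
enum { N_FILES = 3, SUBJ_USER = 0, SUBJ_DEPUTY = 1 };
static const char *file_names[N_FILES] = { "user_output.txt", "billing.log", "deputy_stats.txt" };

/* ACL: acl[file][subject] is 1 when that subject may write that file. */
static const int acl[N_FILES][2] = {
    { 1, 1 },   /* user_output.txt: user and deputy */
    { 0, 1 },   /* billing.log:     deputy only (its own audit log) */
    { 0, 1 },   /* deputy_stats.txt: deputy only */
};

static int lookup(const char *name) {
    for (int i = 0; i < N_FILES; i++)
        if (strcmp(file_names[i], name) == 0) return i;
    return -1;
}

/* ACL model: the decision depends on WHO performs the write. */
int acl_write(int subject, const char *name) {
    int f = lookup(name);
    return f >= 0 && acl[f][subject];
}

/* ACL-style deputy: the user names an output path and the deputy writes it with the
   deputy's own rights. Nothing records that the request came from the user. */
int deputy_acl(const char *user_chosen_path) {
    return acl_write(SUBJ_DEPUTY, user_chosen_path);
}

/* Capability model: a write capability designates one file and carries the authority
   to write it. In a real system the kernel keeps it unforgeable; here a constant
   secret (constructed) stands in for that property. */
typedef struct { int file; unsigned secret; } write_cap;
static const unsigned issuer_secret = 0x5EC2E7u;

/* grant(): a subject can only obtain a capability for a file it is allowed to write. */
int grant(int subject, const char *name, write_cap *out) {
    int f = lookup(name);
    if (f < 0 || !acl[f][subject]) return 0;
    out->file = f;
    out->secret = issuer_secret ^ (unsigned)f;
    return 1;
}

/* The write itself checks only the capability, not the caller's identity. */
int cap_write(const write_cap *c) {
    return c->file >= 0 && c->file < N_FILES && c->secret == (issuer_secret ^ (unsigned)c->file);
}

/* Capability-style deputy: it writes only where the user's capability points.
   The user cannot hand over authority it never held. */
int deputy_cap(const write_cap *from_user) {
    return cap_write(from_user);
}

/* Scenario: the user asks the deputy to put its output in billing.log. */
int scenario_acl(void) {                 /* returns 1: the deputy is confused and obeys */
    return deputy_acl("billing.log");
}

int scenario_caps(void) {                /* returns 0: the user never gets a capability */
    write_cap c;
    if (!grant(SUBJ_USER, "billing.log", &c)) return 0;
    return deputy_cap(&c);
}

int scenario_caps_legitimate(void) {     /* returns 1: normal use still works */
    write_cap c;
    return grant(SUBJ_USER, "user_output.txt", &c) && deputy_cap(&c);
}

int main(void) {
    printf("ACL deputy writes billing.log for user:  %d (1 = confused deputy)\n", scenario_acl());
    printf("Cap deputy writes billing.log for user:  %d (0 = blocked)\n", scenario_caps());
    printf("Cap deputy writes user_output.txt:       %d (1 = allowed)\n", scenario_caps_legitimate());
    return 0;
}
```

The difference is where authority travels: under the ACL the deputy's ambient rights apply to whatever name it is given, so the name is the attack surface; under capabilities the request carries exactly the authority the requester already held, so there is no way to name a file one cannot write.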
The most secure computers are those not connected to the Internet and shielded from any intrusion. In the real world, the most secure systems are operating systems where security is not an add-on.