C. Floppy disks are easily removed and it is often not possible to apply operating system access

Controls

We introduced the concept of security controls in Chapter 1, “Accountability and Access Control.” To ensure the security of a system, you need to allow subjects to access only authorized objects. A control uses access rules to limit the access by a subject to an object. Access rules state which objects are valid for each subject. Further, an object might be valid for one type of access and be invalid for another type of access. One common control is for file access. A file can be protected from modification by making it read-only for most users but read-write for a small set of users who have the authority to modify it.

Recall from Chapter 1 that there are both mandatory and discretionary access controls, often called MAC and DAC, respectively. With mandatory controls, static attributes of the subject and the object are considered to determine the permissibility of an access. Each subject possesses attributes that define its clearance, or authority to access resources. Each object possesses attributes that define its classification. Different types of security methods classify resources in different ways. For example, subject A is granted access to object B if the security system can find a rule that allows a subject with subject A’s clearance to access an object with object B’s classification. This is called rule-based access control. The predefined rules state which subjects can access which objects.

Discretionary controls differ from mandatory controls in that the subject has some ability to define the objects to access. Within limits, discretionary access controls allow the subject to define a list of objects to access as needed. This access control list, often called an ACL, serves as a dynamic access rule set that the subject can modify. The constraints imposed on the modifications often relate to the subject’s identity. Based on the identity, the subject may be allowed to add or modify the rules that define access to objects.
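The following Python program is an added illustration of the two controls described above; it is not code from the book. It assumes a four-level classification scheme, a mandatory rule set that permits access only when the subject's clearance dominates the object's classification, and a discretionary ACL that only the object's owner may modify. Both controls are consulted on every access, so either one alone can deny it.

```python
"""Added example: a mandatory (rule-based) check combined with a
discretionary ACL check.  All names, levels and rules are assumed."""
from dataclasses import dataclass, field

# Assumed ordered classification scheme (not from the book).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Mandatory rule set: a subject with clearance C may access an object of
# classification K when C dominates K.  Built once; subjects cannot change it.
RULES = {(c, k) for c in LEVELS for k in LEVELS if LEVELS[c] >= LEVELS[k]}


@dataclass
class Subject:
    name: str
    clearance: str  # static attribute consulted by the mandatory control


@dataclass
class Object:
    name: str
    classification: str  # static attribute consulted by the mandatory control
    owner: str           # identity that may modify the discretionary ACL
    # Discretionary ACL: principal name (or "*" for everyone) -> allowed modes
    acl: dict = field(default_factory=dict)


def mac_permits(subject: Subject, obj: Object) -> bool:
    """Rule-based check: is there a predefined rule for this (clearance,
    classification) pair?  No matching rule means no access."""
    return (subject.clearance, obj.classification) in RULES


def dac_permits(subject: Subject, obj: Object, mode: str) -> bool:
    """ACL check: the mode is granted to the subject by name or via "*"."""
    modes = obj.acl.get(subject.name, set()) | obj.acl.get("*", set())
    return mode in modes


def access_allowed(subject: Subject, obj: Object, mode: str) -> bool:
    """Both controls must agree; either one alone can deny."""
    return mac_permits(subject, obj) and dac_permits(subject, obj, mode)


def grant(actor: Subject, obj: Object, grantee: str, mode: str) -> None:
    """Discretionary modification of the ACL, constrained by identity:
    only the object's owner may add entries."""
    if actor.name != obj.owner:
        raise PermissionError(f"{actor.name} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(mode)


def demo() -> dict:
    """Constructed scenario: a secret file that is read-only for most users
    and read-write for its owner.  Returns each decision for inspection."""
    alice = Subject("alice", "top_secret")
    bob = Subject("bob", "confidential")
    carol = Subject("carol", "secret")
    report = Object("report.txt", "secret", owner="alice",
                    acl={"*": {"read"}, "alice": {"read", "write"}})
    results = {
        "bob_read": access_allowed(bob, report, "read"),        # MAC denies
        "alice_write": access_allowed(alice, report, "write"),  # both allow
        "carol_read": access_allowed(carol, report, "read"),    # "*" entry
        "carol_write_before": access_allowed(carol, report, "write"),  # DAC denies
    }
    try:
        grant(bob, report, "bob", "write")  # bob is not the owner
        results["bob_grant"] = "allowed"
    except PermissionError:
        results["bob_grant"] = "denied"
    grant(alice, report, "carol", "write")  # the owner extends the ACL
    results["carol_write_after"] = access_allowed(carol, report, "write")
    return results


if __name__ == "__main__":
    for decision, outcome in demo().items():
        print(f"{decision}: {outcome}")
```

Note that extending the ACL does nothing for a subject whose clearance does not satisfy a mandatory rule: the owner could add an entry for bob, but `mac_permits` would still reject him because no rule pairs a confidential clearance with a secret object.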
Both mandatory and discretionary access controls limit the access to objects by subjects. The primary goals of controls are to ensure the confidentiality and integrity of data by disallowing unauthorized access by authorized or unauthorized subjects.

Trust and Assurance

Proper security concepts, controls, and mechanisms must be integrated before and during the design and architectural period in order to produce a reliably secure product. Security issues should not be added on as an afterthought; this causes oversights, increased costs, and less reliability. Once security is integrated into the design, it must be engineered, implemented, tested, audited, evaluated, certified, and finally accredited.

A trusted system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment. Assurance is simply defined as the degree of confidence in satisfaction of security needs. Assurance must be continually maintained, updated, and reverified. This is true whether the trusted system experiences a known change or a significant amount of time has passed. In either case, change has occurred at some level. Change is often the antithesis of security; it often diminishes security. So, whenever change occurs, the system needs to be reevaluated to verify that the level of security it provided previously is still intact. Assurance varies from one system to another and must be established on individual systems. However, there are grades or levels of assurance that can be placed across numerous systems of the same type, systems that support the same services, or systems that are deployed in the same geographic location.
Understanding System Security Evaluation

Those who purchase information systems for certain kinds of applications (think, for example, about national security agencies, where sensitive information may be extremely valuable or dangerous in the wrong hands, or central banks or securities traders, where certain data may be worth billions of dollars) often want to understand their security strengths and weaknesses. Such buyers are often willing to consider only systems that have been subjected to formal evaluation processes in advance and received some kind of security rating, so that they know what they’re buying and, usually, also what steps they must take to keep such systems as secure as possible.

When formal evaluations are undertaken, systems are usually subjected to a two-step process. In the first step, a system is tested and a technical evaluation is performed to make sure that the system’s security capabilities meet criteria laid out for its intended use. In the second step, the system is subjected to a formal comparison of its design and security criteria against its actual capabilities and performance, and individuals responsible for the security and veracity of such systems must decide whether to adopt them, reject them, or make some changes to their criteria and try again. Very often, in fact, trusted third parties, such as TruSecure Corporation, well known for its security testing laboratories, are hired to perform such evaluations; the most important result from such testing is their “seal of approval” that the system meets all essential criteria. Whether the evaluations are conducted inside an organization or out of house, the adopting organization must decide to accept or reject the proposed systems. An organization’s management must take formal responsibility if and when systems are adopted and be willing to accept any risks associated with their deployment and use.
Rainbow Series

Since the 1980s, governments, agencies, institutions, and business organizations of all kinds have had to face the risks involved in adopting and using information systems. This led to a historical series of information security standards that attempted to specify minimum acceptable security criteria for various categories of use. Such categories were important as purchasers attempted to obtain and deploy systems that would protect and preserve their contents or that would meet various mandated security requirements, such as those that contractors must routinely meet to conduct business with the government. The first such set of standards resulted in the creation of the Trusted Computer System Evaluation Criteria in the 1980s, as the U.S. Department of Defense (DoD) worked to develop and impose security standards for the systems it purchased and used. In turn, this led to a whole series of such publications through the mid-1990s. Since these publications were routinely identified by the color of their covers, they are known collectively as the “rainbow series.”

Following in the DoD’s footsteps, other governments or standards bodies created computer security standards that built and improved on the rainbow series elements. Significant standards in this group include a European model called the Information Technology Security Evaluation Criteria (ITSEC), which was developed in 1999 and used through 1998. They also include the so-called Common Criteria, adopted by the U.S., Canada, France, Germany, and the U.K. in 1998, but more formally known as the “Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security.” Both of these standards will be discussed in later sections as well.