Security Architecture and Design using CISSP guidelines, hardware and software security, kernel, virtualization, security models, ring model, security domains, BellLaPadula model, Biba model, Reading up and Writing down, Reading down and Writing up
2. Security architecture is a unified security design that addresses the necessities and
potential risks involved in a certain scenario or environment. It also specifies when and
where to apply security controls.
As described in the CISSP Study Guide, Security Architecture and Design describes
fundamental logical hardware, operating system, and software security components,
and how to use those components to design, architect, and evaluate secure computer
systems.
It is further divided into three areas, which cover:
1. The hardware and software requirements to have a secure computer system.
2. The logical models required to keep the system secure
3. The evaluation models that quantify how secure the system really is.
3. How can businesses benefit by having a
strong Security Architecture?
Fewer Breaches of Your Systems Architecture
Compliance with Key Data Security Standards
Being a Strong Security Architecture Example Helps to Earn Trust
Preventing a Loss of Business
4. How to design a Secure System?
(Diagram: the four building blocks covered next are Layering, Abstraction, Security Domains, and The Ring Model.)
5. 1. Layering
Layering separates hardware and software functionality into modular
tiers.
A generic list of security architecture layers is as follows:
1. Hardware
2. Kernel and device drivers
3. Operating System
4. Applications
6. 2. Abstraction
Abstraction hides unnecessary details from the user.
Complexity is the enemy of security. Computers, however, are
tremendously complex machines, and abstraction provides a way to
manage that complexity.
7. 3. Security Domains
A security domain is the list of objects a subject is allowed to access.
More broadly defined, domains are groups of subjects and objects
with similar security requirements.
8. 4. The Ring Model
The ring model is a form of CPU hardware layering that separates and
protects domains (such as kernel mode and user mode) from each other.
10. SECURE HARDWARE ARCHITECTURE
Secure Hardware Architecture focuses on the physical computer
hardware required to have a secure system. The hardware must
provide confidentiality, integrity, and availability for processes, data,
and users.
It is further divided into the following components:
The System Unit and Motherboard
The Computer Bus
Northbridge and southbridge
12. SECURE OPERATING SYSTEM AND SOFTWARE ARCHITECTURE
Secure Operating System and Software Architecture builds upon the
secure hardware described in the previous slide, providing a secure
interface between hardware and the applications (and users) which
access the hardware. Operating systems provide memory, resource,
and process management.
The most sensitive components in which security is required are:
The Kernel
Virtualization
13. The Kernel
The kernel is the heart of the operating system. It runs closest to the
hardware, in ring 0, which makes it the most sensitive place for a
vulnerability.
There are two basic Kernel designs:
Monolithic and Microkernel.
A monolithic kernel is compiled into one
static executable and the entire kernel runs in
supervisor mode. All functionality required by
a monolithic kernel must be precompiled in.
Microkernels are modular kernels. A
microkernel is usually smaller and has less
native functionality than a typical monolithic
kernel (hence the term “micro”), but can add
functionality via loadable kernel modules.
14. Virtualization
Virtualization adds a software layer between an operating system and the underlying
computer hardware. This allows multiple operating systems to run simultaneously on
one physical computer.
Example: VMware
There are two basic virtualization types: Transparent virtualization (sometimes
called full virtualization) and Paravirtualization.
Transparent virtualization runs stock operating systems, such as Windows 7 or
Ubuntu Linux 9.10, as virtual guests. No changes to the guest OS are required.
Paravirtualization runs specially modified operating systems, with modified kernel
system calls.
20. Bell-LaPadula Model
This model was developed by David Elliott Bell and Leonard J. LaPadula on behalf
of the MITRE Corporation for the US Department of Defense.
It follows the Reading down and Writing up method.
It is focused on maintaining the confidentiality of objects.
It is no longer used because the model does not maintain integrity in any way.
A low-clearance operative can submit false data, which moves up to high-clearance
levels; there is nothing to prevent unauthorized alteration of data.
22. Biba Model
This model was developed by Kenneth Biba at the MITRE Corporation.
It follows the Reading up and Writing down method.
While many governments are primarily concerned with confidentiality, most
businesses desire to ensure that the integrity of the information is protected at
the highest level. Biba is the model of choice when integrity protection is vital.
If a high-ranking subject issues data, everyone can trust that data. If a
low-ranking subject issues some sort of data, no one above that subject has
permission to trust it.
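Added example, not from the slides or the CISSP guide: the two models above written as access checks, so the "read down, write up" (BLP) and "read up, write down" (Biba) rules can be compared on one constructed scenario. Level is an assumed four-step label ordering; the scenario reproduces the BLP objection on the Bell-LaPadula slide.

```python
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula ('read down, write up'): simple security property, no read
    up; *-property, no write down."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba ('read up, write down'), the inverse of BLP: simple integrity
    property, no read down; *-integrity property, no write up."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")


def false_data_scenario() -> dict:
    """Constructed scenario from the slide's objection to BLP: a CONFIDENTIAL
    subject writes (possibly false) data into a TOP_SECRET object, which a
    TOP_SECRET subject then reads."""
    low, high = Level.CONFIDENTIAL, Level.TOP_SECRET
    return {
        # BLP permits the write up and the later read: confidentiality holds,
        # but nothing stops the low subject from altering high-level data.
        "blp_low_writes_high": blp_allows(low, high, "write"),
        "blp_high_reads_high": blp_allows(high, high, "read"),
        # Biba denies the write up, so untrusted data never reaches the object,
        # and also denies the high-integrity subject reading low-integrity data.
        "biba_low_writes_high": biba_allows(low, high, "write"),
        "biba_high_reads_low": biba_allows(high, low, "read"),
    }


if __name__ == "__main__":
    print(false_data_scenario())
```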
25. Evaluation methods
Evaluation criteria provide a standard for qualifying the security of a
computer system or network.
The Trusted Computer System Evaluation Criteria (TCSEC).
The Trusted Network Interpretation (TNI).
The European Information Technology Security Evaluation
Criteria (ITSEC).
The Common Criteria.