Which of the following is not one of the well-known overarching strategies that may be applied in the development of trustworthy secure systems?
B. Defense in Depth
C. Modularity and layering
D. Reference Monitor Concept
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Modularity and layering.
This question is designed as a clue and an introduction to NIST SP 800-160 Volume 1 for those who are interested in security engineering. That publication describes three categories of security design principles and three overarching strategies for trustworthy secure system development.
The Principles of Modularity and Layering
The following is an excerpt about the security design principles of modularity and layering from NIST SP 800-160 V1:
- Modularity and layering derived from functional decomposition are effective in managing system complexity, by making it possible to comprehend the structure of the system.
- Modularity serves to isolate functions and related data structures into well-defined logical units.
- Layering allows the relationships of these units to be better understood, so that dependencies are clear and undesired complexity can be avoided.
- The security design principle of modularity extends functional modularity to include considerations based on trust, trustworthiness, privilege, and security policy.
- Security-informed modular decomposition includes the following: allocation of policies to systems in a network; allocation of system policies to layers; separation of system applications into processes with distinct address spaces; and separation of processes into subjects with distinct privileges based on hardware-supported privilege domains.
- The security design principles of modularity and layering are not the same as the concept of defense in depth, which is discussed in Section F.4.
Approaches to Trustworthy Secure System Development
NIST SP 800-160 V1 introduces three approaches (overarching strategies) to trustworthy secure system development. These approaches may be used individually or in combination:
- Reference Monitor Concept
- Defense in Depth
- Isolation
The following is an excerpt about the three approaches from NIST SP 800-160 V1:
Reference Monitor Concept
The reference monitor concept provides an abstract security model of the necessary and sufficient properties that must be achieved by any system mechanism claiming to securely enforce access controls.
The reference monitor concept does not refer to any particular policy to be enforced by a system, nor does it address any particular implementation. Instead, the intent of this concept is to help practitioners avoid ad hoc approaches to the development of security mechanisms intended to enforce critical policies and can also be used to provide assurance that the system has not been corrupted by an insider.
The abstract instantiation of the reference monitor concept is an “ideal mechanism” characterized by three properties:
1. the mechanism is tamper-proof (i.e., it is protected from modification so that it always is capable of enforcing the intended access control policy);
2. the mechanism is always invoked (i.e., it cannot be bypassed so that every access to the resources it protects is mediated); and
3. the mechanism can be subjected to analysis and testing to assure that it is correct (i.e., it is possible to validate that the mechanism faithfully enforces the intended security policy and that it is correctly implemented).
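The three properties above are easier to grasp when each one is mapped to something concrete. The following Python model is an added illustration, not text or code from NIST SP 800-160; the policy table, subjects and object names are constructed for the example. A read-only policy view stands in for tamper-proofing (property 1; a real system gets this from hardware or OS protection domains), the protected store exposes no path to its objects that skips the monitor (property 2, always invoked), and the monitor is small enough to be checked exhaustively against the policy table (property 3, analysable and testable).

```python
from dataclasses import dataclass
from types import MappingProxyType
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample policy (not from NIST SP 800-160):
# subject -> permitted (object, operation) pairs.
_POLICY_TABLE: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "alice": frozenset({("payroll.db", "read"), ("payroll.db", "write")}),
    "bob": frozenset({("payroll.db", "read")}),
}
SUBJECTS = ("alice", "bob", "mallory")   # mallory has no entry in the policy
OBJECTS = ("payroll.db",)
OPERATIONS = ("read", "write")


class AccessDenied(PermissionError):
    """Raised when the monitor refuses a request."""


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    obj: str
    operation: str


class ReferenceMonitor:
    """Makes every access decision. Kept deliberately small so it can be
    analysed and tested in full (property 3)."""

    def __init__(self, policy: Dict[str, FrozenSet[Tuple[str, str]]]):
        # Read-only view: item assignment through it raises TypeError (property 1).
        # This only models tamper-proofing; real systems rely on protection domains.
        self._policy = MappingProxyType({s: frozenset(p) for s, p in policy.items()})
        self.audit: List[Tuple[AccessRequest, bool]] = []

    def check(self, request: AccessRequest) -> bool:
        permitted = self._policy.get(request.subject, frozenset())
        decision = (request.obj, request.operation) in permitted
        self.audit.append((request, decision))   # every mediated request is recorded
        return decision


class ProtectedStore:
    """Holds the protected objects. The only way to reach them is through
    read()/write(), both of which consult the monitor first (property 2)."""

    def __init__(self, monitor: ReferenceMonitor):
        self._monitor = monitor
        self._objects = {"payroll.db": "constructed sample payroll data"}

    def _mediate(self, subject: str, obj: str, operation: str) -> None:
        if not self._monitor.check(AccessRequest(subject, obj, operation)):
            raise AccessDenied(f"{subject} may not {operation} {obj}")

    def read(self, subject: str, obj: str) -> str:
        self._mediate(subject, obj, "read")
        return self._objects[obj]

    def write(self, subject: str, obj: str, value: str) -> None:
        self._mediate(subject, obj, "write")
        self._objects[obj] = value


def tampering_is_rejected(monitor: ReferenceMonitor) -> bool:
    """Property 1: an attempt to rewrite the loaded policy fails."""
    try:
        monitor._policy["mallory"] = frozenset({("payroll.db", "write")})
    except TypeError:
        return True
    return False


def decisions_match_policy(monitor: ReferenceMonitor) -> bool:
    """Property 3: compare the monitor's decision for every subject/object/operation
    combination with the policy table it was loaded from."""
    for subject in SUBJECTS:
        for obj in OBJECTS:
            for operation in OPERATIONS:
                expected = (obj, operation) in _POLICY_TABLE.get(subject, frozenset())
                if monitor.check(AccessRequest(subject, obj, operation)) != expected:
                    return False
    return True


def demo() -> dict:
    """Exercise the three properties and return the observations."""
    monitor = ReferenceMonitor(_POLICY_TABLE)
    store = ProtectedStore(monitor)
    results = {"alice_read": store.read("alice", "payroll.db")}
    try:
        store.write("bob", "payroll.db", "changed")   # bob is read-only
        results["bob_write_denied"] = False
    except AccessDenied:
        results["bob_write_denied"] = True
    results["tamper_rejected"] = tampering_is_rejected(monitor)
    results["policy_verified"] = decisions_match_policy(monitor)
    results["mediated_requests"] = len(monitor.audit)   # 1 read + 1 write + 6 exhaustive checks
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape, not the mechanism: the store has no public path to its objects that avoids the monitor, the policy cannot be rewritten through the monitor once loaded, and the monitor is so small that every possible decision can be enumerated and compared with the policy. Those are exactly the three properties the excerpt lists.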
Defense in Depth
Defense in depth describes security architectures constructed through the application of multiple mechanisms to create a series of barriers to prevent, delay, or deter an attack by an adversary. The application of some security components in a defense in depth strategy may increase assurance, but there is no theoretical basis to assume that defense in depth alone could achieve a level of trustworthiness greater than that of the individual security components used. That is, a defense in depth strategy is not a substitute for or equivalent to a sound security architecture and design that leverages a balanced application of security concepts and design principles.
Isolation
Two forms of isolation are available to system security engineers: logical isolation and physical isolation.
The former (logical isolation) requires the use of underlying trustworthy mechanisms to create isolated processing environments. 1) These can be constructed so that resource sharing among environments is minimized. Their utility can be realized in situations in which virtualized environments are sufficient to satisfy computing requirements. 2) In other situations, the isolation mechanism can be constructed to permit sharing of resources, but under the control and mediation of the underlying security mechanisms, thus avoiding blatant violations of security policy.
Physical isolation involves separation of components, systems, and networks by hosting them on separate hardware. It may also include the use of specialized computing facilities and operational procedures to allow access to systems only by authorized personnel.
In many situations, isolation objectives may be achieved by a combination of logical and physical isolation. Security architects and operational users must be cognizant of the co-dependencies between the logical and physical mechanisms and must ensure that their combination satisfies security and assurance objectives. A full discussion of isolation is beyond the scope of this appendix.
- Open Reference Architecture for Security and Privacy
- The Principles of Network Security Design
- Security by Design Principles according to OWASP
- Principles of Secure Network Design
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.