|
Security Modes of Operation
Dedicated Security Mode:
If all users have the clearance or authorization and need-to-know to all data processed within the system.
All users have been given formal access approval for all information on the system and have signed nondisclosure agreements pertaining to this information.
The system can handle a single classification level of information.
System-High Security Mode:
All users have a security clearance or authorization to access the information but not necessarily a need-to-know for all the information processed on the system (only some of the data).
Require all users to have the highest level of clearance, but a user is restricted via the access control matrix.
Compartmented Security Mode:
All users have the clearance to access all the information processed by the system, but might not have the need-to-know and formal access approval.
Users are restricted to being able to access some information because they do not need to access it to perform the functions of their jobs and they have not been given formal approval to access this data.
Compartments are security levels with limited number of subjects cleared to access data at each level.
CMW / Compartments - Enable users to process multiple compartments of data at the same time, if they have the necessary clearance.
Multilevel Security Mode:
Permits two or more classification levels of information to be processed at the same time when all the users do not have the clearance of formal approval to access all the information being processed by the system.
Trust and Assurance:
Trust - Tells the customer how much he can expect out of this system, what level of security it will provide.
Assurance - The system will act in a correct and predictable manner in each and every computing situation.
System Evaluation Methods
Examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, protection mechanisms.
The Orange Book / TCSEC:
TCSEC - Trusted Computer System Evaluation Criteria.
Evaluates products to assess if they contain the security properties they claim and evaluate if the product is appropriate for a specific application or function.
Looks at the functionality, effectiveness and assurance of a system during its evaluation and it uses classes that were devised to address typical patterns of security requirements.
Focuses on the operating system.
|
|
