Computer Security I: Understanding Security Policies - Prof. David M. Nicol, Study notes of Electrical and Electronics Engineering

Part of the Computer Security I course (CS461/ECE422) provided by the University of Illinois. It covers the concept of security policies: their motivation, types, languages, mechanisms, and examples. The document also includes reading materials and examples of privacy policies and acceptable use policies.


Uploaded on 02/24/2010

Security Policies
CS461/ECE422
Computer Security I

Overview

  • Natural language policies
    • Example policies
  • Implementation policies
    • High level
    • Low level

Motivation

  • Security policy guides implementation
    • Reflects what one can assume about an organization
    • Who has access to which resources in what manner
    • Confidentiality, integrity, availability
  • Policy occurs at multiple levels
    • Policy-driven management

Security Policy

  • Policy partitions system states into:
    • Authorized (secure)
      • These are states the system can enter
    • Unauthorized (nonsecure)
      • If the system enters any of these states, it’s a security violation
    • Same state may be secure in one organization and nonsecure in another
  • Secure system
    • Starts in authorized state, and never enters unauthorized state

Question

  • Policy disallows cheating
    • Includes copying homework, with or without permission
  • CS class has students do homework on computer
  • Anne forgets to read-protect her homework file
  • Bill copies it
  • Who cheated?
    • Anne, Bill, or both?

Answer Part 1

  • Bill cheated
    • Policy forbids copying homework assignment
    • Bill did it
    • System entered unauthorized state (Bill having a copy of Anne’s assignment)
  • If not explicit in computer security policy, certainly implicit
    • Not credible that a unit of the university allows something that the university as a whole forbids, unless the unit explicitly says so

Mechanisms/Controls

  • Entity or procedure that enforces some part of the security policy

  • Access controls (like bits to prevent someone from reading a homework file)
  • Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems

Hierarchy of Policies

(Figure: hierarchy diagram with the labels Organizational Policy, Departmental Policy, Department Standards, CSIL-Linux SE Linux Policy, Linux Lab Umask settings)
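
An added example, not part of the original slides: it models the Anne and Bill question as system states, with the Unix permission bits as the mechanism and the umask setting as the low-level policy, and checks whether an unauthorized state is reachable. It assumes Bill falls under the "other" permission class and that new files request mode 0666; all function names are hypothetical.

```python
"""Added illustration: policy = predicate on states, mechanism = permission bits."""

OTHER_READ = 0o004  # Unix read bit for the "other" class (assumed to cover classmates)


def file_mode(umask, requested=0o666):
    """Mode a newly created file receives: requested bits minus the umask bits."""
    return requested & ~umask


def authorized(state):
    """Policy: nobody holds a copy of another student's homework.
    A state is a frozenset of (holder, owner) pairs."""
    return all(holder == owner for holder, owner in state)


def next_states(state, files):
    """Mechanism: a copy succeeds only when the permission bits allow the read."""
    for owner, mode in files.items():
        for user in files:
            if user == owner or mode & OTHER_READ:
                yield state | {(user, owner)}


def reachable(initial, files):
    """Every state the system can enter from the initial state."""
    seen, todo = {initial}, [initial]
    while todo:
        for nxt in next_states(todo.pop(), files):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def violations(umask, users=("anne", "bill")):
    """(holder, owner) pairs that appear in some reachable unauthorized state."""
    files = {u: file_mode(umask) for u in users}
    initial = frozenset((u, u) for u in users)
    states = reachable(initial, files)
    return sorted({p for s in states for p in s if p[0] != p[1]})


def is_secure(umask):
    """Secure system: starts authorized and never enters an unauthorized state."""
    return not violations(umask)


if __name__ == "__main__":
    for umask in (0o022, 0o077):
        print(f"umask {umask:03o}: mode {file_mode(umask):03o}, "
              f"secure={is_secure(umask)}, violations={violations(umask)}")
```

With umask 022 the mechanism leaves the unauthorized state reachable even though the policy still forbids it, which is why Bill's copying is a violation and not something the permission bits "allowed".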

Natural Language Security Policies

  • Targeting Humans
    • Written at different levels
      • To inform end users
      • To inform lawyers
      • To inform technicians
      • Users, owners, beneficiaries (customers)
  • As with all policies, should define purpose not mechanism
    • May have additional documents that define how policy maps to mechanism
  • Should be enduring
    • Don't want to update with each change to technology
  • Shows due diligence on part of the organization

How to Write a Policy

  • Understand your environment
    • Risk Analysis (see next lecture)
  • Understand your industry
    • Look for “standards” from similar companies
    • Leverage others' wisdom
    • Already proven with auditors/regulators
  • Gather the right set of people
    • Technical experts, person ultimately responsible, person who can make it happen
    • Not just the security policy “expert”

University of Illinois Information Security Policies

  • University of Illinois Information Security Policies
    • System wide policy; Identifies what, not how
    • http://www.obfs.uillinois.edu/manual/central_p/sec19-5.html
  • CITES UIUC standards and guidelines
    • DNS - http://www.cites.uiuc.edu/dns/standards.html
    • FERPA - http://www.cites.uiuc.edu/edtech/development_aids/ferpa/index.html
  • CS Department policies
    • https://agora.cs.uiuc.edu/display/tsg/Policies

Example Privacy Policies

  • Busey Bank - http://busey.com/
    • Financial Privacy Policy
      • Targets handling of personal non-public data
      • Clarifies what data is protected
      • Who the data is shared with

Policy Models

  • Abstract description of a policy or class of policies
  • Types of policies
    • Military (governmental) security policy
      • Policy primarily protecting confidentiality
    • Commercial security policy
      • Policy primarily protecting integrity
    • Confidentiality policy
      • Policy protecting only confidentiality
    • Integrity policy
      • Policy protecting only integrity
    • Service Level Agreements
      • Availability agreements

Policy Languages

  • Express security policies in a precise way
  • A continuum of policy languages
    • English Policies
      • May be legally precise. Used as basis for legal action.
      • May be written imprecisely just to give real users a sense of the policy
    • High-level languages
      • Policy constraints expressed abstractly
    • Low-level languages
      • Policy constraints expressed in terms of program options, input, or specific characteristics of entities on system