Axioms of security policy
Analysis of experience in information protection, together with the main provisions of the subject-object model, allows several axioms concerning the construction of security policies to be formulated.
Axiom 1. In a secure information system, any subject and object must be identified and authenticated at any given time.
This axiom is determined by the very nature and content of the processes of collective user access to resources. Otherwise, subjects have the opportunity to impersonate other subjects or substitute one access object for another.
Axiom 2. The protected system must have an active component (subject, process, etc.) with an associated object that mediates and controls subjects' access to objects, such as a security monitor or a security kernel.
A security monitor is a mechanism for implementing the security policy in an information system: the set of hardware, software and special system components that implement protection and security functions (commonly referred to as the TCB, Trusted Computing Base).
In most information systems a core can be distinguished (the OS kernel, the DBMS data engine), which in turn is divided into an information representation component (the OS file system, the DBMS data model), a data access component (the OS I/O subsystem, the DBMS query processor) and an add-on layer (utilities, services, interface components).
In a secure system an additional component appears that provides the information security processes, primarily the identification/authentication procedures and the control of access based on a particular security policy.
Taking into account the regulatory requirements for the certification of protected systems, the following mandatory requirements are imposed on the implementation of the security monitor:
1. Completeness. The security monitor must be invoked on every request by any subject to access any object, and there must be no way to bypass it.
2. Isolation. The security monitor must be protected from tracking and interception of its operation.
3. Verifiability. The security monitor must be verifiable (self-testable or externally testable) so that it can be shown to perform its functions.
4. Continuity. The security monitor must function in all situations, including emergencies.
The security monitor in a secure system is the subject that implements the adopted security policy, realising the corresponding security models through its algorithms.
Axiom 3. To implement the adopted security policy, and to manage and control subjects' access to objects, information about that access (the access rules) and an object containing this information are necessary.
Consequence 3.1. In a secure system there is a special category of active entities that are not initiated and are not controlled by system users: system processes (subjects) that are present in the system from the start.
Consequence 3.2. The object associated with the security monitor that contains the access control information is, from a security standpoint, the most critical information resource in a secure information system.
Consequence 3.3. In a secure system there may be a trusted user (the system administrator) whose subjects have access to the data object associated with the security monitor, in order to manage the access control policy.
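As an added illustration (not part of the original text), the following Python sketch models Axioms 1 to 3 and the completeness requirement: a single mediation point, a set of authenticated subjects, pre-existing system subjects, and access-control data held in the monitor's associated object, which only the trusted administrator may change. The subject names, secrets and object names are constructed; isolation of the monitor from its callers is assumed rather than enforced.

```python
from typing import Dict, Set

POLICY_OBJECT = "policy"  # the monitor's associated object (Consequence 3.2)
ADMIN = "admin"           # the trusted user (Consequence 3.3); constructed name

class SecurityMonitor:
    """Single decision point for every subject->object access (Completeness).
    Isolation (requirement 2) cannot be enforced in plain Python; assumed here."""

    def __init__(self, credentials: Dict[str, str], system_subjects=()):
        self._credentials = dict(credentials)          # identities for Axiom 1
        self._authenticated: Set[str] = set(system_subjects)  # Consequence 3.1
        # the access-control information lives in the policy object itself;
        # initially only ADMIN may read or change it (Consequences 3.2, 3.3)
        self._policy = {POLICY_OBJECT: {ADMIN: {"read", "write"}}}
        self._store: Dict[str, object] = {}

    def authenticate(self, subject: str, secret: str) -> bool:
        ok = self._credentials.get(subject) == secret
        if ok:
            self._authenticated.add(subject)
        return ok

    def mediate(self, subject: str, obj: str, mode: str) -> bool:
        """Every access request is checked here; an unauthenticated subject
        or a missing rule both yield a refusal (default deny)."""
        if subject not in self._authenticated:
            return False
        return mode in self._policy.get(obj, {}).get(subject, set())

    def read(self, subject: str, obj: str):
        if not self.mediate(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._store.get(obj)

    def write(self, subject: str, obj: str, value) -> None:
        if not self.mediate(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self._store[obj] = value

    def grant(self, subject: str, obj: str, target: str, mode: str) -> None:
        """A policy change is a write to the policy object and is mediated
        exactly like any other access (Consequence 3.3)."""
        if not self.mediate(subject, POLICY_OBJECT, "write"):
            raise PermissionError(f"{subject} may not modify the policy")
        self._policy.setdefault(obj, {}).setdefault(target, set()).add(mode)
```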
The principles and the methods of representing and implementing the objects associated with the security monitor are determined by the type of security policy and the specifics of the particular system.
To date, a large number of different security models have been developed, all of them expressing a few basic security policies. At the same time, the criterion for the security of subjects' access to objects is important, i.e. the rule that divides the information flows generated by subjects' access to objects into safe and unsafe ones.
The system is secure if and only if the subjects do not have the ability to violate (circumvent) the security policy established in the system.
The subject of the security policy is the security monitor; its presence in the structure of the system is therefore a necessary condition for security. The sufficiency conditions are contained in the security of the security monitor itself.