Thursday 16 May 2013

Recognised Security Tomes and Resultant Concepts

Recognised security tomes include:

Bruce Schneier's Applied Cryptography

and "The Rainbow Series", which includes requirements for systems that process sensitive information:

The Orange Book - nickname for the TCSEC (Trusted Computer System Evaluation Criteria) - mandates that a Security Policy be defined for the computer system. The security policy must be "explicit, well-defined and enforced".

An interesting concept that the Orange Book refers to is the distinction between Mandatory and Discretionary Access Control. Mandatory Access Control imposes limitations on "subjects and objects" as a whole, whereas Discretionary Access Control is more focused on individual user access needs (and on access control based on the "groups" to which users belong). The Orange Book doesn't discuss specific implementation abstractions of these concepts, though.
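To make the distinction concrete, here is a small model of the two policies working together. This is an added example, not code from the Orange Book or from the original post (the TCSEC describes the concepts, not an implementation): the linear label ordering, the "no read up / no write down" rules used for the mandatory check, and the owner-controlled ACL used for the discretionary check are all assumptions chosen for illustration.

```python
"""Illustrative model of Mandatory vs Discretionary Access Control.

Added example, not from the Orange Book or the original post. The label
ordering, the "no read up / no write down" rules and the ACL shape are
assumptions chosen to make the MAC/DAC distinction concrete.
"""
from dataclasses import dataclass, field

# Constructed linear ordering of sensitivity labels (assumed, not from the page).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass
class Subject:
    name: str
    clearance: str                       # MAC attribute, set by the administrator
    groups: set = field(default_factory=set)


@dataclass
class Obj:
    name: str
    classification: str                  # MAC attribute, set by the administrator
    owner: str                           # DAC attribute: the owner controls the ACL
    acl: dict = field(default_factory=dict)   # principal -> set of access modes


def mac_allows(subject: Subject, obj: Obj, mode: str) -> bool:
    """Mandatory check: decided by labels alone, never by the object's owner.

    read  : subject clearance must dominate the object classification (no read up)
    write : object classification must dominate the subject clearance (no write down)
    """
    s = LEVELS[subject.clearance]
    o = LEVELS[obj.classification]
    if mode == "read":
        return s >= o
    if mode == "write":
        return o >= s
    raise ValueError(f"unknown mode {mode!r}")


def dac_allows(subject: Subject, obj: Obj, mode: str) -> bool:
    """Discretionary check: the owner's ACL grants modes to users or to groups."""
    if subject.name == obj.owner:
        return True
    principals = {subject.name} | {f"group:{g}" for g in subject.groups}
    return any(mode in obj.acl.get(p, set()) for p in principals)


def allows(subject: Subject, obj: Obj, mode: str) -> bool:
    """Both policies must agree: the mandatory rule bounds what the owner may grant."""
    return mac_allows(subject, obj, mode) and dac_allows(subject, obj, mode)


def demo():
    # Constructed subjects and object (hypothetical names and labels).
    alice = Subject("alice", "SECRET", {"analysts"})
    bob = Subject("bob", "CONFIDENTIAL", {"analysts"})
    report = Obj("report", "SECRET", owner="alice",
                 acl={"group:analysts": {"read"}})
    # Alice, the owner, grants the analysts group read access to her SECRET report.
    # Bob is in that group (DAC says yes) but holds only CONFIDENTIAL clearance,
    # so the mandatory rule still denies the read: a discretionary grant cannot
    # override a mandatory label check.
    return {
        "alice_read": allows(alice, report, "read"),
        "alice_write": allows(alice, report, "write"),
        "bob_read": allows(bob, report, "read"),
        "bob_dac_only": dac_allows(bob, report, "read"),
        "bob_write": allows(bob, report, "write"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the `allows` function is the ordering of authority: the owner can narrow access through the ACL but can never widen it past what the labels permit, which is exactly the property that makes the control "mandatory" rather than at the user's discretion.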

The Rainbow Books came out of a recommendation by a Task Force set up in 1967 to analyse computer security safeguards to protect sensitive information. These concerns relate not just to building secure systems, but evaluating and auditing them as well. The Orange Book addresses these dual concerns.

There is also a set of Compact Disc format specifications known as "The Rainbow Books" (including the 1988 CD-ROM format specification and the 1993 VCD specification), which is unrelated to the security series.
