7.1 Introduction

Security measures must be incorporated into computer systems whenever they are
potential targets for malicious or mischievous attacks. This is especially
so for systems that handle financial transactions or confidential, classified
or other information whose secrecy and integrity are critical. In Figure
7.1, we summarize the evolution of security needs in computer systems
since they first arose with the advent of shared data in multi-user timesharing
systems of the 1960s and 70s. Today the advent of wide-area, open distributed
systems has resulted in a wide range of security issues.
Figure 7.1 Historical context: the evolution of security needs

|                                 | 1965-75                                                                   | 1975-89                                                                           | 1990-99                                         | Current                                                        |
|---------------------------------|---------------------------------------------------------------------------|-----------------------------------------------------------------------------------|-------------------------------------------------|----------------------------------------------------------------|
| Platforms                       | Multi-user timesharing computers                                          | Distributed systems based on local networks                                       | The Internet, wide-area services                | The Internet + mobile devices                                  |
| Shared resources                | Memory, files                                                             | Local services (e.g. NFS), local networks                                         | Email, web sites, Internet commerce             | Distributed objects, mobile code                               |
| Security requirements           | User identification and authentication                                    | Protection of services                                                            | Strong security for commercial transactions     | Access control for individual objects, secure mobile code      |
| Security management environment | Single authority, single authorization database (e.g. /etc/passwd)        | Single authority, delegation, replicated authorization databases (e.g. NIS)       | Many authorities, no network-wide authorities   | Per-activity authorities, groups with shared responsibilities  |
The need to protect the integrity and privacy of information
and other resources belonging to individuals and organizations is pervasive
in both the physical and the digital world. It arises from the desire
to share resources. In the physical world, organizations adopt security
policies that provide for the sharing of resources within specified limits.
For example, a company may permit entry to its buildings for its employees
and for accredited visitors. A security policy for documents may specify
groups of employees who can access classes of documents or it may be defined
for individual documents and users.
Security policies are enforced with the help of security mechanisms. For
example, access to a building may be controlled by a reception clerk,
who issues badges to accredited visitors, and enforced by a security guard
or by electronic door locks. Access to paper documents is usually controlled
by concealment and restricted distribution.
In the electronic world, the distinction between security policies and
mechanisms remains important; without it, it would be difficult to determine
whether a particular system was secure. Security policies are independent
of the technology used, just as the provision of a lock on a door does
not ensure the security of a building unless there is a policy for its
use (for example, that the door will be locked whenever nobody is guarding
the entrance). The security mechanisms that we shall describe do not in
themselves ensure the security of a system. In Section 7.1.2, we outline
the requirements for security in various simple electronic commerce scenarios,
illustrating the need for policies in that context. As an initial example,
consider the security of a networked file server whose interface is accessible
to clients. To ensure that access control to files is maintained, there
would need to be a policy that all requests must include an authenticated
user identity.
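The file-server example above, worked through as an added illustration (this code is not from the book): the per-file ACL is a security mechanism, but it only protects anything when the policy "every request carries an authenticated user identity" is enforced before the ACL is consulted. The token format, the HMAC key and the ACL contents are constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed: secret shared between the file server and its authentication
# service; in a real deployment this would come from a key store.
SECRET = b"constructed-server-secret"

# Constructed access-control list: path -> set of user names allowed to read it.
ACL = {
    "/finance/ledger.txt": {"alice"},
    "/public/readme.txt": {"alice", "bob"},
}


def issue_token(user: str) -> str:
    """Hypothetical authentication service: binds a user name to an HMAC tag."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def authenticate(request: dict) -> Optional[str]:
    """Mechanism: return the verified identity, or None if the request carries none."""
    user, token = request.get("user"), request.get("token")
    if not user or not token:
        return None
    # constant-time comparison so the check cannot leak which bytes matched
    if not hmac.compare_digest(token, issue_token(user)):
        return None
    return user


def read_allowed_unpoliced(request: dict) -> bool:
    """ACL mechanism alone: trusts whatever identity the client claims."""
    return request.get("user") in ACL.get(request["path"], set())


def read_allowed(request: dict) -> bool:
    """Policy enforced: the ACL is consulted only for an authenticated identity."""
    user = authenticate(request)
    if user is None:
        return False  # reject rather than fall back to a claimed name
    return user in ACL.get(request["path"], set())
```

A request that merely names "alice" passes the unpoliced check, while the policed server rejects it and admits only a request whose identity the authentication mechanism has verified.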
The provision of mechanisms for the protection of data and other computer-based
resources and for securing networked transactions is the concern of this
chapter. We shall describe the mechanisms that enable security policies
to be enforced in distributed systems. The mechanisms we shall describe
are strong enough to resist the most determined attacks.
The distinction between security policies and security mechanisms is helpful
when designing secure systems, but it is often difficult to be confident
that a given set of security mechanisms fully implements the desired security
policies. In Section 2.3.3, we introduced a security model that is designed
to help in analysing the potential security threats in a distributed system.