System engineering is an important technology discipline where practitioners are charged with taking many different and complex technical components and assembling them into a functional system that meets business objectives and security requirements at the same time. In this video, learn general security engineering principles, including incorporating security in the design process, the subject-object model, failure modes, isolation, and segmentation.
- [Narrator] System engineering is an important technology discipline where practitioners are charged with taking many different and complex technical components and assembling them into a functional system that meets business objectives and security requirements at the same time. We'll be exploring many different aspects of security engineering throughout this course, including many of the technologies used to build secure systems. But let's begin with a look at some general security engineering principles, including incorporating security into the design process, the subject/object model, failure modes, isolation, and segmentation.
Security must be treated as a key component of the design process. If you look back at major security failures over the past decade, many shared a common theme. Some aspect of security was either entirely overlooked or treated as an afterthought after the system design was complete. In this approach, known as bolt-on security, security engineers attempt to retrofit an existing system with security features designed to protect the confidentiality, integrity, and availability of the data handled by that system.
While this approach could be successful, it is much less effective and much more expensive than simply including security in the design from the start. One of the core security models underlying many system designs is the subject/object model of computer security. In this approach, every access request is seen as having two different components, a subject who is requesting some type of access and an object, which is the resource being requested.
For example, if a user requests access to a file, the user is the subject of the request and the file is the object of the request. Similarly, a process might request access to a memory location. In that example, the process is the subject of the request and the memory contents are the object of the request. When designing a system, it is often helpful to describe access requests in these terms, making the identity of the subject and object explicitly clear for each request.
Working in this way allows the design of access control systems with easily defined and implemented rules. Another important security decision is how a system should behave in the event of a failure. There are two possible failure modes. In a fail open system, if the security controls fail, they are automatically bypassed. This approach favors continued business operation but may pose an unacceptable security risk.
In a fail secure system, on the other hand, if a security control fails, the system locks itself down to a state where no access is granted. An easy way to understand this is by imagining a firewall at the perimeter of a network. If the firewall fails and is configured in a fail open state, the network will continue operating after the failure without the benefit of firewall protection. This probably isn't a good idea, and firewalls are usually configured in a fail secure state that blocks traffic flow in the event of a failure.
As a counterexample, an intrusion detection system may play a less critical role in information security programs. While it may be highly desirable to inspect traffic for signs of malicious activity, administrators might decide that even in the event of an IDS failure, the cost of disrupting network activity doesn't warrant putting the system into a fail secure mode. Other core principles that you'll find throughout discussions of security engineering are the concepts of isolation and segmentation.
In many cases, engineers design secure systems so that different components can't communicate with each other unless absolutely necessary. Let's look at a few examples. In the case of network segmentation, an organization's accounting department, executive team, and sales team might reside on different network segments to protect their computers from each other. This way, an intruder gaining access to one network segment would still have some work to do before compromising another network segment.
Inside a computing system, process isolation ensures that different applications don't have access to each other. This isolates software so that one malicious program has a harder time affecting other processes running on the system. Along those same lines, systems also perform memory segmentation to prevent different processes from accessing memory assigned to other processes. Finally, in the world of virtualization, the hypervisor is responsible for virtual machine isolation, ensuring that different virtual machines don't have access to each other's resources.
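The subject/object model and the two failure modes described in the narration can be made concrete in a few lines of code. The following is an added example, not part of the course or its author's material: a small access-control evaluator that states every request explicitly as (subject, object, action) and then shows what the same control does when the policy source itself breaks, once configured fail-open and once fail-secure. The subjects, roles, resources and the `SAMPLE_POLICY` table are constructed for illustration; `load_policy_broken` simulates the control failing rather than a policy saying "deny".

```python
# Added example (not from the course transcript or its author): a minimal
# access-control evaluator that phrases each request in subject/object terms
# and contrasts fail-open with fail-secure behaviour when the control fails.
# All names, roles, resources and the policy table are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Set, Tuple


class FailMode(Enum):
    OPEN = "fail-open"      # control is bypassed when it breaks
    SECURE = "fail-secure"  # no access is granted when it breaks


@dataclass(frozen=True)
class Subject:
    """Who is asking: a user or a process, with the roles it holds."""
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    """What is being asked for: a file, a memory region, a network segment."""
    name: str


# A policy maps (role, resource name) -> the set of permitted actions.
Policy = Dict[Tuple[str, str], Set[str]]

# Constructed policy: only the accounting role may touch the ledger.
SAMPLE_POLICY: Policy = {
    ("accounting", "ledger.xlsx"): {"read", "write"},
    ("sales", "pipeline.csv"): {"read"},
}


def load_policy_ok() -> Policy:
    """A healthy policy source."""
    return SAMPLE_POLICY


def load_policy_broken() -> Policy:
    """Simulates the control itself failing (e.g. policy store unreachable)."""
    raise ConnectionError("policy store unreachable")


def evaluate(policy: Policy, subject: Subject, resource: Resource, action: str) -> bool:
    """Allow only if some role held by the subject permits the action on the object."""
    return any(action in policy.get((role, resource.name), set()) for role in subject.roles)


def decide(subject: Subject, resource: Resource, action: str,
           policy_source: Callable[[], Policy], fail_mode: FailMode) -> Tuple[bool, str]:
    """Decide one (subject, object, action) request.

    Returns (allowed, reason). If the control itself fails, the outcome is
    dictated by fail_mode rather than by the policy.
    """
    request = f"subject={subject.name} object={resource.name} action={action}"
    try:
        policy = policy_source()
    except Exception as exc:  # the control failed; the failure mode decides
        if fail_mode is FailMode.OPEN:
            return True, f"{request} -> ALLOW (control failed: {exc}; {fail_mode.value})"
        return False, f"{request} -> DENY (control failed: {exc}; {fail_mode.value})"
    allowed = evaluate(policy, subject, resource, action)
    return allowed, f"{request} -> {'ALLOW' if allowed else 'DENY'} (policy evaluated)"


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"accounting"}))
    bob = Subject("bob", frozenset({"sales"}))
    ledger = Resource("ledger.xlsx")
    for subj, source, mode in [
        (alice, load_policy_ok, FailMode.SECURE),      # ALLOW by policy
        (bob, load_policy_ok, FailMode.SECURE),        # DENY by policy
        (bob, load_policy_broken, FailMode.OPEN),      # ALLOW: control bypassed
        (bob, load_policy_broken, FailMode.SECURE),    # DENY: locked down
    ]:
        print(decide(subj, ledger, "read", source, mode)[1])
```

The design point is that the failure mode is a separate, explicit decision from the policy itself: the same `evaluate` logic is used in both modes, and only the exception path differs. That is the firewall-versus-IDS trade-off from the narration, reduced to one `FailMode` parameter that a reviewer can find and question during design rather than discovering it after an outage.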
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx. You can also join Mike's free study group at certmike.com.
Note: This course is part of a series releasing throughout 2018. A completed Learning Path of the series will be available once all the courses are released.
- Understanding security design principles and models
- Cloud computing and virtualization
- Hardware security
- Client and server vulnerabilities
- Web security vulnerabilities
- Securing mobile devices and smart devices
- Understanding encryption
- Symmetric and asymmetric cryptography
- Key management and public key infrastructure
- Physical security