Data Protection and Security

I

Introduction to Information Security

I.IV

Principles of Security

7. Finally: we repeat here the list of principles, Gollmann gave on computer security.

1. “In a given application, should the protection mechanisms in a computer system focus on data, operations or users?”
2. “In which layer of the computer system should a security mechanism be placed?”
Applications
Services
Operating System
OS Kernel
Hardware
3. “Do you prefer simplicity – and higher assurance – to a feature rich security environment?”
4. “Should the tasks of defining and enforcing security be given to a central entity or should they be left to individual components in a system?”
5. “How can you prevent an attacker from getting access to a layer below the protection mechanism?”

We would like to elaborate more on this last principle. Unlike the one we provide, Golmann’s list is rather a technical one up to this point however the final principle demonstrates the need to incorporate the physical and organizational security measures into technical ones (see the figure below).

As an example, consider the case when your computer is physically not protected. Then, no matter how sophisticated your authentication mechanisms are, an attacker can simply obtain the confidential information located in your computer’s hard disk by physically accessing the hard disk and read and restore the file structure with some recovery tools.

Figure I.IV-II

Figure depicts the need to incorporate the physical and organizational security measures into technical ones.
[click to enlarge]

I.IV.Q