Information and network security 4 osi architecture
- 1. Information and Network Security: 4 OSI Security Architecture Prof Neeraj Bhargava Vaibhav Khanna Department of Computer Science School of Engineering and Systems Sciences Maharshi Dayanand Saraswati University Ajmer
- 2. OSI Security Architecture • ITU-T X.800 “Security Architecture for OSI” • defines a systematic way of defining and providing security requirements • for us it provides a useful, if abstract, overview of concepts we will study
- 3. OSI Security Architecture • To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. This is difficult enough in a centralized data processing environment; with the use of local and wide area networks the problems are compounded. ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach. The OSI security architecture is useful to managers as a way of organizing the task of providing security.
- 4. Levels of Impact We can define three levels of impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These levels are defined in FIPS PUB 199: 3 levels of impact from a security breach Low Moderate High
- 5. Levels of Impact • • Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might • (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; • (ii) result in minor damage to organizational assets; • (iii) result in minor financial loss; or • (iv) result in minor harm to individuals.
- 6. Levels of Impact • • Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might • (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; • (ii) result in significant damage to organizational assets; • (iii) result in significant financial loss; or • (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.
- 7. Levels of Impact • • High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might • (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; • (ii) result in major damage to organizational assets; • (iii) result in major financial loss; or • (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
- 8. Examples of Security Requirements • confidentiality – student grades • integrity – patient information • availability – authentication service
- 9. Examples of Security Requirements • We now provide some examples of applications that illustrate the requirements just enumerated. • • Confidentiality - Student grade information is an asset whose confidentiality is considered to be highly important by students. Grade information should only be available to students, their parents, and employees that require the information to do their job. • Student enrollment information may have a moderate confidentiality rating. While still coveredby FERPA, this information is seen by more people on a daily basis, is less likely to be targeted than grade information, and results in less damage if disclosed. • Directory information, such as lists of students or faculty or departmental lists, may be assigned a low confidentiality rating or indeed no rating. This information is typically freely available to the public and published on a school's Web site.
- 10. Examples of Security Requirements • • Integrity – Consider a hospital patient's allergy information stored in a database. The doctor should be able to trust that the information is correct and current. • Now suppose that an employee (e.g., a nurse) who is authorized to view and update this information deliberately falsifies the data to cause harm to the hospital. • The database needs to be restored to a trusted basis quickly, and it should be possible to trace the error back to the person responsible. • Patient allergy information is an example of an asset with a high requirement for integrity. • Inaccurate information could result in serious harm or death to a patient and expose the hospital to massive liability.
- 11. Examples of Security Requirements • • Availability - The more critical a component or service, the higher is the level of availability required. • Consider a system that provides authentication services for critical systems, applications, and devices. • An interruption of service results in the inability for customers to access computing resources and staff to access the resources they need to perform critical tasks. • The loss of the service translates into a large financial loss in lost employee productivity and potential customer loss.
- 12. • Discuss levels of impact from a security breach • Explain using an example the confidentiality integrity and availability concepts in information security