NAVAL POSTGRADUATE SCHOOL MONTEREY CA DEPT OF INFORMATIONAL SCIENCES
Security in information systems is a complex problem. Single solutions to complex problems don't exist, and matching the appropriate solution (or, more accurately, a set of solutions) to a requirement is necessary. This paper provides a list of definitions of information security-related terms; reviews ISO 7498-2, the security architecture reference model; presents an organizing matrix; discusses application layer security, enclave protection, link protection, and the Department of Defense's most recent (March 2002) Overarching Wireless Policy; and presents examples of problems that can occur (e.g., credit card transactions over the Internet and the Walker insider attack against the Navy worldwide communications system). The author concludes that the higher up the matrix one can solve a security problem, the better. In particular, if one can solve confidentiality problems at the application layer, one can use the general-purpose network. None of the solutions are mutually exclusive. It's entirely possible to solve the confidentiality problem with end-to-end secure e-mail, communicate entirely within a closed enclave (carefully firewalled or air-gapped to keep out outsiders), and use link encryption to frustrate traffic analysis by eavesdroppers. When one considers acquiring information systems, one wants to express the lower-layer requirements to the plumbers -- those who build and provision the network -- and the top-layer requirements to the application designers. Mixing these signals (graphically visualized as crossing the matrix diagonally) results in asking the right requirements, but of the wrong providers. Most importantly, the specific security requirements must be properly matched with a solution that directly targets the requirement. In the matrix presented, this is visually illustrated by horizontal lines between problem and solution; diagonal traces indicate a mismatch.
- Information Science
- Computer Systems
- Computer Systems Management and Standards