Evaluating Design 2 for Security

Design 2 for reference

What can we say about the structural security of the system? Has it improved, reduced, or stayed the same?

The rule of structural security says "If the end user of the system can access or know about the internal structural components of the system, then the system is considered to be structurally insecure."

In the current design, can an end user access or know about the structural components of this system?

I hope the answer is NO, which is why we can say that structural security has improved by a great factor compared to the previous design.

Evaluation with Respect to Behavioral Security

What can we say about the behavioral security of the system? Has it improved, reduced, or stayed the same?

The rule of behavioral security says "If the end user of the system can access or know about the behaviors of the system which he is not supposed to know about or access, then the system is considered to be behaviorally insecure."

In this design, as you can see, there is nothing before the control entities to stop a user from accessing them, so behavioral security continues to be a problem in this design.

Detailed Understanding of Security

Let's understand another very fundamental rule of systems.

"Security of the system can also be increased by increasing the levels of indirection within your system. The more levels of indirection, the more secure your system, but every level of indirection will keep reducing the performance of the system by the same factor."

There are numerous real-world examples to understand the same.

Let's say you have a precious jewelry box that you need to safeguard.

One option is to put it behind multiple doors. Every door is a level of indirection increasing the security of the system, but every door will also reduce the performance by the same factor.

OR

Put multiple locks on a single door. Again, every lock is a level of indirection increasing the security but reducing the performance of the system.

The firewalls of software systems are again examples of levels of indirection used to increase the security of the system.

In your companies, the more access-controlled doors there are, the higher the security but the lower the performance of the system.

We can also say "Security is inversely proportional to performance". It is technically not possible to have systems that are highly secure and give high performance as well.

We can summarize it by saying:

"A level of indirection reduces the complexity, increases the usability and flexibility but reduces the performance of the system".

The level of indirection is the fundamental technical rule to increase the usability, flexibility and security of the system.

Hence we can say that structural security has been taken care of in this design, while behavioral security continues to be a problem.
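
The following Python code is an added example, not part of the original article or of Design 2. It puts one level of indirection in front of a control entity, so that a behavior is checked against the caller's role before it is invoked, and counts the extra check each call pays for. The names `AccountControl` and `AccessGate`, the roles and the behaviors are hypothetical.

```python
# Added illustration; every class, role and behavior name here is hypothetical.

class AccountControl:
    """A control entity: implements behaviors, performs no access checks itself."""
    def view_balance(self, account):
        return f"balance of {account}"

    def close_account(self, account):
        return f"{account} closed"


class AccessGate:
    """One level of indirection placed in front of the control entity."""
    def __init__(self, control, permissions):
        self._control = control          # callers are handed the gate, not this
        self._permissions = permissions  # role -> set of allowed behavior names
        self.checks = 0                  # extra work added by the indirection

    def invoke(self, role, behavior, *args):
        self.checks += 1
        allowed = self._permissions.get(role, set())
        # Deny by default: unknown roles and unlisted names are refused
        # before anything is looked up on the control entity.
        if behavior not in allowed:
            raise PermissionError(f"{role!r} may not invoke {behavior!r}")
        return getattr(self._control, behavior)(*args)


def demo():
    control = AccountControl()
    # Nothing in front of the control entity: any caller reaches any behavior.
    ungated = control.close_account("ACC-1")
    gate = AccessGate(control, {
        "customer": {"view_balance"},
        "manager": {"view_balance", "close_account"},
    })
    ok = gate.invoke("customer", "view_balance", "ACC-1")
    try:
        gate.invoke("customer", "close_account", "ACC-1")
        denied = False
    except PermissionError:
        denied = True
    return ungated, ok, denied, gate.checks


if __name__ == "__main__":
    print(demo())
```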

 
Hemant Jha
Founder - VPlanSolutions
Researcher, Trainer

www.VPlanSolutions.co.in