Draft Proposed GNU Enterprise Security Framework

Stanley A. Klein

Version 0.2.7

Table of Contents
1. Introduction and Overview
1.1. An overview of security
1.2. Outline of the document
2. Security categories
2.1. Category A: Very small company, all users fully trusted for all functions, no legal or contractual constraints
2.2. Category B: Very small company, all users fully trusted for all functions; legal or contractual constraints
2.3. Category C: Small/medium company, legal and contractual requirements, no external network connection
2.4. Category D: Small/medium company, legal and contractual requirements, external network connection
2.5. Category E: Medium to Large company with special concerns
3. Discussion of Security Policy Drivers
3.1. Legal trustworthiness requirements
3.2. Critical Infrastructure Protection requirements
3.3. Other legal requirements
3.4. Separation-of-duty business policies
4. RBAC
5. Security Environment
5.1. The operating system
5.1.1. Linux/BSD
5.1.2. Windows
5.1.3. Macintosh
5.2. The Database Management System
5.2.1. Postgresql
5.2.2. MySQL
5.2.3. SAPdb- SQL
5.2.4. Others
5.3. The Middleware
5.4. The GNUe system functions and architectures
5.5. Physical protections and manual/paperwork procedures
6. Examples of approaches to supporting security policies
6.1. Legal trustworthiness requirements
6.2. Critical Infrastructure Protection requirements
6.3. RBAC
7. Implications for GNUe
7.1. Pass-through functionality
7.2. Locations in GNUe where access can be controlled
7.3. Virtually combined data structures with separate access to components
7.4. Actions that include security calls
8. Specific guidelines
9. References
10. Appendix

1. Introduction and Overview

This document is intended as a framework for GNU Enterprise security. The document is based on the following principles:

  1. There are two major purposes of GNUe security:

    1. To ensure that GNUe provides the requisite security functionality to enable its users to satisfy their legal obligations regarding issues such as trustworthiness of data, auditability of financial records, and protection of personal privacy, and

    2. To enable GNUe users to implement such policies as they may reasonably adopt for protecting the confidentiality, integrity, and availability of their valuable data and business processes.

  2. GNUe is intended to work with a variety of supporting environments. These environments include security features and functions provided by

    1. The operating system and associated security-related tools

    2. The database management system (DBMS) or other data management function

    3. The middleware, or other support for interoperability and distributed processing

    4. The functions provided by GNUe itself, and

    5. Physical protections and manual/paperwork procedures.

  3. GNUe is intended to operate in a variety of architectures, ranging from two-tier (client-server) architectures implemented on a single-user machine to multi-tier architectures implemented on distributed processing networks, possibly including Internet connectivity.

  4. To the maximum extent feasible, GNUe will provide its security functions by facilitating use of the security services and security policy implementation capabilities provided by the operating system, DBMS, and middleware standards. If a potential user security policy is identified that cannot be met using these features, it will be recommended that the policy, if adopted, be met using paperwork and manual procedures.

  5. The security functionality of GNUe will be focused on support for Role Based Access Control (RBAC), which essentially implements the traditional methods used in business for protecting the confidentiality, integrity, and availability of valuable data and business processes, and is compatible with the leading trends in information security.

  6. The approach used for GNUe security will be to provide the appropriate infrastructure, together with user guidelines, necessary to enable users to meet legal obligations and to implement reasonable security policies under a range of anticipated environments. The detailed security requirements will be determined by the enterprises that use GNUe. The guidelines will be organized into a set of security levels, appropriate to the anticipated needs of various categories of users.

1.1. An overview of security

The underlying concept of GNUe security is that the user has the basic responsibility for security and that GNUe can only provide appropriate tools within its scope to support the user in implementing security.

The basic goals of information security are to protect information from disclosure to unauthorized recipients (confidentiality), to ensure that only authorized sources make changes to information (integrity), to ensure that the legitimate users of a system can receive its services when required (availability), to ensure that the actions of an individual can be uniquely traced to that individual (accountability), and to ensure that agreements made electronically can be proven to have been made (non-repudiation).

Information security is always a tradeoff. Perfect security does not exist in the real world. Any real-world system can be successfully attacked if the attacker is willing to spend enough time and money. The defender's objective is to make the time and cost of a successful attack much greater than either the useful life or the value of the information in the system. There is also a tradeoff among the potential losses to the owner if information is successfully attacked, the costs of protection, and the inconvenience to legitimate users caused by the protective measures.

Within the scope of security, the tasks include providing protection, detecting intrusions, and recovering from intrusions. In some cases there is a tradeoff between preventing an access and allowing the access but logging its activity. In such cases improper activity is detected after the fact by evaluating the logs, so the value of the logging approach depends on the logs actually being reviewed.

In general, an enterprise should identify and inventory the data it expects to manage using GNUe, perform the relevant tradeoffs, and establish security policies and associated protections for each category of data it identifies. It should then configure its implementation of GNUe to satisfy the policies it adopts.
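The following is an added illustration, not code from the GNUe project or from this draft, of the two approaches just described: a per-category policy that either prevents an out-of-role access or allows it but records it, an audit log that captures every decision, and a review step that evaluates the log for improper activity. The data categories, roles, user names and policy choices are constructed for the example; an unknown category is denied so that the gate fails closed.

```python
"""Added example (not part of the GNUe security framework draft): a minimal
prevent-or-log access gate with the log review that makes the 'log' choice
meaningful. All categories, roles, users and policies below are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    PREVENT = "prevent"  # deny the out-of-role access outright
    LOG = "log"          # allow the out-of-role access but record it for review


@dataclass(frozen=True)
class Policy:
    readers: frozenset  # roles permitted to read this data category
    mode: Mode          # what to do with a request from any other role


# Hypothetical outcome of the inventory step: each identified data category
# gets a policy the enterprise has chosen after weighing the tradeoffs.
POLICIES = {
    "payroll": Policy(frozenset({"payroll_clerk", "cfo"}), Mode.PREVENT),
    "ledger": Policy(frozenset({"accountant", "cfo"}), Mode.LOG),
    "catalog": Policy(frozenset({"sales", "accountant", "cfo"}), Mode.LOG),
}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, role, category, decision):
        # Every request is logged with its outcome, so the log supports
        # accountability for both enforced and merely observed policies.
        self.entries.append({"user": user, "role": role,
                             "category": category, "decision": decision})


def check_access(user, role, category, log):
    """Return True if the access is allowed, recording the decision either way.

    Unknown categories have no policy and are denied (fail closed) rather than
    silently treated as unprotected.
    """
    policy = POLICIES.get(category)
    if policy is None:
        log.record(user, role, category, "denied-unknown-category")
        return False
    if role in policy.readers:
        log.record(user, role, category, "allowed")
        return True
    if policy.mode is Mode.PREVENT:
        log.record(user, role, category, "denied")
        return False
    # Allow-but-log: the access goes through, but is marked for later review.
    log.record(user, role, category, "allowed-out-of-role")
    return True


def review(log):
    """Evaluate the log: return every entry that indicates improper activity,
    i.e. denied attempts and out-of-role accesses that were permitted only
    because the category's policy is 'log' rather than 'prevent'."""
    return [e for e in log.entries if e["decision"] != "allowed"]


if __name__ == "__main__":
    log = AuditLog()
    check_access("alice", "payroll_clerk", "payroll", log)  # in role, allowed
    check_access("bob", "sales", "payroll", log)            # prevented
    check_access("bob", "sales", "ledger", log)             # allowed, flagged
    check_access("bob", "sales", "inventory", log)          # no policy, denied
    for entry in review(log):
        print(entry)
```

The point of `review` is that a 'log' policy only detects misuse if someone (or some scheduled job) actually evaluates the entries; a category protected by logging alone but never reviewed is effectively unprotected.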

Recovery from an intrusion involves treating the computer system as a crime scene. Just as with a physical crime scene, the system must be secured against disturbance and evidence must be collected in a manner that is appropriate under applicable law. System recovery can be started only after the evidence has been collected and secured; restoring or rebuilding the system first destroys the evidence.

1.2. Outline of the document

The remainder of this document presents the details in the areas of assumed environments, RBAC, and the range of security policies that will be supported.