Information Security

Abstract

Security in information systems is a complex problem. Single solutions to complex problems don't exist, and matching the appropriate solution (or more accurately, a set of solutions) to a requirement is necessary. This paper provides a list of definitions of information security-related terms; reviews ISO 7498-2, the security architecture reference model; presents an organizing matrix; discusses application layer security, enclave protection, link protection, and the Department of Defense's most recent (March 2002) "Overarching Wireless Policy"; and presents examples of problems that can occur (e.g., credit card transactions over the internet and the Walker insider attack against the Navy's worldwide communications system). The author concludes that the higher up the matrix one can solve a security problem, the better. In particular, if one can solve confidentiality problems at the application layer, one can use the general purpose network. None of the solutions are mutually exclusive. It's entirely possible to solve the confidentiality problem with end-to-end secure e-mail, communicate entirely within a closed enclave (carefully firewalled or air-gapped to keep out outsiders), and use link encryption to frustrate traffic analysis by eavesdroppers. When one considers acquiring information systems, one wants to express the lower layer requirements to the "plumbers" -- those who build and provision the network -- and the top-layer requirements to the application designers. Mixing these signals (graphically visualized as crossing the matrix diagonally) results in asking the right requirements, but of the wrong providers. Most importantly, the specific security requirements must be properly matched with a solution that directly targets the requirement. In the matrix presented, this is visually illustrated by horizontal lines between problem and solution; diagonal traces indicate a mismatch.

Document Details

Document Type
Technical Report
Publication Date
Apr 01, 2002
Accession Number
ADA461312

Entities

People

  • Rex Buddenberg

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Energy and Power Technologies
  • Space

DTIC Thesaurus Topics

  • Abstracts
  • Command And Control
  • Computer Access Control
  • Computers
  • Cryptography
  • Data Links
  • Denial Of Service Attack
  • Department Of Defense
  • Electrical Industry
  • Electronic Mail
  • Information Operations
  • Information Security
  • Information Systems
  • Networks
  • Reliability
  • Security
  • Standards

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Linear Algebra
  • Systems Analysis and Design