Software:The Protection of Information in Computer Systems
From HandWiki
Short description: Information security publication (1975)
| The Protection of Information in Computer Systems | |
|---|---|
| Created | 1975 |
| Author(s) |
|
| Subject | Information security |
The Protection of Information in Computer Systems is a 1975 seminal publication by Jerome Saltzer and Michael Schroeder about information security.[1][2] The paper emphasized that the primary concern of security measures should be the information on computers and not the computers itself.[3]
It was published 10 years prior to Trusted Computer System Evaluation Criteria, commonly known as the Orange Book.[4]
Design principles
The following design principles are laid out in the paper:
- Economy of mechanism: Keep the design as simple and small as possible.
- Fail-safe defaults: Base access decisions on permission rather than exclusion.
- Complete mediation: Every access to every object must be checked for authority.
- Open design: The design should not be secret.
- Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.
- Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
- Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users.
- Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
- Work factor: Compare the cost of circumventing the mechanism with the resources of a potential attacker.
- Compromise recording: It is sometimes suggested that mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss.
See also
References
- ↑ Smith, Richard E. (November 2012). "A Contemporary Look at Saltzer and Schroeder's 1975 Design Principles". IEEE Security & Privacy 10 (6): 20–25. doi:10.1109/MSP.2012.85. ISSN 1540-7993.
- ↑ Seeley, Nicholas. "Seminal Papers in Cybersecurity: A Review (Part 2 of 2)" (in en-us). https://selinc.com/cybersecurity-center/seminal-papers-in-cybersecurity-part-2/.
- ↑ Samonas, Spyridon; Coss, David (2014). "The CIA Strikes Back: Redefining Confidentiality, Integrity and Availability in Security" (in en). Journal of Information Systems Security 10 (3): 21–45. https://www.jissec.org/Contents/V10/N3/V10N3-Samonas.html.
- ↑ Smith, Sean; Marchesini, John (2007). The Craft of System Security. Pearson Education. ISBN 9780132797542.
External links
- Saltzer, Jerome; Schroeder, Michael (April 17, 1975). "The Protection of Information in Computer Systems". Symposium on Operating Systems Principles. http://www.cs.virginia.edu/~evans/cs551/saltzer/.
 |  |
