13. Security Principles

The security CIA
This video explains a set of security principles that are the framework for all security programs. These basic ideas are not specific to cybersecurity or IT and are used to structure how we protect our technologies.
Saltzer and Schroeder published their design principles in the 1975 paper “The Protection of Information in Computer Systems”:
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- User-friendly interface
(Source: http://web.mit.edu/Saltzer/www/publications/protection/index.html)
Economy of Mechanism means to keep things small and simple.
- Bigger is not better. It just means there’s more to protect. And complexity is an enemy of security.
- Complex systems are harder to defend because you need to understand all of the ways to access them and how processes can be broken to allow unauthorized activities.
To fail safe means to anticipate how things can go wrong and to ensure that when they do, things are in a safe state. This safe state should be the default, not an exception. To do this, you need to know how something may fail and plan for that failure, which is failing smart.
Least Privilege is a concept dealing with Access Control. It means having the minimum privileges or permissions needed to do a job. Nothing more, nothing less. Too much and you could be blamed if there are problems.
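The fail-safe and least-privilege ideas above, as an added example that is not part of the original course material. The role names, permission strings, and the policy store are constructed for illustration.

```python
# Constructed policy: each role lists only the actions its job needs
# (least privilege). Role and permission names are hypothetical.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:update"},
    "auditor": {"ticket:read", "log:read"},
}


class PolicyStoreError(Exception):
    """Raised when the (hypothetical) policy store cannot be read."""


def load_permissions(role, store):
    """Look up a role's permissions; fails for outages and unknown roles."""
    if store is None:  # simulates the policy store being unavailable
        raise PolicyStoreError("policy store unavailable")
    return store[role]  # raises KeyError for a role that is not defined


def is_allowed(role, action, store=ROLE_PERMISSIONS):
    """Return True only when the policy explicitly grants the action.

    Every other outcome (unknown role, unlisted action, store failure)
    ends in the safe state: access denied.
    """
    allowed = False  # fail-safe default: deny unless proven otherwise
    try:
        allowed = action in load_permissions(role, store)
    except Exception:
        allowed = False  # any failure leaves the system in the safe state
    return allowed


def excess_privileges(granted, used):
    """Permissions held but never exercised: candidates for removal."""
    return sorted(set(granted) - set(used))


if __name__ == "__main__":
    print(is_allowed("helpdesk", "ticket:update"))            # explicit grant
    print(is_allowed("helpdesk", "log:read"))                 # not in the role
    print(is_allowed("intern", "ticket:read"))                # unknown role
    print(is_allowed("helpdesk", "ticket:read", store=None))  # store outage
    print(excess_privileges(ROLE_PERMISSIONS["auditor"], ["ticket:read"]))
```
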
Choke points and defense in depth:
- Choke Point - only one way in or out
- Defense in Depth - layers of security
The CIA of security is Confidentiality, Integrity, and Availability.
QUIZ QUESTION:
Match the example with the security concept.
ANSWER CHOICES:
Security Principle | Example |
---|---|
Economy of Mechanism | |
Fail Safe | |
Least Privilege | |
Chokepoint | |
Confidentiality | |
SOLUTION:
Security Principle | Example |
---|---|
Chokepoint | |
Confidentiality | |
Fail Safe | |
Economy of Mechanism | |
Least Privilege | |