Security is, perhaps, the most important and necessary assurance requirement to consider when deploying a system. Because computing systems assume more and more widespread business and mission-critical functionality each day, the cost associated with a breach of security is also increasing. Furthermore, because security problems are human-induced problems, the range of possible problems is as limitless as the human mind. Security, thus, becomes a crucial problem to solve.
The Basic Security Model
The Basic Security Model
Figure Security depicts the basic security model that results from security problems and assurance-provisioning mechanisms. At the top of the diagram, a resource provider is shown offering some security-critical data or application resources. Such resources are security-critical because a malicious being, such as the hacker depicted at the bottom of the diagram, can corrupt, reference (that is, access), replace, delay access to, or deny access to such resources.
Figure Security : The basic security model.
A security service provider depicted on the left side of the diagram attempts to protect such resources from attack by providing protection services such as integrity, confidentiality, authorization and access, identity, authenticity, availability, non repudiation, and auditing-protection services. Such services attempt to thwart the hacker's best efforts.
The right side of the diagram shows the beneficiary of the security services. These services include the following:
§ Integrity Verification: The beneficiary has some verification that the data or application is accurate.
§ Confidentiality Preservation: The beneficiary has some assurance that confidentiality of the data or application has been preserved.
§ Authorization/Access Permission: Properly authorized permission to access security-critical data, application, or other resource has been provided.
§ Identity Verification: The beneficiary has some verification that the identity associated with the data or application source is who they say they are.
§ Authenticity Permission: Properly authenticated permission to access some data, application, or other resource has been provided.
§ Availability of Service: The beneficiary has access to the data, application, or other resource when it expects to have access.
§ Nonrepudiation Evidence: The beneficiary has some evidence regarding from whom the data or application comes or has some evidence that an intended receiver actually received data sent to it.
§ Auditing Evidence: The beneficiary has some evidence of security-critical operations that take place in the system.
Java and Security
Java is a language for the Web and is used to design Web pages. The first Web pages created using Java contained just images and text. However, this was an advancement from the traditional way of presenting information. You had access to a large repository of data that could be accessed through the hyperlinks on a page. The only drawback was that for executable programs, you had to refer to the server. The Web interface was so designed that you filled up data in a page and the data was transmitted to the server where it was acted on by an executable program. There were animations or puzzles that made a Web page more exciting; however, they could not be successful if they were placed on the server for execution. Moreover, if the concerned program was placed on the server, there was a long time interval between the submission of a customer query and the result of the query being displayed on the Web page. Wouldn't it be much easier and require less overhead if executable programs could be placed on the Web page itself? However, here comes the security factor. If programs are placed on Web pages, there is a risk of viruses being downloaded when you load the specified Web page in the browser or execute the program on your computer. Second, if the program was created using a specific platform that is not supported by your system, the main benefit of the Web being platform-independent whereby you can run programs on any client is lost.
A security service provider depicted on the left side of the diagram attempts to protect such resources from attack by providing protection services such as integrity, confidentiality, authorization and access, identity, authenticity, availability, non repudiation, and auditing-protection services. Such services attempt to thwart the hacker's best efforts.
The right side of the diagram shows the beneficiary of the security services. These services include the following:
§ Integrity Verification: The beneficiary has some verification that the data or application is accurate.
§ Confidentiality Preservation: The beneficiary has some assurance that confidentiality of the data or application has been preserved.
§ Authorization/Access Permission: Properly authorized permission to access security-critical data, application, or other resource has been provided.
§ Identity Verification: The beneficiary has some verification that the identity associated with the data or application source is who they say they are.
§ Authenticity Permission: Properly authenticated permission to access some data, application, or other resource has been provided.
§ Availability of Service: The beneficiary has access to the data, application, or other resource when it expects to have access.
§ Nonrepudiation Evidence: The beneficiary has some evidence regarding from whom the data or application comes or has some evidence that an intended receiver actually received data sent to it.
§ Auditing Evidence: The beneficiary has some evidence of security-critical operations that take place in the system.
Java and Security
Java is a language for the Web and is used to design Web pages. The first Web pages created using Java contained just images and text. However, this was an advancement from the traditional way of presenting information. You had access to a large repository of data that could be accessed through the hyperlinks on a page. The only drawback was that for executable programs, you had to refer to the server. The Web interface was so designed that you filled up data in a page and the data was transmitted to the server where it was acted on by an executable program. There were animations or puzzles that made a Web page more exciting; however, they could not be successful if they were placed on the server for execution. Moreover, if the concerned program was placed on the server, there was a long time interval between the submission of a customer query and the result of the query being displayed on the Web page. Wouldn't it be much easier and require less overhead if executable programs could be placed on the Web page itself? However, here comes the security factor. If programs are placed on Web pages, there is a risk of viruses being downloaded when you load the specified Web page in the browser or execute the program on your computer. Second, if the program was created using a specific platform that is not supported by your system, the main benefit of the Web being platform-independent whereby you can run programs on any client is lost.
No comments:
Post a Comment