Wednesday 21 September 2016

Domain Based Security

Domain Based Security is increasingly used for the identification, analysis and documentation of security issues in enterprise communication and information systems projects, particularly in the military domain and for ASP.NET software companies in India. The method incorporates numerous security-related activities in the early stages of the systems lifecycle to support the specification of high-level, technology-independent security solutions.

The article focuses on: 

  • Ranking risks according to an appropriate value system
  • Modeling business connections in an extensible manner

The DBSy Model (Domain Based Security)

The DBSy approach uses simple models to represent the requirements for security in an organization from two different but related viewpoints: the InfoSec Business Model represents the security aspects of the business, while the InfoSec Infrastructure Model represents the logical provision of strong boundaries that enforce separation. When combined, they create an InfoSec Architecture Model. This model forms the basis for conducting a systematic and rigorous risk assessment.

The InfoSec business model defines security domains and the connections between them. The model specifies the limits of what information can be processed and exchanged between security domains, and so forms the set of security requirements for the business. In particular, connections that are not explicitly modelled are not permitted and are required not to occur. A security domain is characterized by a set of information assets, which may be valuable to the organization, as well as the people who work with the information and the applications and services that act on their behalf. Connections between domains are characterized by the nature of the interaction that is required (such as interpersonal messages, or shared access to a database) and the sensitivity and integrity requirements of the information exchange. The model can also represent the kinds of physical environment from which a domain can be accessed.

The InfoSec infrastructure model defines islands of computing infrastructure that are required to be logically separate, so that information cannot be exchanged between them except at identifiable and manageable points of connection, referred to as causeways. An island is characterized by the strength of separation between it and any other islands and by the people who manage its computing infrastructure.

An InfoSec architecture model combines the business and infrastructure views by showing which security domains are supported by which islands of infrastructure. Where there are connections between security domains that are hosted on different islands, the connections must be supported by an appropriate causeway.
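The two rules above (unmodelled connections are not permitted, and cross-island connections need a causeway) can be checked mechanically. The following Python sketch is an added example, not part of the DBSy method's own tooling; the domain, island and causeway names are constructed, and treating connections as directed and causeways as carrying specific interaction kinds are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    src: str   # source security domain
    dst: str   # destination security domain
    kind: str  # nature of the interaction, e.g. "messaging"

# Business view (constructed sample): the connections explicitly modelled.
CONNECTIONS = {
    Connection("HR", "Finance", "shared-database"),
    Connection("Finance", "Partner", "messaging"),
    Connection("HR", "Partner", "file-transfer"),
}
# Infrastructure view (constructed sample): the island hosting each domain,
# and the interaction kinds each causeway between two islands can carry.
HOSTED_ON = {"HR": "corp-island", "Finance": "corp-island", "Partner": "dmz-island"}
CAUSEWAYS = {("corp-island", "dmz-island"): {"messaging"}}

def causeway_kinds(island_a, island_b):
    """Interaction kinds supported by the causeway joining two islands, if any."""
    return (CAUSEWAYS.get((island_a, island_b))
            or CAUSEWAYS.get((island_b, island_a))
            or set())

def is_permitted(src, dst, kind):
    """Allow a flow only if it is explicitly modelled and, when it crosses
    islands, a causeway supports that kind of interaction."""
    if Connection(src, dst, kind) not in CONNECTIONS:
        return False  # not explicitly modelled, so required not to occur
    a, b = HOSTED_ON[src], HOSTED_ON[dst]
    return a == b or kind in causeway_kinds(a, b)

def unsupported_connections():
    """Modelled cross-island connections that no causeway supports: gaps
    between the business model and the infrastructure model."""
    return sorted(
        (c.src, c.dst, c.kind) for c in CONNECTIONS
        if HOSTED_ON[c.src] != HOSTED_ON[c.dst]
        and c.kind not in causeway_kinds(HOSTED_ON[c.src], HOSTED_ON[c.dst])
    )

if __name__ == "__main__":
    print(is_permitted("Finance", "Partner", "messaging"))
    print(unsupported_connections())
```

Running `unsupported_connections()` over a draft architecture model lists the business connections that the infrastructure cannot yet carry, which is where a causeway has to be specified or the connection removed.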

Risk Assessment Method

The DBSy method uses a rational risk framework for describing the risks to which information assets are exposed. Assets are grouped together as a focus of interest, and the risk assessment process is applied to each focus of interest in turn.

The key factors defining the risk to a particular focus of interest are:

  • The business impact of harm to the confidentiality, integrity or availability of the focus of interest.
  • Sets of people who might wish to inflict damage (threat sources) and their motivation for doing so.
  • People with different opportunities to inflict damage (threat actors) and their capability to do damage, who may also be threat sources or could be influenced by others.
  • The means by which each threat actor might cause damage (causes of compromise).

Conclusion

"Domain Based Security", abbreviated to "DBSy", is a model-based approach to help examine information security risks in a business context and provide a clear and direct mapping between the risks and the security controls desired to manage them.

Monday 12 September 2016

Access Control Domain

The Access Control domain encompasses:

  • Discretionary, Mandatory, and Non-Discretionary models 
  • Identification methods, Authentication methods
  • Accountability, monitoring, and auditing practices 
  • Intrusion detection systems/Intrusion Prevention Systems 
  • Likely threats to access control practices and technologies 
  • A Framework that dictates how Subjects access Objects

The types of access control are:

  • DAC
  • MAC
  • RBAC 

Discretionary Access Control – DAC

A system that uses discretionary access control (DAC) allows the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner.

For example, a manager of a particular department in a custom software development company might be made the owner of the files and resources within his/her domain.

The most common implementation of DAC is through ACLs, which are specified and set by the owners and enforced by the operating system.

  • DAC leaves the granting and revoking of access privileges to the discretion of the individual users
  • It is highly flexible 
  • Not appropriate for –
    -- High assurance systems, e.g. a military system 
    -- Many complex commercial security requirements 
  • It is Identity-based 


Mandatory Access Control – MAC

In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users' wishes.

This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and undefined), and data is classified in the same way. The clearance and classification data are stored in the security labels, which are bound to the specific subjects and objects.

A given IT infrastructure in a software development company can implement MAC systems in many places and at different levels. The OS uses MAC to guard files and directories. Database management systems apply MAC to regulate access to tables and views. The best commercially available application systems apply MAC, often independently of the operating systems and/or DBMSs on which they are installed.

The OS constrains the ability of a subject or initiator to access or perform some operation on an object. A subject is usually a process or thread, and objects are constructs such as files, TCP/UDP ports, shared memory segments, etc.

Whenever a subject tries to access an object, an authorization rule enforced by the operating system kernel inspects the security attributes and decides whether access can take place.

MAC is label-based, so information classification is necessary:

  • Well suited to the requirements of government and industry organizations that process classified and sensitive information
  • Such environments usually require the ability to control the actions of individuals beyond just an individual's capability to access information, according to how that information is labeled based on its sensitivity
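The difference between the two models is easiest to see when an owner's grant and a label check disagree. The Python sketch below is an added example, not code from any operating system: the users, file and clearances are constructed, and the MAC rule shown (a read requires a clearance at or above the object's label) is one assumed authorization rule chosen for illustration.

```python
# Label ordering, using three of the clearance names from the text above.
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}

# Constructed sample subjects; clearances are assigned centrally, not by users.
CLEARANCE = {"alice": "top secret", "bob": "confidential", "carol": "secret"}

class LabeledFile:
    def __init__(self, name, owner, label):
        self.name, self.owner, self.label = name, owner, label
        self.acl = {owner: {"read", "write"}}  # DAC: per-identity ACL

    def grant(self, granter, user, perms):
        """DAC: only the owner may hand out access, at the owner's discretion."""
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.name}")
        self.acl.setdefault(user, set()).update(perms)

    def revoke(self, granter, user):
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.name}")
        self.acl.pop(user, None)

def dac_allows(user, f, op):
    """Identity-based check against the owner-managed ACL."""
    return op in f.acl.get(user, set())

def mac_allows_read(user, f):
    """Label-based check (assumed rule): clearance must dominate the label."""
    return LEVELS[CLEARANCE[user]] >= LEVELS[f.label]

def can_read(user, f):
    """The system enforces MAC first; an owner's grant cannot override it."""
    return mac_allows_read(user, f) and dac_allows(user, f, "read")

def build_sample():
    """Constructed scenario: alice owns a 'secret' file and shares it."""
    plan = LabeledFile("plan.doc", owner="alice", label="secret")
    plan.grant("alice", "bob", {"read"})    # bob holds only 'confidential'
    plan.grant("alice", "carol", {"read"})  # carol holds 'secret'
    return plan

if __name__ == "__main__":
    plan = build_sample()
    for user in ("alice", "bob", "carol"):
        print(user, dac_allows(user, plan, "read"), can_read(user, plan))
```

In the sample, bob appears in the ACL but is still refused, because the label check is evaluated by the system and is outside the owner's control.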


Role-Based Access Control – RBAC

  • In the RBAC model, a role is defined in terms of the tasks and operations that the role will need to carry out, whereas DAC outlines which subjects can access what objects.
  • RBAC uses a centrally administered set of controls to determine how subjects and objects interact. This type of model allows access to resources to be based on the role the user holds within the company, for example a software development company.
  • A role can be thought of as a set of transactions that a user or set of users can perform within the context of an organization, i.e. a collection of permissions.
  • A transaction can be thought of as a transformation procedure plus a set of associated data items
  • Roles are group oriented; created for job functions
  • Roles are based on the principle of least privilege
  • Role-based access control policy bases access control decisions on the functions a user is permitted to perform within an organization
  • RBAC provides a means of naming and describing many-to-many relationships between individuals and rights
  • A user has access to an object based on the assigned role.
  • Roles are defined based on job functions.
  • Permissions are defined based on job authority and responsibilities within a job function.
  • Operations on an object are invoked based on the permissions.
  • The object is concerned with the user's role and not the user.
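The bullets above describe a many-to-many mapping from users to roles and from roles to transactions. The Python sketch below is an added example with constructed role, user and object names for a software development company; it is not taken from any RBAC product.

```python
# A permission is a transaction: (operation, data item). Constructed sample.
ROLE_PERMISSIONS = {
    "developer":       {("commit", "source-repo"), ("read", "build-logs")},
    "release-manager": {("read", "source-repo"), ("deploy", "production")},
    "hr-officer":      {("read", "personnel-records"),
                        ("update", "personnel-records")},
}

# Users are assigned roles centrally; objects never list individual users.
USER_ROLES = {
    "dana": {"developer"},
    "eli":  {"developer", "release-manager"},
    "fay":  {"hr-officer"},
}

def permissions_of(user):
    """Effective permissions: the union over every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS[role]
    return perms

def check(user, operation, obj):
    """The decision depends on the user's roles, not on the user's identity."""
    return (operation, obj) in permissions_of(user)

def users_who_can(operation, obj):
    """Audit helper: which individuals hold a given right through any role."""
    return sorted(u for u in USER_ROLES if check(u, operation, obj))

def reassign(user, roles):
    """Central administration: a job change is one role update, with no
    edits to any object's permissions."""
    unknown = set(roles) - ROLE_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"undefined roles: {sorted(unknown)}")
    USER_ROLES[user] = set(roles)

if __name__ == "__main__":
    print(check("dana", "deploy", "production"))      # dana is only a developer
    print(users_who_can("commit", "source-repo"))
    reassign("dana", {"hr-officer"})                  # dana moves to HR
    print(check("dana", "commit", "source-repo"))
```

`users_who_can` is the kind of query an access review uses to confirm that each role still carries only the permissions its job function needs.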


Conclusion:

Thus, a custom software development company should adopt structured methods for access control and assign roles to employees based on their privileges. This leads to secure access and intact security in the company or firm, restricting entities from using unauthorised information.