next up previous contents
Next: 3.1.4.5 Non-repudiation and trusted Up: 3.1.4 Provision of security Previous: 3.1.4.3 Access control

3.1.4.4 Confidentiality and integrity

The central security management system is supposed to deal with confidentiality or integrity issues because these are at the heart of every security policy. The adaptive system has to prevent outsiders to get access to sensitive information and modify or delete data or render systems unusable. There can however be a need for separate confidentiality or integrity services.

Using cryptography is often a computationally intensive task. When a lot of data is to be transmitted or received the process of encrypting, decrypting, hashing or calculating checksums can become a heavy burden for multi-purpose machines that have not been designed to cope with complex mathematical computations. A dedicated machine with special hardware can be used to provide a confidentiality and integrity service and perform these cryptographic operations more efficiently3.2. The security management service can control the access to these services such that not every machine on the network has to be equipped with special dedicated hardware to enjoy confidentiality and integrity of exchanged messages. Clearly, the data still has to pass between the client and the encryption server. Communication with the server may however happen using a lower grade but faster cipher system, while the data that is passed back to the client is enciphered using high quality algorithms with large keys and therefore safer to be sent across a public network like the Internet, where the more sophisticated crackers may be intercepting messages. Alternatively the encryption server could be a link encryptor that sends the data straight to the recipient using a dedicated secure channel.

Sophisticated virus scanners could also be implemented as a dedicated security service. They could be used to check e-mail messages or other network communications or mount remote filesystems and look for viruses on remote computer systems. Because it is a separate dedicated service, the antivirus software could do intensive checks and implement computationally intensive heuristic methods to find various types of Trojan horses, viruses, logic bombs etc. Centrally administering virus checks simplifies the management of signature files for known viruses and checksum files for well-known and often used applications.



Footnotes

... efficiently3.2
Following ISO terminology, encryption is a security mechanism that can be used to provide e.g. a confidentiality service. The mechanisms are the enablers of the services. A service can be provided using different mechanisms, and a mechanism can be used by various services.

next up previous contents
Next: 3.1.4.5 Non-repudiation and trusted Up: 3.1.4 Provision of security Previous: 3.1.4.3 Access control
(c) 1998, Filip Schepers