Security Frames

Rudy Ruiz — Tue, 03 Mar 2009 18:02:56 +0000

The classic CIA Triad (Confidentiality, Integrity and Availability) as it is affectionately called has been used for decades as a means to coarsely outline certain security/assurance expectations of a system. It has lasted this long because who can forget a TLA? Sadly, it is too general to be used effectively in most application security endeavors. There have been many who have attempted to elaborate on the triad to make it more useful. Microsoft’s Security Frame was a great effort. It identified the important and relevant categories that were hidden away within the triad. However, going from a TLA to a set of ten concepts or IAACSSCEA isn’t exactly easy to recall. Yes, I know, this should be documented as part of a defined process chock full of cheat sheets, tips and lists. Well, in an effort to align these concepts with my view of security functions and properties I created a set of six concepts that are derived from CIA, but that add more precision. You’ll probably recognize some of these labels. Yes, some of them made sense to retain from Microsoft’s Frame, others were useful labels gathered from the Common Criteria (oh no! not that!?). So, I managed to trim a few items by merging them with a more common categrory. Let’s see if an uninformed reader can make sense of these:

Accountability and Event Reconstruction
Data Protection
Identity and Access Management
Exception Management and Availability
Management and Configuration
Survivability

Identity and Access Management is perhaps the most intuitive category. In encompasses authentication, authorization and other concepts related to access control. Accountability is also fairly straight forward. What is your take on the others?

Epistemological Relativism » Application Security

Security Frames