The Control Architecture

The enterprise operates protection through the creation, operation, and adaptation of a control architecture. The control architecture includes structural mechanisms that obtain security objectives through access control, functional units, perimeters, authorization, change control, and lower surety non-architectural units.

  • Protection Objectives: Integrity, availability, and confidentiality have long been considered keystones of information protection, and in recent years, use control, accountability, and transparency have joined the ranks of critical information protection objectives. The acronym CIA (for confidentiality, integrity, availability) was historically used because of the military emphasis on confidentiality and the historical basis of information security in the cryptographic roots of confidentiality. But for most businesses, integrity is more important than anything else because wrong answers often produce higher consequences than no answers or leaked answers. Use control, accountability, transparency, and custody are also often protection objectives but have been largely ignored in most of the literature.

    • Integrity: With the increased use of computers for control over machines, integrity is critical to preventing loss of life and similar consequences, while loss of secrecy typically brings only financial losses and possible fines, which are rarely levied in cases of accidental or maliciously induced releases. Integrity generally includes proper association of source to content and of purported source to actual source, freedom from inappropriate changes to content, and content that reflects the desired reality to within the known parameters. Integrity is the certainty that content is suitable to its purpose.

    • Availability: Outages increasingly cause serious losses to businesses as they become more dependent on information technology for operational needs and as just-in-time systems become more critical to business success. Availability generally includes fault intolerance (hardening and increased reliability) and redundancy aspects. Availability is the certainty that content's utility can be gained when desired.

    • Confidentiality: Confidentiality is still of great import, but keeping secrets for long time periods is a rare exception today and not the norm. Therefore the time limits of secrecy, combined with the general availability of information to those willing to search for it, reduce the emphasis on this issue. While regulatory requirements in certain cases can be very substantial and consequences very serious, it is typically considered third to integrity and availability today in most business contexts. Confidentiality typically involves limits on access to, and utility of, exposed representations of content. Confidentiality is the certainty that content is comprehensible or not as appropriate to the context.

    • Use control: Use control becomes more of an issue as the utility of control functions and similar mechanisms leads to higher consequences of misuse. For example, the ability to use the control plane of an enterprise identity management system implies the potential for massive damage, because of the high risk aggregation caused by the dependency on this system of the rest of the enterprise that has integrated identity management. Use control typically involves identity, authentication levels, and authorities for use. Use control reflects the certainty that content is usable for the intended purposes and for no others.

    • Accountability: Accountability is fundamental to the ability to attribute actions to actors for attributing financial and other responsibility. Legal and regulatory drivers also increasingly force accountability. Accountability typically includes attribution of actions to actors, situational information relating to time, context, and so forth, and the activity performed. Accountability is the certainty of being able to attribute actions to actors with regard to content.

    • Transparency: Transparency is essentially the ability for others to see how processes work. It is often used as a basis for evaluating trust, is fundamental to open government, is required by law in many situations, and is increasingly demanded by partners and customers. It typically includes identification of process elements and how they are implemented along with records of the history of who did what, how, when, and why.

    • Custody: Custody is about physical and logical control of content and media. It is often used as a basis to assert integrity and authenticity, and is required in many cases for use in legal settings. The implementation typically involves documenting the source, chain of possession (or custody), and status relative to original writing. It is closely linked to integrity, but is sometimes identified as a unique property.

  • Change Control: Change control is an identified set of architectural requirements and implementation mechanisms that separate research and development, testing and approval, and operations from each other, and provide the means for assuring proper control and approval processes over changes.

  • Access facilitation: Authorization for use is a process in which a subject is identified, an adequate level of authentication of that identity is provided for the contextual use, authorization for that use is granted or denied based on that use and the authenticated identity, and use proceeds or doesn't.

  • Trust: Trust is the extent to which you are willing to sustain harm from another. Trust tends to be transitive in that when you trust someone or some thing, you trust what they trust, and they trust what the next person or thing trusts, and so forth. This chain of trust and the extent to which trust is extended defines and limits the harm that these trusts can create.

  • Perimeters: The perimeter architecture provides for physical and logical separations of zones with different and possibly sequential protection mechanisms to limit access and activities passing those barriers.

  • Functional Units: These are classes of mechanisms that are used to partition information and systems in different ways, so that separation of classification levels and need-to-know areas is based on a set of control mechanisms and an architectural-level mechanism for control and audit, separation of control and audit from data, separation of duties, and similar separation mechanisms.

  • Control Scheme: Access controls in the control architecture sense have to do with the overall model used for determining validity of access of subjects (people, programs, etc.) to objects (things, data, files, systems, etc.). The typical model uses (1) clearance levels for people and other subjects, (2) classifications for data and other objects, (3) a rule for matching clearances to classifications to determine access restrictions, (4) a notion of need-to-know that allows separation of projects and other elements based on risk aggregation and similar requirements, (5) separation requirements for assuring the proper division of content and infrastructure, and (6) surrounding controls that assure that the access control is implemented.
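As an added example that is not part of the original page, the following Python models the authorization steps listed under Access facilitation (identify the subject, authenticate to a level adequate for the context, authorize for the use, then proceed or deny) together with elements (1) to (4) of the Control Scheme: ordered clearances and classifications, a dominance rule matching one to the other, and need-to-know compartments checked separately from clearance. Each decision also writes an audit record of actor, context, and outcome, which is the accountability objective above. The level names, the identity directory, and the subjects and objects are all constructed for illustration; the page prescribes no particular scale or matching rule.

```python
"""Toy access-decision model (added example; not from the page).

Combines the authorization steps of "Access facilitation" with elements
(1)-(4) of the "Control Scheme": ordered clearances and classifications,
a dominance rule, and need-to-know compartments. Every level name,
identity, subject and object below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# Ordered scales (constructed): a later entry dominates an earlier one.
LEVELS = ["public", "internal", "confidential", "restricted"]
AUTH_LEVELS = ["none", "password", "password+mfa", "hardware-token"]

# Constructed identity directory: the identification step checks membership.
DIRECTORY = {"alice", "bob"}

# Accountability record: who tried what, in which context, and the outcome.
AUDIT: List[Dict[str, str]] = []


@dataclass(frozen=True)
class Subject:
    identity: str
    auth_level: str               # strength with which the identity was proven
    clearance: str                # highest classification the subject may read
    compartments: FrozenSet[str]  # need-to-know areas granted


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str
    compartments: FrozenSet[str]  # need-to-know areas required


@dataclass(frozen=True)
class Context:
    purpose: str
    min_auth_level: str           # authentication adequate for this contextual use


def _rank(scale: List[str], value: str) -> int:
    """Position on an ordered scale; an unknown level is a configuration error."""
    if value not in scale:
        raise ValueError(f"unknown level {value!r}; expected one of {scale}")
    return scale.index(value)


def _record(subject: Subject, obj: Obj, ctx: Context, decision: str, reason: str) -> None:
    """Append one accountability entry: actor, situation, activity, outcome."""
    AUDIT.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": subject.identity,
        "auth_level": subject.auth_level,
        "object": obj.name,
        "purpose": ctx.purpose,
        "decision": decision,
        "reason": reason,
    })


def decide(subject: Subject, obj: Obj, ctx: Context) -> Tuple[bool, str]:
    """Run the checks in order and fail closed on the first one that does not hold."""
    try:
        checks = [
            # (1) identification: is this a known subject at all?
            (subject.identity in DIRECTORY,
             "unknown identity"),
            # (2) authentication adequate for the contextual use
            (_rank(AUTH_LEVELS, subject.auth_level) >= _rank(AUTH_LEVELS, ctx.min_auth_level),
             "authentication level inadequate for context"),
            # (3) clearance must dominate the object's classification
            (_rank(LEVELS, subject.clearance) >= _rank(LEVELS, obj.classification),
             "clearance does not dominate classification"),
            # (4) need-to-know: every compartment the object requires must be held
            (obj.compartments <= subject.compartments,
             "need-to-know compartments not held"),
        ]
    except ValueError as err:  # misconfigured level names deny rather than pass
        _record(subject, obj, ctx, "deny", str(err))
        return False, str(err)
    for holds, reason in checks:
        if not holds:
            _record(subject, obj, ctx, "deny", reason)
            return False, reason
    _record(subject, obj, ctx, "grant", "granted")
    return True, "granted"


if __name__ == "__main__":
    alice = Subject("alice", "password+mfa", "restricted", frozenset({"payroll"}))
    review = Context("payroll-review", "password+mfa")
    salaries = Obj("salary-table", "confidential", frozenset({"payroll"}))
    plan = Obj("acquisition-plan", "confidential", frozenset({"mna"}))
    print(decide(alice, salaries, review))  # cleared and need-to-know held
    print(decide(alice, plan, review))      # cleared, but outside need-to-know
    for entry in AUDIT:
        print(entry)
```

The point the example makes is that need-to-know is a separate test from clearance: a subject cleared to the highest level is still denied an object whose compartment they do not hold, which is how item (4) limits risk aggregation across projects. Unknown level names are treated as a deny rather than ranked lowest, so a misconfigured context cannot silently pass every request. Items (5) and (6) of the scheme (separation of content and infrastructure, and the surrounding controls) are architectural properties rather than per-request checks and are not modelled here.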

In combination, these form the architectural elements of the control architecture, independent of implementation specifics.

For more details and in-depth coverage of these issues, download and read "Enterprise Information Protection"