Introduction to IT security
A set of hardware, firmware or software components that are critical to computer security can be termed a trusted computing base (TCB). These components are critical in the sense that vulnerabilities occurring inside them can jeopardize the functioning of the system. The security policy determines the security standard of the system. All parts of the computer outside the trusted computing base must not, at any cost, be able to function in a way that would leak any more privileges than are specified in the policy specification.
Every security mechanism depends on the implementation of a trusted computing base for the system; it is paramount. Though it is desirable to have a trusted computing base, most modern operating systems strive to reduce the size of the TCB so that its code base can be examined exhaustively. A trusted computing base is characterized by many factors. One of these is that it is predicated upon the security policy. Trust and a trusted computing base are required to make progress in the security of computer systems. What makes it trusted is the fact that bugs can be identified and fixed at all times. Mathematical proof techniques can be applied to show the presence or absence of bugs in a system. The TCB is therefore trusted because its code is examined at all times, making the determination of vulnerabilities feasible and realistic.
The relativity of the TCB is exemplified by the concept of the target of evaluation in the ring of trust model. It falls in a place where the trustworthiness of the model can be subjected to evaluation in order to determine the security standards of the system.
Trusted Computer Security Evaluation Criteria
The United States Department of Defense came up with the standard that is used for setting the security requirements of a computer system. The standard is referred to as the Trusted Computer System/Security Evaluation Criteria (TCSEC). The standard determines the effectiveness of computer system control evaluation. Its main purpose is to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive classified information. The criteria used in the evaluation of this standard are described in the sections that follow.
Policy
At all times there is a need for a policy that is well defined, explicit and well enforced in order to ensure the safety and security of computer systems.
Accountability
Accountability, on both an individual and a collective basis, must be enforced at all times. This holds with or without respect to the policy in place. A well-qualified agent should be authorized to access and assess the accountability of information within a reasonable amount of time and without undue difficulty.
Assurance
Independence of software and hardware resources is desirable. They should be evaluated independently in order to provide assurance of their effectiveness. Assurance therefore includes elements such as guaranteeing that a certain portion of the system works as intended.
The importance of the criteria applied cannot be overlooked. They allow for the establishment and documentation of the correct state of the system with regard to its capabilities and security features. They help in understanding the degree of reliability of the system as well as its availability.