Using Security Principles we should considering the applicability of security controls, realize not every control is appropriate for every situation. You must also consider that some security principles directly conflict with others, making the appropriate choice of the principle to follow a matter of careful consideration and judgment.
For example, Saltzer and Schroeder’s principle of least common mechanism indirectly conflicts with ISO 19249’s principles of centralized parameter validation and of centralized general security services. Does this mean one or the other of those principles is wrong? Certainly not. There is a time and a place for each.
Related Product : EC-Council Certified Incident Handler | ECIH v2
Saltzer and Schroeder’s principle is meant to minimize a single dependency among potential threats, while the ISO 19249 proposes to invest due diligence into building a secure, single dependency rather than depend upon multiple, disparate dependencies where vulnerabilities could also multiply.
To provide a concrete example, Amazon Web Services (AWS) relies upon the security of the hypervisors they use to virtualize servers. A compromise of their hypervisor could lead to a significant breach that affects many of their customers. They put a lot of work into ensuring their hypervisor software is as secure as they can make it. That said, they do not run the exact same hypervisor on every server in every one of their roughly 100 data centers around the world. By having something akin to generic diversity, should a security flaw be discovered in one of their hypervisors, the impact, while potentially large, might still be limited to those data centers using that specific version of the hypervisor.
For more on the concern, and what Amazon did about it, see the following resources:
- Issue with Xen hypervisor: https://arstechnica.com/information- technology/2014/10/security-bug-in-xen-may-have-exposed-amazon-other- cloud-services/
- Amazon develops its own KVM-based hypervisor: https://www.theregister.co.uk/2017/11/07/aws_writes_new_kvm_based _hypervisor_to_make_its_cloud_go_faster/
Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/
