What is a Security Policy?

Computer systems (including networks of computers) can only be said to be "secure" with respect to some defined "information security policy".

A security policy is a set of laws, rules, and practices that regulate how an enterprise manages, protects, and distributes sensitive information (i.e., "assets"). The sensitivity of information has historically been categorized in terms of three different policy goals:
- confidentiality – prevention of the unauthorized disclosure of information
- integrity – prevention of the unauthorized modification of information
- availability – prevention of the unauthorized withholding of information or resources. (This includes the unauthorized theft of computational resources, since it fundamentally results in the withholding of the stolen resources from those who are paying to use them.)
Security policies that protect the confidentiality or the integrity of information are further categorized by the basis for determining the sensitivity of the information and the related constraints that should be placed on user access to the information. Three different categories of security policies are:
Mandatory Access Control Policy

Typically a management directive that identifies the sensitivities of information and the constraints placed on people who might have access to the information. Access is not granted based on the discretion of individual users. These "MAC" policies are both global and persistent. Example uses of MAC policies are protection of highly proprietary secrets from potential competitors and ensuring that only authorized accountants can alter specific critical financial data.
Discretionary Access Control Policy

Individual users or groups of users can own or otherwise control the access to information and potentially the dissemination of rights to grant access to other users. Access decisions are based on the discretion of users (often within the context of management mandates intended to constrain a user's decision to grant access based on a "need to know").
Application Security Policy

Policies defined in terms of services or the intended behavior of an application. Examples include the desired behavior of web servers; the desire to detect and strip possibly malicious attachments from e-mail; and the use of firewalls to constrain inbound traffic to web requests.
Additionally, "supporting policies" are often defined in conjunction with the above categories of policies. These supporting policies include "identification and authentication" (i.e., allowing the protection mechanisms to know who the user is) and "audit" (i.e., enabling individual accountability).
A given enterprise can have a number of security policies with differing goals (e.g., availability, secrecy and integrity). Some policies can be more precisely defined than others. And, most importantly, the consequences of violating some policies are massively more severe than the consequences of violating other policies.
What is Trusted to Enforce the Policy?

Once the information security policy is understood, it must be transformed into a technical security policy, i.e., rules that can and will be enforced by some set of technology. A central question is "what technologies are we trusting to enforce which information security policies?" Consider the following three kinds of policy enforcement:
1) Policy Enforcement Dependent on All Applications

Enforcement of the policy depends on the correct operation of all software within the system. A program running on behalf of any user can potentially gain access to any information on the system, limited only by the design of the program itself.

2) Policy Enforcement Dependent on Authorized User's Applications

Enforcement of the policy depends on the proper behavior of the programs running on behalf of users who are authorized to access the information. For example, the authorized user's application (or a Trojan horse therein) could make an unauthorized copy of information. However, a program running on behalf of an unauthorized user is unable to access specific system resources (e.g., files) regardless of the design of the unauthorized user's program itself or the actions of the unauthorized user.

3) Policy Enforcement Independent of Applications

Enforcement of the policy does not depend on the behavior of programs running on behalf of either authorized users or unauthorized users.
Mandatory access control policies generally require the third type of policy enforcement, i.e., it should not depend on the correct operation of applications. Discretionary access control policies leave it to the discretion of the user to decide whether to share information with other users. For example, the user can request an application to send a copy of a document to another user. The user can only hope that the application is faithfully carrying out the user's intent (e.g., is not surreptitiously providing copies to other users). As a practical matter, it is difficult to separate the granting of access to other users from application programs themselves, and so enforcement of the discretionary policy is at the mercy of the applications run by users who are authorized to access the information. Thus, DAC policies generally require the second type of policy enforcement.
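The difference between the three kinds of enforcement, and the reason MAC needs the third kind while DAC can only get the second, is easiest to see in a small simulation. The following is an added example written for this tutorial, not code from the original page: a toy reference monitor that mediates every read, write and grant, with a switch for which checks are active. The users (alice, mallory), clearances, file names, the sample document text and the misbehaving application are all constructed. The MAC check implements the classic no-read-up / no-write-down rules (the page does not name a specific MAC model; that choice is an assumption here), with each subject operating at its clearance level; the DAC check consults an owner-controlled access list.

```python
"""Toy reference monitor contrasting the three kinds of policy enforcement.

Added illustration, not code from the original page. Users, labels, files
and the misbehaving application are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sensitivity lattice, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Subject:
    user: str
    clearance: str  # MAC attribute fixed by management, not chosen by the user


@dataclass
class Obj:
    owner: str
    level: str                               # MAC label: global and persistent
    acl: set = field(default_factory=set)    # DAC grant list, owner-controlled
    data: str = ""


class ReferenceMonitor:
    """Mediates every access. `policies` selects which checks are active:
    set()            type 1: enforcement rests entirely on the applications
    {"dac"}          type 2: enforcement rests on the authorized user's apps
    {"mac"} or both  type 3: enforcement independent of application behaviour
    """

    def __init__(self, policies):
        self.policies = set(policies)
        self.objects = {}
        self.audit = []   # supporting "audit" policy: one record per decision

    def _decide(self, subj, op, name, allowed):
        self.audit.append((subj.user, op, name, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{subj.user} {op} {name}")

    def _dac_ok(self, subj, obj):
        return subj.user == obj.owner or subj.user in obj.acl

    def create(self, subj, name, level, data=""):
        # No write-down: a subject may not create an object below its own level.
        ok = "mac" not in self.policies or LEVELS[level] >= LEVELS[subj.clearance]
        self._decide(subj, "create", name, ok)
        self.objects[name] = Obj(owner=subj.user, level=level, data=data)

    def read(self, subj, name):
        obj = self.objects[name]
        ok = True
        if "mac" in self.policies:     # no read-up, regardless of the ACL
            ok = ok and LEVELS[subj.clearance] >= LEVELS[obj.level]
        if "dac" in self.policies:
            ok = ok and self._dac_ok(subj, obj)
        self._decide(subj, "read", name, ok)
        return obj.data

    def write(self, subj, name, data):
        obj = self.objects[name]
        ok = True
        if "mac" in self.policies:     # no write-down
            ok = ok and LEVELS[obj.level] >= LEVELS[subj.clearance]
        if "dac" in self.policies:
            ok = ok and self._dac_ok(subj, obj)
        self._decide(subj, "write", name, ok)
        obj.data = data

    def grant(self, subj, name, user):
        # DAC: only the owner extends the ACL. MAC labels are never user-changeable.
        obj = self.objects[name]
        self._decide(subj, "grant", name, subj.user == obj.owner)
        obj.acl.add(user)


def misbehaving_app(rm, alice):
    """A document tool running on Alice's behalf that, unknown to her, also
    copies what it reads into a new file and shares that file with Mallory."""
    text = rm.read(alice, "q3-forecast")
    rm.create(alice, "scratch", level="public", data=text)
    rm.grant(alice, "scratch", "mallory")


def leak_succeeds(policies):
    """True if Mallory ends up with the secret text via Alice's application."""
    rm = ReferenceMonitor(policies)
    alice = Subject("alice", "secret")
    mallory = Subject("mallory", "public")
    rm.create(alice, "q3-forecast", level="secret", data="merge with ACME in Q4")
    try:
        misbehaving_app(rm, alice)
        return rm.read(mallory, "scratch") == "merge with ACME in Q4"
    except PermissionError:
        return False


def direct_read_succeeds(policies):
    """True if Mallory can read Alice's document without her application's help."""
    rm = ReferenceMonitor(policies)
    alice = Subject("alice", "secret")
    mallory = Subject("mallory", "public")
    rm.create(alice, "q3-forecast", level="secret", data="x")
    try:
        rm.read(mallory, "q3-forecast")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for p in (set(), {"dac"}, {"mac"}, {"mac", "dac"}):
        print(sorted(p) or ["none"], "direct read:", direct_read_succeeds(p),
              "via alice's app:", leak_succeeds(p))
```

With no checks active, Mallory reads the document directly (type 1: every program is trusted). With DAC alone, the direct read is denied, but the same data reaches Mallory the moment Alice's own application creates a copy and grants access (type 2: the authorized user's application is trusted). With MAC active, the copy is refused before it exists, because the write-down is denied regardless of who owns the file or what the program intended (type 3: the reference monitor, not the application, is trusted). The audit list records each decision, which is the "supporting policy" the text describes.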