14.2 Design for security 377
integrity of information in the system or to guarantee a required level of system
availability.
In designing a system architecture that maintains security, you need to consider
two fundamental issues:
1. Protection—how should the system be organized so that critical assets can be
protected against external attack?
2. Distribution—how should system assets be distributed so that the effects of a
successful attack are minimized?
These issues are potentially conflicting. If you put all your assets in one place, then you can build layers of protection around them. As you only have to build a single protection system, you may be able to afford a strong system with several protection layers. However, if that protection fails, then all your assets are compromised. Adding several layers of protection also affects the usability of a system, so it may become more difficult to meet system usability and performance requirements.
On the other hand, if you distribute assets, they are more expensive to protect because protection systems have to be implemented for each copy. Typically, then, you cannot afford as many protection layers. The chances are greater that the protection will be breached. However, if this happens, you don’t suffer a total loss. It may be possible to duplicate and distribute information assets so that if one copy is corrupted or inaccessible, then the other copy can be used. However, if the information is confidential, keeping additional copies increases the risk that an intruder will gain access to this information.
For the patient record system, it is appropriate to use a centralized database architecture. To provide protection, you use a layered architecture with the critical protected assets at the lowest level in the system, with various layers of protection around them. Figure 14.4 illustrates this for the patient record system in which the critical assets to be protected are the records of individual patients.
In order to access and modify patient records, an attacker has to penetrate three
system layers:
1. Platform-level protection The top level controls access to the platform on which the patient record system runs. This usually involves a user signing on to a particular computer. The platform will also normally include support for maintaining the integrity of files on the system, backups, etc.
2. Application-level protection The next protection level is built into the application itself. It involves a user accessing the application, being authenticated, and getting authorization to take actions such as viewing or modifying data. Application-specific integrity management support may be available.
3. Record-level protection This level is invoked when access to specific records is required, and involves checking that a user is authorized to carry out the requested operations on that record. Protection at this level might also involve
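The three protection layers just listed can be modelled as a chain of independent checks, each of which can refuse on its own and each of which is recorded so that refusals can be reviewed. The following is an added example written for this discussion, not code from the book or from any real patient record system; the accounts, roles, records and care-team rules are constructed sample data, and the password handling is a stand-in for a proper slow salted hash.

```python
"""Layered protection for a patient record system (added illustrative example).

Platform level: is this an account allowed on the host at all?
Application level: does the user authenticate, and does their role permit the action?
Record level: is this user allowed to do this action on this specific record?
A request must pass every layer; the first refusal ends it. All data is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


def _h(pw: str) -> str:
    # Stand-in for a slow, salted password hash (scrypt/argon2) in a real system.
    return hashlib.sha256(pw.encode()).hexdigest()


# ---- constructed sample data (hypothetical) ----
PLATFORM_ACCOUNTS = {"alice", "bob"}            # OS accounts permitted on the host
APP_USERS = {                                    # application credentials and roles
    "alice": {"pw_hash": _h("correct horse"), "role": "clinician"},
    "bob": {"pw_hash": _h("battery staple"), "role": "receptionist"},
}
ROLE_ACTIONS = {"clinician": {"view", "modify"}, "receptionist": {"view"}}
RECORDS = {                                      # record id -> per-record access data
    "P-1001": {"care_team": {"alice"}, "sensitive": False},
    "P-1002": {"care_team": set(), "sensitive": True},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    layer: str      # which layer produced this decision
    reason: str


AUDIT_LOG: list[Decision] = []   # every layer decision, allowed or not, is kept for review


def platform_check(os_user: str) -> Decision:
    """Layer 1: the user must hold an account on the platform the system runs on."""
    if os_user not in PLATFORM_ACCOUNTS:
        return Decision(False, "platform", f"no platform account for {os_user!r}")
    return Decision(True, "platform", "signed on to host")


def application_check(user: str, password: str, action: str) -> Decision:
    """Layer 2: authenticate the application user and check role-based authorization."""
    acct = APP_USERS.get(user)
    # Compare against a dummy hash for unknown users so the timing is the same either way.
    expected = acct["pw_hash"] if acct else _h("")
    if not hmac.compare_digest(expected, _h(password)) or acct is None:
        return Decision(False, "application", "authentication failed")
    if action not in ROLE_ACTIONS.get(acct["role"], set()):
        return Decision(False, "application", f"role {acct['role']!r} may not {action}")
    return Decision(True, "application", f"authenticated as {acct['role']}")


def record_check(user: str, action: str, record_id: str) -> Decision:
    """Layer 3: per-record rules, applied only after the application layer has passed."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return Decision(False, "record", "no such record")
    role = APP_USERS[user]["role"]
    if role == "clinician" and user not in rec["care_team"]:
        return Decision(False, "record", "clinician is not on this patient's care team")
    if role == "receptionist" and rec["sensitive"]:
        return Decision(False, "record", "record is marked sensitive")
    return Decision(True, "record", f"{action} permitted on {record_id}")


def access(os_user: str, user: str, password: str, action: str, record_id: str) -> Decision:
    """Run the layers in order; stop at the first refusal. Returns the final decision."""
    checks = (
        lambda: platform_check(os_user),
        lambda: application_check(user, password, action),
        lambda: record_check(user, action, record_id),
    )
    decision = Decision(False, "none", "no checks run")
    for check in checks:
        decision = check()
        AUDIT_LOG.append(decision)
        if not decision.allowed:
            return decision
    return decision


if __name__ == "__main__":
    print(access("alice", "alice", "correct horse", "view", "P-1001"))   # allowed at record layer
    print(access("bob", "bob", "battery staple", "modify", "P-1001"))    # refused at application layer
    print(access("bob", "bob", "battery staple", "view", "P-1002"))      # refused at record layer
```

The point of the structure is that the record layer never runs unless the platform and application layers have already accepted the request, and a refusal names the layer that produced it, which is what an administrator reviewing the audit log needs in order to tell a failed sign-on from a clinician reaching for a patient outside their care team.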

