Security models help us to understand the sometimes-complex security mechanisms in information systems. Security models illustrate simple concepts that we can use when analyzing an existing system or designing a new one.
In this section we describe the time-honored concepts of confidentiality, integrity, and availability (known together as CIA, or the CIA Triad), and access control models.
Confidentiality refers to the concept that information and functions should be accessed only by authorized subjects. This is usually accomplished through several means, including
Access and authorization: Ranging from physical access to facilities containing computers, to user account access and role-based access controls, the objective here is to make sure that only those persons with proper business authorization are permitted to access information.
Vulnerability management: This includes everything from system hardening to patch management and the elimination of vulnerabilities from web applications. What we’re trying to avoid here is any possibility that someone can attack the system and get to the data.
Sound system design: The overall design of the system excludes ...