The Protection of Information in Computer Systems
| The Protection of Information in Computer Systems | |
|---|---|
| Created | 1975 |
| Authors | Jerome Saltzer, Michael Schroeder |
| Subject | Information security |
The Protection of Information in Computer Systems is a seminal 1975 publication by Jerome Saltzer and Michael Schroeder about information security.[1][2] The paper emphasized that the primary concern of security measures should be the information on computers and not the computers themselves.[3]
It was published 10 years prior to the Trusted Computer System Evaluation Criteria, commonly known as the Orange Book.[4]
Design principles
The following design principles are laid out in the paper:
- Economy of mechanism: Keep the design as simple and small as possible.
- Fail-safe defaults: Base access decisions on permission rather than exclusion.
- Complete mediation: Every access to every object must be checked for authority.
- Open design: The design should not be secret.
- Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.
- Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
- Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users.
- Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
- Work factor: Compare the cost of circumventing the mechanism with the resources of a potential attacker.
- Compromise recording: It is sometimes suggested that mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss.
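Four of these principles (fail-safe defaults, complete mediation, separation of privilege, and an audit trail in the spirit of compromise recording) can be seen together in a small reference monitor. This is an added example, not code from the paper; the `Monitor` and `Store` classes, the `approve` right and the sample policy are all hypothetical.

```python
from contextlib import suppress
from dataclasses import dataclass, field

@dataclass
class Monitor:
    acl: dict = field(default_factory=dict)    # (subject, obj) -> set of granted rights
    two_key: set = field(default_factory=set)  # (obj, right) pairs needing two approvers
    audit: list = field(default_factory=list)  # every decision, allowed or denied

    def check(self, subject, obj, right, approvers=()):
        # Fail-safe default: a right that was never granted is denied.
        allowed = right in self.acl.get((subject, obj), set())
        if allowed and (obj, right) in self.two_key:
            # Separation of privilege: two distinct approvers other than the requester.
            keys = {a for a in approvers
                    if a != subject and "approve" in self.acl.get((a, obj), set())}
            allowed = len(keys) >= 2
        self.audit.append((subject, obj, right, allowed))  # compromise recording
        return allowed

class Store:
    """Objects reachable only through the monitor (complete mediation)."""
    def __init__(self, monitor):
        self._monitor, self._data = monitor, {}
    def _guard(self, subject, obj, right, approvers=()):
        # Re-checked on every access; no earlier decision is cached.
        if not self._monitor.check(subject, obj, right, approvers):
            raise PermissionError(f"{subject} may not {right} {obj}")

    def read(self, subject, obj):
        self._guard(subject, obj, "read")
        return self._data.get(obj)

    def write(self, subject, obj, value, approvers=()):
        self._guard(subject, obj, "write", approvers)
        self._data[obj] = value

def demo():
    # Constructed policy: alice reads and writes "payroll"; writes need two keys.
    m = Monitor(acl={("alice", "payroll"): {"read", "write"},
                     ("bob", "payroll"): {"approve"},
                     ("carol", "payroll"): {"approve"}},
                two_key={("payroll", "write")})
    s = Store(m)
    s.write("alice", "payroll", "v1", approvers=["bob", "carol"])
    m.acl[("alice", "payroll")].discard("read")  # revoked: the next read is denied
    with suppress(PermissionError):
        s.read("alice", "payroll")
    return m.audit
```

Because the check runs on every access rather than once at open time, the revocation in `demo()` takes effect on the very next read, and both the allowed write and the denied read appear in the audit list.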
References
1. Smith, Richard E. (November 2012). "A Contemporary Look at Saltzer and Schroeder's 1975 Design Principles". IEEE Security & Privacy. 10 (6): 20–25. doi:10.1109/MSP.2012.85. ISSN 1540-7993. S2CID 13371996.
2. Seeley, Nicholas. "Seminal Papers in Cybersecurity: A Review (Part 2 of 2)". Schweitzer Engineering Laboratories. Retrieved 2024-11-11.
3. Samonas, Spyridon; Coss, David (2014). "The CIA Strikes Back: Redefining Confidentiality, Integrity and Availability in Security". Journal of Information Systems Security. 10 (3): 21–45.
4. Smith, Sean; Marchesini, John (2007). The Craft of System Security. Pearson Education. ISBN 9780132797542.
External links
- Saltzer, Jerome; Schroeder, Michael (April 17, 1975). "The Protection of Information in Computer Systems". Symposium on Operating Systems Principles.
Content Disclaimer
This information is summarized from Wikipedia and presented again for educational purposes. The content is available under the CC BY-SA 3.0 license. We are not responsible for inaccuracies in data sourced from those public contributions.