[Gnue-dev] Update to draft security framework proposal


From: Stanley A. Klein
Subject: [Gnue-dev] Update to draft security framework proposal
Date: Thu, 05 Dec 2002 19:45:08

I provided for posting, comment, and feedback my latest draft (0.3.1) of
the security framework proposal document.  It is over 25 pages in sxw
format, so (as before) I figured it would be better to send it in for
posting and notify the list by a message.

The changes are focused on discussing security assurance levels and
introducing them into the discussion.

The principles in Section 1 (introduction and overview) were modified to
include enabling users to select the level of security assurance
appropriate to their needs.  The discussion of dependence on operating
system and database security was revised to indicate that this is only
needed if the user requires a higher level of assurance than GNUe can
provide itself (which is low level assurance).

The general discussion of factors that can potentially drive security
policy was moved to Section 2.  The discussion of categories of enterprises
by security requirements was moved to Section 3.  For each enterprise
category, a paragraph was added on the likely levels of security assurance
required by that type of enterprise.

It is interesting to note that there are several conditions under which an
enterprise could use GNUe at its estimated low security assurance level
without going to operating system or database features to get higher levels
of assurance.  These include:

1.  For Category A: Very small company, all users fully trusted for all
functions, no legal or contractual constraints -- all uses.

2.  For Category B: Very small company, all users fully trusted for all
functions; legal or contractual constraints -- it is noted that a low
assurance system could be used, but if the legal/contractual obligations
require the system to be subject to outside audit, an assurance level of at
least medium may be advisable.  (An example of an outside audit requirement
would be a medical or dental practice subject to the US Health Insurance
Portability and Accountability Act.  As I understand it, there is an audit
requirement, although the security/privacy requirements have not been
finalized.  The audit now mainly affects the electronic claim submittal
capability.)

3.  For Category C: Small/medium company, legal and contractual
requirements, any external network connection tightly controlled -- a low
assurance system may be acceptable if the external obligations are
relatively simple, the insider technical threat relatively unsophisticated,
and the consequences from both threats relatively minimal.

4.  For Category D: Small/medium company, legal and contractual
requirements, external network connection -- A low assurance system could
be used for a critical purpose if it were isolated or "stovepiped," but
they would need to accept the disbenefit of not having the system
integrated with the remainder of the enterprise.

5.  For Category E: Medium to Large company with special concerns -- a low
assurance system is not likely to be acceptable.

I hope the revised document clarifies the situations under which the
ability to satisfy security requirements in a GNUe system will need to be
based on the operating system and database and will restrict the user's
choice of operating systems and databases to those with appropriate
features at sufficient levels of assurance.

As stated above, feedback is welcomed.


Stan Klein



