One cannot design an airplane to be safe, such that it can never be unsafe, but one can, indeed aeronautical engineers do, design them such that they can be operated safely. Neither IBM nor Microsoft can design a system that is safe for all applications and all environments. They can design one that can be operated safely for some applications and some environments. As the aeronautical engineer cannot design a plane that is proof against "pilot error," so IBM and Microsoft cannot design a system that is proof against the infamous "user error." One cannot design a plane that is proof against terrorism or a computer that is proof against brute force attacks.
In the early days we talked about the properties of secure systems, Integrity, Auditability, and Controllability, and we told product managers that the properties, features, and functions of the product must be appropriate for the intended application and environment of the product.
Integrity speaks to the wholeness, completeness, and appropriateness of the product. One test of Integrity is predictability, that is, the product does what, and only what, is expected. Note that very few modern computer systems meet this test, in large part because they are too complex.
Auditability is that property that provides for relative ease in inspecting, examining, demonstrating, verifying, or proving the behavior and results of a system. The tests for Auditability include accountability and visibility or transparency. The test of accountability is that it must be possible to fix responsibility for every significant event to the level of a single individual. The test of visibility is that a variance from the expected behavior, use, or content of the system must come to the attention of responsible management in such a way as to permit timely and appropriate corrective action.
Controllability is that property of a system that enables management to exercise a directing or restraining influence over the behavior, use, or content of the system. The tests are Granularity and Specificity. The test of granularity requires that the size of the resource to be controlled must be small enough to permit management to achieve the intended level of risk. Specificity requires that management be able to predict the effect of granting any access to any resource, privilege, or capability from the meta-data, e.g., name, properties, of the resource, privilege, or capability.
Note that these properties complement one another, indeed are really simply different ways of looking at the property of "securability." However, they may be achieved at the expense of other desiderata of the system. How to achieve the proper balance is the subject for another day.