Working With Secure Entities

We encounter all kinds of entities in our environment. According to an English dictionary, an entity is defined as “something that exists separately from other things and has a clear identity of its own.” Some examples of entities are business and government organizations, the human body, and the earth. We want to understand and learn about these entities. In this article, we discuss entities as “secure” entities. A secure entity is an entity with built-in security mechanisms to ward off malicious attacks. From here onward, the term entity means a secure entity.

Real-world entities are complex. It is very hard to understand them unless we represent them in a manageable form. So, we need to find a way to represent them at varying levels of detail depending on our purpose and context. The construct of a system is one way to represent an entity. A system is a conceptual framework for representing things (entities). A system is defined (constructed) by a modeler with a given purpose and context. The word system is also used to refer to the physical or abstract entity it represents.

What is a Secure System?

A system is a collection of interrelated parts that work together for a common purpose. For example, a car can be thought of as a system. It is a collection of components (parts) that work together to provide transportation. Some of the parts of a car are the axle, suspension, wheels, and steering. Some of the tasks (functions) of a car are acceleration, deceleration, and turning. A system may include people as well as physical parts. Systems are created in our mind so we can think and talk about the things they represent. In addition, a secure system has built-in security mechanisms.

A secure system is frequently made up of many smaller systems. It may also be a part of a larger system. Thus, it is possible to talk about different levels of systems. Using the example of a human body as a system, we find several smaller systems within it, such as the circulatory, respiratory, and hormonal systems. We call these subsystems within the human body system. A subsystem is simply a system within a larger system. This suggests that any system or subsystem has a boundary. It is evident from the system definition and our discussion so far that a system:

  1. has a purpose or goal,
  2. performs a set of functions securely to achieve its goal,
  3. has components or parts that perform the functions,
  4. has a structure to support and integrate the parts, and
  5. has a boundary.

Most of the systems we work with are open systems. An open system is a system that interacts with its environment. Open systems are influenced by inputs from the environment, and they affect the environment through their outputs. Today’s systems are generally online and are accessed via the Internet. They are not only becoming complex, but they are also being subjected to a constant barrage of internal and external cyber as well as physical security threats. They need to be protected and secured from various kinds of threats. One of the best ways to protect a system is to have built-in protection and security. In other words, there is a need to develop a secure system. A secure system has protection and security mechanisms integrated (built in) into it.

Working with a Secure System

From here onward, we use the term system to mean a secure system. When working with a system, we encounter problems that can be classified into the following three types:

  1. Analysis of the system.
  2. Synthesis (Design) of the system.
  3. Investigation of the system regarded as a “black box”.

In any problem dealing with the system, we start from certain known properties of the system, and we are to find its remaining properties. For example, the structural properties of a system may be known, and we must find the functional as well as the non-functional properties of that system.

In the general case of the analysis of a system, the components or parts of the system are given. The task of the analysis is to find the functions (behavior or activities) and the relationships among the functions. The other task of analysis is to find the non-functional requirements of the system, including its security requirements.

The synthesis of a system is the converse of the problem of its analysis. It can be stated as follows: a set of functions, non-functional characteristics, and goals of a system are given. We must find a structure for the system that realizes the prescribed functions securely.

The term “black box” is used for any system whose organization and/or behavior is unknown or incompletely known, and some or all of which is to be determined.

In the real world, the “given” things are generally incompletely known. In such cases, we must first find and understand the “given” things in more detail before proceeding further with the analysis or the synthesis of a system.

What is System Analysis?

System analysis is the process of taking something apart to find out more about it. We represent a thing as a system. In essence, we are factoring a system into subsystems. We study and evaluate these systems to determine if there are better ways of meeting the needs of stakeholders.

In fact, the above definition covers the activities of:

  1. the industrial engineer, whose task is to improve and measure the performance of man-machine systems,
  2. the operations researcher, who develops models to evaluate alternative decisions, and
  3. the systems analyst, who is concerned with the design, implementation, and maintenance of information systems in organizations.

In information systems development work, we study the inputs to and threats against a system, the functions that process the inputs and threats, and the outputs the system must provide. We study the machines or technology used in the system and the procedures that control the machines. We study the organizing structure, including the reason for the system’s existence and what changes in the environment or in the system itself might cause it to go out of control or fail to provide the needed outputs. We study the people providing inputs, performing functions, and receiving outputs. We look for bottlenecks, delays, and threats. We try to determine what can be done better and what things are not done that should be done.

The focus of this discussion will be on one group of systems called business systems. We will discuss analyzing and developing secure information systems to support business systems.

The discussion will deal with the methods, tools, and techniques used by analysts and designers for the development and evaluation of secure information systems.

Why Study Business Systems?

The average businessman or businesswoman usually does not base decisions upon a thorough understanding of the network of relationships and interdependencies that exist within the business organization. After all, it is difficult enough to deal with marketing problems without also becoming an expert in production planning, accounts receivable, order processing, and the many other related activities that characterize the complexity of modern business. And yet, without some real understanding of these interactions, it is difficult to assess what the impact of decisions would be upon the total organization.

A business organization needs to be modeled as a system. The system approach enables us to view the business activities from a customer perspective and not from a departmental perspective. It cuts across the departmental silos that exist in business organizations. It also facilitates the identification of duplicate and redundant activities/tasks.

What is Secure System Analysis?

The secure systems analysis process includes studying these networks of interactions within an organization and assisting in the development of new, secure, and improved ways of performing the necessary work. A conscious effort must be made not only to identify and study normal business activities but also the activities that may pose security risks to the business. Countermeasures can then be identified to deal with those security risks. For example, when developing a use case model of a system, it is important to also identify misuse cases along with the use cases. The details of each misuse case can then be understood in order to identify countermeasures, such as secure use cases, that deal with it.
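The use case / misuse case / secure use case relationship described above, as an added example that is not part of the original article: a small model of an order-processing business system is checked for misuse cases that no secure use case mitigates and for references to names that were never defined. The use case, misuse case, and countermeasure names are constructed for illustration and are assumptions, not taken from any real system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MisuseCase:
    name: str
    threatens: tuple  # names of the use cases this misuse case attacks


@dataclass(frozen=True)
class SecureUseCase:
    name: str
    mitigates: tuple  # names of the misuse cases this countermeasure addresses


def unmitigated_misuse_cases(misuse_cases, secure_use_cases):
    """Misuse cases that no secure use case claims to mitigate (open risks)."""
    covered = {m for s in secure_use_cases for m in s.mitigates}
    return sorted(mc.name for mc in misuse_cases if mc.name not in covered)


def dangling_references(use_cases, misuse_cases, secure_use_cases):
    """Names used in 'threatens'/'mitigates' that the model never defines (modeling errors)."""
    uc_names = set(use_cases)
    mc_names = {mc.name for mc in misuse_cases}
    bad = {t for mc in misuse_cases for t in mc.threatens if t not in uc_names}
    bad |= {m for s in secure_use_cases for m in s.mitigates if m not in mc_names}
    return sorted(bad)


def exposure_by_use_case(use_cases, misuse_cases, secure_use_cases):
    """For each use case, the misuse cases threatening it that remain unmitigated."""
    open_mcs = set(unmitigated_misuse_cases(misuse_cases, secure_use_cases))
    return {uc: sorted(mc.name for mc in misuse_cases
                       if uc in mc.threatens and mc.name in open_mcs)
            for uc in use_cases}


# Constructed sample model (assumed names, not from any real system).
USE_CASES = ["Place order", "Pay for order", "Ship order"]
MISUSE_CASES = [
    MisuseCase("Tamper with order total", ("Place order", "Pay for order")),
    MisuseCase("Replay payment authorization", ("Pay for order",)),
    MisuseCase("Redirect shipment address", ("Ship order",)),
]
SECURE_USE_CASES = [
    SecureUseCase("Recompute totals server-side", ("Tamper with order total",)),
    SecureUseCase("Use single-use payment nonces", ("Replay payment authorization",)),
]

if __name__ == "__main__":
    print("unmitigated:", unmitigated_misuse_cases(MISUSE_CASES, SECURE_USE_CASES))
    print("dangling:", dangling_references(USE_CASES, MISUSE_CASES, SECURE_USE_CASES))
    print("exposure:", exposure_by_use_case(USE_CASES, MISUSE_CASES, SECURE_USE_CASES))
```

Running the sample reports “Redirect shipment address” as the one misuse case still without a secure use case, which is exactly the gap the analyst would take back into the model.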