The Control Architecture
The enterprise operates protection through the
creation, operation, and adaptation of a control architecture. The
control architecture includes structural mechanisms that obtain
security objectives through access control, functional units,
perimeters, authorization, change control, and lower surety
Integrity, availability, and confidentiality
have long been considered keystones of information protection, and in
recent years, use control, accountability, and transparency have
joined the ranks of critical information protection objectives. The
acronym CIA (for confidentiality, integrity, availability) were
historically used because of the military emphasis on confidentiality
and the historical basis of information security in the cryptographic
roots of confidentiality. But for most businesses, integrity is more
important than anything else because wrong answers often produce
higher consequences than no answers or leaked answers. Use control,
accountability, transparency, and custody are also often protection
objectives but have been largely ignored in most of the literature.
Integrity: With the increased use
of computers for control over machines,
integrity is critical to preventing loss of life and similar
consequences while secrecy holds only financial losses and possible
fines which are rarely levied in cases of accidental or maliciously
induced releases. Integrity generally includes proper association of
source to content and purported source to actual source, freedom from
inappropriate changes to content, and that the content is reflective
of the desired reality to within the known parameters. Integrity is
the certainty that content is suitable to its purpose.
Availability: Outages increasingly
cause serious losses to businesses as they
become more dependent on information technology for operational needs
and as just-in-time systems become more critical to business success.
Availability generally includes fault intolerance (hardening and
increased reliability) and redundancy aspects. Availability is the
certainty that content's utility can be gained when desired.
Confidentiality: Confidentiality is
still of great import, but keeping
secrets for long time periods is a rare exception today and not the
norm. Therefore the time limits of secrecy combined with the general
availability of information to those willing to search for it reduce
the emphasis on this issue. While regulatory requirements in certain
cases can be very substantial and consequences very serious it is
typically considered third to integrity and availability today in most
business contexts. Confidentiality typically involves limits on
access and utility of exposed representations of
content. Confidentiality is the certainty that content is
comprehensible or not as appropriate to the context.
Use control: Use control becomes more
of an issue as the utility of control functions and
similar mechanisms leads to higher consequences of misuse. For
example the ability to use an enterprise identity management system
control plane implies the potential for massive damage because of the
high risk aggregation caused by the dependency on this system by the
rest of the enterprise that has integrated identity management. Use
control typically involves identity, authentication levels, and
authorities for use. Use control reflects the certainty that content
is usable for the intended purposes and for no others.
is fundamental to the ability to
attribute actions to actors for attributing financial and other
responsibility. Legal and regulatory drivers also increasingly force
accountability. Accountability typically includes attribution of
actions to actors, situational information relating to time, context,
and so forth, and the activity performed. Accountability is the
certainty of being able to attribute actions to actors with regard to
is essentially the ability for others to
see how processes work. It is often used as a basis for evaluating
trust, is fundamental to open government, is required by law in many
situations, and is increasingly demanded by partners and customers.
It typically includes identification of process elements and how they
are implemented along with records of the history of who did what,
how, when, and why.
is about physical and logical control of
content and media. It is often used as a basis to assert integrity
and authenticity, and is required in many cases for use in legal
settings. The implementation typically involves documenting the
source, chain of possession (or custody), and status relative to
original writing. It is closely linked to integrity, but is sometimes
identified as a unique property.
Change Control: Change control is an
identified set of architectural requirements and implementation
mechanisms that separate research and development, testing and approval,
and operations from each other, and provide the means for assuring
proper control and approval processes over changes.
Access facilitation: Authorization for use is a
process in which a subject is identified, an adequate level of
authentication of that identity is provided for the contextual use,
authorization for that use is granted or denied based on that use and
the authenticated identity, and use proceeds or doesn't.
Trust: Trust is the extent to which you are willing
to sustain harm from another. Trust tends to be transitive
in that when you trust someone or some thing, you trust what they trust, and they
trust what the next person or thing trusts, and so forth. This chain of trust and
the extent to which trust is extended defines and limits the harm that these trusts
Perimeters: The perimeter architecture provides for physical and logical separations of
zones with different and possibly sequential protection mechanisms to
limit access and activities passing those barriers.
Functional Units: These are classes of
mechanisms that are used to partition information and systems in
different ways so that separation of classification levels and need to
know areas are based on a set of control mechanisms and an architectural
level mechanism for control and audit, separation of control and audit
from data, separation of duties, and similar separation mechanisms.
Control Scheme: Access controls in the
control architecture sense, have to do with the overall model used for
determining validity of access of subjects (people, programs, etc.) to
objects (things, data, files, systems, etc.). The typical model uses
(1) clearance levels for people and other subjects, (2) classifications
for data and other objects, (3) a rule for matching clearances to
classifications to determine access restrictions, (4) a notion of
need-to-know that allows separation of projects and other elements based
on risk aggregation and similar requirements, (5) separation
requirements for assuring the proper division of content and
infrastructure, and (6) surrounding controls that assure that the access
control is implemented.
In combination, these form the architectural elements
of the control architecture, independent of implementation specifics.