In practicable multi-level secure systems it is necessary occasionally to transfer information in violation of security policy. Machines for doing this reliably and securely are called cross domain solutions; systems incorporating them are cross domain systems. Data owners, especially in classified environments, tend to distrust other data owners, other systems and networks, their own users, and developers of cross domain solutions. Hence, data owners demand rigorous testing before they will allow their information into a cross domain system. The interests of data owners are represented by certifiers and accreditors, who test newly developed cross domain solutions and newly installed cross domain systems, respectively. Accreditors have the authority to grant approval to operate and the responsibility for accepting residual risk. Certification and accreditation have always been expensive and time consuming, but there are hidden inefficiencies and unexploited opportunities to predict the actions of accreditors and to control the cost of certification. Some case studies of successful and unsuccessful security certifications and accreditations were analysed using grounded theory methodology. It was discovered that inefficiency arises from conflation of the principle of defence in depth with the practice of independent verification and validation, resulting in an irresistible appearance of cost savings to managers with a possible explanation in the relative maturity of different levels of software engineering organisations with respect to policy, process, and procedures. It was discovered that there is a simple rule relating certifier findings to developer responses that predicts the duration of penetration testing and can be used to bound the schedule. An abstract model of cross domain system accreditation was developed that is sufficiently powerful to reason about collateral, compartmented, and international installations. 
It was discovered that the behaviour of accreditors satisfies the criteria for reliable signalling in the presence of asymmetric information due to Akerlof, Spence, and Stiglitz.
| Field | Value |
| --- | --- |
| Identifier | oai:union.ndltd.org:bl.uk/oai:ethos.bl.uk:711828 |
| Date | January 2014 |
| Creators | Loughry, Joe |
| Contributors | Fléchais, Ivan ; Martin, Andrew P. |
| Publisher | University of Oxford |
| Source Sets | Ethos UK |
| Detected Language | English |
| Type | Electronic Thesis or Dissertation |
| Source | https://ora.ox.ac.uk/objects/uuid:71694222-3ef1-4fe6-9637-c8586798f352 |