Page 647 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

processes.

               Many modern operating systems address the need for process
               isolation by implementing virtual machines on a per-user or per-
               process basis. A virtual machine presents a user or process with a
               processing environment—including memory, address space, and other
               key system resources and services—that allows that user or process to
               behave as though they have sole, exclusive access to the entire
               computer. This allows each user or process to operate independently
               without requiring it to take cognizance of other users or processes that
               might be active simultaneously on the same machine. As part of the
               mediated access to the system that the operating system provides, it
               maps virtual resources and access in user mode so that they use
               supervisory mode calls to access corresponding real resources. This
               not only makes things easier for programmers, it also protects
               individual users and processes from one another.


               Hardware Segmentation


               Hardware segmentation is similar to process isolation in purpose—it
               prevents the access of information that belongs to a different
               process/security level. The main difference is that hardware
               segmentation enforces these requirements through the use of physical
               hardware controls rather than the logical process isolation controls
               imposed by an operating system. Such implementations are rare, and
               they are generally restricted to national security implementations
               where the extra cost and complexity are offset by the sensitivity of the
               information involved and the risks inherent in unauthorized access or
               disclosure.


               Security Policy and Computer Architecture

               Just as security policy guides the day-to-day security operations,
               processes, and procedures in organizations, it has an important role to
               play when designing and implementing systems. This is equally true
               whether a system is entirely hardware based, entirely software based,
               or a combination of both. In this case, the role of a security policy is to
               inform and guide the design, development, implementation, testing,
               and maintenance of a particular system. Thus, this kind of security