Domain Based Security

"Domain Based Security", abbreviated to "DBSy", is a model-based approach to help analyze information security risks in a business context and provide a clear and direct mapping between the risks and the security controls needed to manage them. A variant of the approach is used by the UK government's HMG Infosec Standard No.1 technical risk-assessment method. DBSy is a registered trade mark of QinetiQ Ltd.

DBSy was developed in the late 1990s by the Defence Evaluation and Research Agency (DERA). It is a model-based approach to information assurance that describes the requirements for security in an organisation, taking account of the business that needs to be supported. The model is based around the concept of a security domain, which represents a logical place where people work with information using a computer system, and which has connections with other security domains where this is necessary to support business activity. Hence the focus is on the information that needs protection, the people that work with it and the people they exchange information with. The model can also describe the physical environments where people work and the system boundaries where major system security measures are placed. A systematic method is then applied to the model to identify and describe the risks to which valuable information assets are exposed and specify security measures that are effective in managing the risks.

History
DBSy has its origins in the late 1990s, having been developed by the Defence Evaluation and Research Agency (DERA) for the Ministry of Defence (MOD). Initially called the Domain Based Approach, it was developed alongside Purple Penelope to support the MOD's increasing need for interconnections between systems operating at different security levels.

It was recognised that the risks associated with such connections were directly related to the nature of the information exchange that was needed, and that an effective model for understanding and managing the risks would need to take account of the business needs for information sharing. It was also recognised that the controlled release of information from a system handling secret information (sometimes referred to at the time as 'downgrading' or 'sanitisation') was not adequately described by any of the existing models of information security (notably Bell-LaPadula, Biba and the associated information flow models).

Information flow models were found to be unhelpful in understanding the risks when information has to be shared with people and systems that are not entirely trusted. An effective model for understanding and managing the risks would need to take account of the business needs for exchanging information both within and outside an organisation.

The modelling technique was applied to some major projects for the MOD and as a result of this experience the graphical modelling techniques were revised and a rigorous risk assessment method, based on the concepts of compromise paths, was developed. An approach to IT security documentation through a project lifecycle was also created. Domain Based Security conferences were held at QinetiQ Malvern in June 2005 and June 2006, promoting discussion of how it could be more widely used, both for defence and commercial systems.

A variant of the DBSy method was subsequently developed and incorporated into the UK government's HMG Infosec Standard No.1 Technical Risk Assessment method, the standard method to be used for security risk assessments for all government Information Technology systems.

The DBSy model
The DBSy approach uses simple models to represent the requirements for security in an organisation using two different but related viewpoints: the Infosec Business Model represents the security aspects of the business, while the Infosec Infrastructure Model represents the logical provision of strong boundaries that enforce separation. When combined, they make up an Infosec Architecture Model. This model forms the basis for conducting a systematic and rigorous risk assessment.

The Infosec business model defines security domains and the connections between them. The model specifies the limits of what information can be processed and exchanged between security domains and so forms the set of security requirements for the business. In particular, connections that are not explicitly modelled are not permitted and are required not to occur. A security domain is characterised by a set of information assets, which may be valuable to the organisation, as well as the people that work with the information and the applications and services that act on their behalf. Connections between domains are characterised by the nature of the interaction that is required (such as interpersonal messages, or shared access to a database) and the sensitivity and integrity requirements of the information exchange. The model can also represent the kinds of physical environment from which a domain can be accessed.

The Infosec infrastructure model defines islands of computing infrastructure that are required to be logically separate, so that information cannot be exchanged between them except at identifiable and manageable points of connection, referred to as causeways. An island is characterised by the strength of separation between it and any other islands and by the people who manage its computing infrastructure.

An Infosec architecture model combines the business and infrastructure views, by showing which security domains are supported by which islands of infrastructure. Where there are connections between security domains that are hosted on different islands, the connections must be supported by an appropriate causeway.

Risk assessment method
The DBSy method uses a rational risk framework for describing the risks to which some information assets are exposed. Similar kinds of assets are grouped together as a focus of interest, and the risk assessment process is applied to each focus of interest in turn.

The key factors determining the risk to a particular focus of interest are:
 * business impact of compromise to the confidentiality, integrity or availability of the focus of interest;
 * sets of people who might wish to inflict damage (threat sources) and their motivation for doing so;
 * groups of people with different opportunities to inflict damage (threat actors) and their capability to do so, who may also be threat sources or could be influenced by others;
 * the means by which each threat actor might cause damage (causes of compromise);
 * the defences in place (or planned) to protect the focus of interest.

This risk framework is applied in a systematic fashion to an organisation-specific Infosec architecture model, representing the security-relevant features of an organisation's business and IT systems. Through this process, a set of compromise paths can be systematically described and the relative effectiveness of different countermeasures can be assessed.

Comparison with other IA risk methods
DBSy differs from other IT risk management methods in that its primary focus is on people, the business drivers of an organisation and the way the business works, rather than on technical security measures. The analyst is required to systematically define the groups of people that pose a threat and the ways they might cause harm, providing a rigorous, business-oriented framework for the concepts of threat and vulnerability. The aim is to understand and analyse information security risks faced by an organisation, especially where the risks appear to conflict with needs for business efficiency across the organisation or in dealings with customers and business partners.