Separation of protection and security

In computer science, the separation of protection and security is an application of the separation of mechanism and policy principle. The protection mechanism is supposed to be a component that implements the security policy. However, many frameworks consider both as security controls of varying types. For example, protection mechanisms would be considered technical controls, while a policy would be considered an administrative control.

Overview
The adoption of this distinction in a computer architecture probably means that protection is provided as a fault tolerance mechanism by hardware/firmware and kernel, whereas the operating system and applications implement their security policies. In this design, security policies therefore rely on the protection mechanisms and on additional cryptographic techniques.

Examples of models with protection and security separation include access matrix, UCLA Data Secure Unix, take-grant and filter. Such separation is not found in models like high-water mark, Bell–LaPadula (original and revisited), information flow, strong dependency and constraints.

Critique
However, the line between 'separation of mechanism and policy' and 'separation of protection and security' isn't clear. The terms 'protection' and 'security' aren't widely considered distinct. For example, 'computer security' is commonly defined as 'the protection of computer systems'. Indeed, the major hardware approach of hierarchical protection domains considers its use to be both for security and protection. A prominent example of this approach is the ring architecture with "supervisor mode" and "user mode". Such an approach adopts a policy already at the lower levels (hardware/firmware/kernel), restricting the rest of the system to rely on it. Therefore, the choice to distinguish between protection and security in the overall architecture design implies rejection of the hierarchical approach in favour of another one, capability-based addressing.
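
The following sketch is an added illustration, not part of the original article. It models the access matrix named in the Overview as a protection mechanism that enforces whichever security policy is loaded into it, and contrasts it with a simplified ring check whose rule is fixed inside the mechanism. All subject, object and function names are constructed for the example.

```python
# Added illustration: names, subjects and objects below are constructed.

class AccessMatrix:
    """Protection mechanism: stores (subject, object) -> rights and answers
    checks. It has no opinion about who should hold which right."""

    def __init__(self):
        self._cells = {}

    def grant(self, subject, obj, right):
        self._cells.setdefault((subject, obj), set()).add(right)

    def check(self, subject, obj, right):
        # Default deny: an empty cell carries no rights.
        return right in self._cells.get((subject, obj), set())


OWNERS = {"alice.txt": "alice", "bob.txt": "bob"}  # constructed sample data


def owner_policy(matrix):
    """Security policy A: each owner may read and write their own object."""
    for obj, owner in OWNERS.items():
        matrix.grant(owner, obj, "read")
        matrix.grant(owner, obj, "write")


def audit_policy(matrix):
    """Security policy B: owners read only; an auditor reads everything."""
    for obj, owner in OWNERS.items():
        matrix.grant(owner, obj, "read")
        matrix.grant("auditor", obj, "read")


def enforce(policy):
    """Load a policy into a fresh instance of the unchanged mechanism."""
    matrix = AccessMatrix()
    policy(matrix)
    return matrix


def ring_check(caller_ring, target_ring):
    """Simplified hierarchical domain check: the rule 'lower ring number
    dominates' is fixed in the mechanism and cannot be swapped out."""
    return caller_ring <= target_ring
```

Swapping `owner_policy` for `audit_policy` changes who may write without touching `AccessMatrix`, whereas changing the outcome of `ring_check` means changing the mechanism itself.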