DESIGN FOR SECURITY:
Security should be designed into a system - it is very difficult to make an insecure system secure after it has been designed or implemented. Adding security features to a system to enhance its security affects other attributes of the system:
• Performance: additional security checks slow down a system so its response time or throughput may be affected.
• Usability: security measures may require users to remember information or require additional interactions to complete a transaction. This makes the system less usable and can frustrate system users.
Design risk assessment is done while the system is being developed and after it has been deployed. At this stage more information is available - the system platform, the middleware, and the system architecture and data organization - so vulnerabilities that arise from design choices can be identified. During architectural design, two fundamental issues have to be considered when designing an architecture for security:
• Protection: how should the system be organized so that critical assets can be protected against external attack? A layered protection architecture is normally used:
  - Platform-level protection: top-level controls on the platform on which the system runs.
  - Application-level protection: specific protection mechanisms built into the application itself, e.g. additional password protection.
  - Record-level protection: protection that is invoked when access to specific information is requested.
• Distribution: how should system assets be distributed so that the effects of a successful attack are minimized?
Distributing assets means that a successful attack on one system does not necessarily lead to complete loss of system service. Each platform has its own protection features, which may differ from those of other platforms, so that the platforms do not share a common vulnerability. Distribution is particularly important if the risk of denial of service attacks is high.
These two concerns can conflict. If assets are distributed, they are more expensive to protect. If assets are heavily protected, usability and performance requirements may be compromised.
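Added example (not from these notes): the three protection layers described above expressed as a single request-authorization path in Python. A request must pass the platform-level check, then the application-level check, and only then the record-level check; each layer fails closed. The Request and Record types, the allowed role set and the sample records are constructed for illustration and are not part of the original text.

```python
"""Layered protection: platform -> application -> record, each layer failing closed.
Added example; the types, role set and sample records below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    host_session_valid: bool   # platform level: OS / host login succeeded
    app_role: str              # application level: role held inside the application
    record_id: str
    action: str                # "read" or "write"


@dataclass
class Record:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permitted actions


# Constructed sample data: two records, one shared read-only with "bob".
RECORDS = {
    "patient-42": Record(owner="alice", acl={"bob": {"read"}}),
    "patient-43": Record(owner="carol", acl={}),
}

# Application-level policy: only these roles may use the record service at all.
APP_ROLES_ALLOWED = {"clinician", "admin"}


def platform_check(req):
    """Layer 1: controls on the platform the system runs on (e.g. host session)."""
    return req.host_session_valid


def application_check(req):
    """Layer 2: protection built into the application itself (role gate)."""
    return req.app_role in APP_ROLES_ALLOWED


def record_check(req, records=RECORDS):
    """Layer 3: invoked only when a specific record is requested.
    Owners may do anything; others need an explicit ACL entry; unknown
    records are denied rather than revealing whether they exist."""
    rec = records.get(req.record_id)
    if rec is None:
        return False
    if rec.owner == req.user:
        return True
    return req.action in rec.acl.get(req.user, set())


def authorize(req, records=RECORDS):
    """Run the layers in order and return (allowed, layer_that_decided).
    A failure at any layer stops evaluation: the request never reaches
    the more expensive record lookup if the platform or application
    check has already rejected it."""
    if not platform_check(req):
        return False, "platform"
    if not application_check(req):
        return False, "application"
    if not record_check(req, records):
        return False, "record"
    return True, "record"


if __name__ == "__main__":
    for r in (
        Request("alice", True, "clinician", "patient-42", "write"),
        Request("bob", True, "clinician", "patient-42", "write"),
        Request("alice", False, "admin", "patient-42", "read"),
        Request("alice", True, "guest", "patient-42", "read"),
    ):
        print(r.user, r.action, r.record_id, "->", authorize(r))
```

Ordering the layers from the broadest and cheapest (platform) to the most specific (record) keeps the performance cost mentioned earlier small: a request without a valid host session is rejected before any record is looked up, and only requests that have already cleared the platform and application gates pay for the per-record ACL evaluation.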