Security Rainbow

C2-level security is a unique standard in the computer security realm that the United States Department of Defense (DoD) has developed over the past 30 years. The National Computer Security Center (NCSC), an arm of the National Security Administration, began working on security ratings for military computer systems in 1967. The center published its first report in 1970 and issued its final specifications in the mid-1980s.

A "rainbow series" of books marks out the criteria for different kinds of security standards. Trusted Computer Standards Evaluation Criteria (TCSEC), or the Orange Book, lays out the requirements for security at various levels according to such parameters as the ability of a system to be audited, to control access, and to authenticate users. The Orange Book applies to standalone machines and operating systems.

There are more than 20 books in the Rainbow Series, and they thoroughly interpret the criteria for other system components. For instance, the Red Book interprets the criteria for network components, the Lavender Book for databases, and so on.

There are also security categories, which mark out the level of protection. They are D (minimal protection), B (mandatory protection), C (discretionary protection), and A (verified protection). C2, or controlled access protection, is the lowest that offers viable security.

For C2 certification, a system must:

1- Have good documentation at both the user and administration level and have documentation on security testing
2- Authenticate all users as unique individuals
3- Not allow objects to be reused or recovered once deleted
4- Let systems administrators audit all security events and the actions of individual users
5- Protect all objects and processes from all others
