Friday, January 10, 2020

CISSP: Security Protection Mechanisms


Protection Mechanisms

  • Use multiple layers or levels of access,
  • Employ abstraction
  • Hide data, and
  • Use encryption

Layering (defense in depth) is the use of multiple controls in a series. Because no single control can protect against all possible threats, protective measures should be arranged in series rather than in parallel, so that a request must satisfy every control. E.g.
  • Parallel systems: useful in distributed computing applications.
  • Series configuration: used in settings such as banks and airports.
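An added example (not from the study guide) that models the series and parallel arrangements as composed access controls, and works out how the chance of an attacker slipping past independent controls differs between the two. The request fields, the three controls and the bypass probabilities are assumptions constructed for the demonstration.

```python
"""Defense in depth: series vs parallel control arrangements (added example)."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Request:
    source_ip: str
    authenticated: bool
    clearance: int  # constructed scale: 0 = unclassified .. 3 = top secret


Control = Callable[[Request], bool]  # True means the control allows the request


def network_filter(r: Request) -> bool:
    """Perimeter control: only the constructed internal 10.0.x.x range passes."""
    return r.source_ip.startswith("10.0.")


def authentication(r: Request) -> bool:
    """Identity control: the subject must have authenticated."""
    return r.authenticated


def classification_check(r: Request, required: int = 2) -> bool:
    """Data-hiding control: subject clearance must reach the object's level."""
    return r.clearance >= required


CONTROLS: List[Control] = [network_filter, authentication, classification_check]


def series_allows(r: Request, controls: List[Control] = CONTROLS) -> bool:
    """Series (defense in depth): every layer must allow; a single deny blocks."""
    return all(c(r) for c in controls)


def parallel_allows(r: Request, controls: List[Control] = CONTROLS) -> bool:
    """Parallel: any one layer allowing is enough (favours availability, not protection)."""
    return any(c(r) for c in controls)


def bypass_probability(p_bypass: List[float], series: bool) -> float:
    """Probability an attacker gets through independent controls.
    Series: must bypass every control, so multiply the bypass probabilities.
    Parallel: bypassing any one suffices, so 1 - product of (1 - p)."""
    prod = 1.0
    for p in p_bypass:
        prod *= p if series else (1.0 - p)
    return prod if series else 1.0 - prod
```

With three controls that each fail one time in ten, the series arrangement is bypassed roughly 0.1% of the time while the parallel arrangement is bypassed about 27% of the time.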


Abstraction is used for efficiency and is used to define what types of data an object can contain, what types of functions can be performed on or by that object, and what capabilities that object has. The concept is to put similar items into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Data hiding prevents data from being discovered by a subject. Here the data is positioned in a logical storage compartment that is not accessible by the subject. E.g.
  • Keeping a database from being accessed by unauthorized visitors.
  • Restricting a subject at a lower classification level from accessing data at a higher level. 
  • Preventing an application from accessing hardware directly.


Security through obscurity is the idea of not informing a subject about an object being present and thus hoping that the subject will not discover the object. This does not actually implement any form of protection; it is merely an attempt to keep something from being found by keeping knowledge of it secret. E.g.
  • A programmer is aware of a flaw in code, but releases the product hoping that no one discovers the issue and exploits it.


Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients.


Reference:
Mike Chapple. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide.
