Windows VPS Information security models

Started by allricjohnson1, Aug 25, 2022, 05:04 AM


allricjohnson1 (Topic starter)

An essential issue is the consideration of various information security models that can be used in the construction of an information safety system. There are several models, each of which allows you to answer the questions posed to it.
Three main models of information security can be distinguished, these are the conceptual model, the mathematical model and the functional model of information security.
What their differences are, what questions they answer and what tasks the main models of information safety can solve, we will consider below.

Conceptual model of information security

The conceptual model answers general questions and reflects schematically the general structure of the information security model, on which other models and concepts of information safety are built as a pivot.

To build a conceptual model of information security, no matter how simple or complex your information system is, you need to answer at least three questions: what to protect, from whom to protect and how to protect? This is a mandatory minimum, which may be sufficient for small information systems. However, taking into account the possible consequences, it is better to build a complete conceptual model of information security, in which it is necessary to determine:

    Sources of information
    The priority or degree of importance of information.
    Sources of Threats
    Threat Targets
    Access methods
    Directions of protection
    Protection methods

The most complete conceptual model of information security, which is common to all information systems, is schematically shown below.

Building a conceptual model of information safety of a virtual server is usually divided into several different levels. In most cases, two levels are sufficient - the upper, organizational and managerial, which covers the entire organization and the corporate information system, and the lower or service, which refers to individual subsystems of the information system itself and various services.

The top-level concept or application is led by the person directly responsible for the organization's information security. In small organizations, this is usually the head of the organization himself, in larger organizations these duties are performed either by the head of the IT department or directly by the head of the information safety department, if such a department is separated into a separate structure.

As part of the top-level program, strategic security decisions are made; this application should contain the following main goals:

    Strategic planning
    Development and implementation of information safety policy
    Risk assessment and risk management
    Coordination of activities in the field of information security
    Control of activities in the field of information security

The main goal or concept of the lower-level application is to provide reliable and cost-effective protection of information subsystems, specific services or groups of services. At this level, decisions are made on which mechanisms, means and methods of protection to use; technical means are purchased and installed; daily administration is performed; the information safety system as a whole is monitored and the state of weaknesses is tracked; primary personnel training is carried out, etc.

Usually, responsible heads of information safety departments, system administrators and administrators and heads of services are responsible for the lower-level program. The most essential action at this level is the assessment of the criticality of both the service itself and the information that will be processed with its help.

For this level, it is necessary to formulate answers to the following questions:

    What data and information will be served by this service?
    What are the possible consequences of a violation of the confidentiality, integrity and availability of this information?
    What are the threats against which the data, information, service and user will be most vulnerable?
    Are there any features of the service that require special measures - for instance, territorial distribution or any others?
    What should be the characteristics of personnel related to security: computer skills, discipline, reliability?
    What are the legal provisions and corporate rules that the service must comply with?

There are a few very important things to keep in mind:

    "This program is not the embodiment of a simple set of technical tools built into the information system - the information safety system has the most essential "political" and managerial aspects. The application must be formally accepted and supported by senior management, it must have a certain staff and an allocated budget. Without such support, orders and various "calls" for the execution of the application will remain an empty phrase."
    "When building an information security model for a physical server or VPS, you must always remember that no matter how much you want to protect information, surrounding it with dozens of fences and safety systems, using the most modern and sophisticated methods and means of protection, the efforts and funds spent on building an information system security must be achieved by economically justified measures."

After the construction of a conceptual model of information safety has been completed, it is possible to start building a mathematical and functional model of information security.

Mathematical and functional models of information security

The mathematical and functional models are directly related to each other. The mathematical model is a formalized description of scenarios in the form of logical algorithms represented by a sequence of actions of violators and response measures.
The calculated quantitative values of the model parameters characterize functional dependencies that describe the processes of interaction between violators and the protection system and the possible results of actions. It is this type of model that is most often used for quantitative assessments of the vulnerability of an object, the construction of a risk assessment protection algorithm and the effectiveness of the measures taken.

When building these models, it is necessary to rely on the following essential circumstances:

    Selection of mathematically rigorous criteria for assessing the optimality of the information security system for a given information system architecture;
    A clear mathematical formulation of the problem of building a model of information safety tools, taking into account the specified requirements for the safety system and allowing you to build information security tools in accordance with these criteria.

In practice, in the face of numerous risks of security threats, it is obviously not possible to make such a numerical assessment without the use of mathematical modeling methods.

For instance, consider a mathematical model of an economically justified system for minimizing information safety risks.

Based on the experts' assessment of the likelihood of an information safety threat being realized, the significance of each threat is calculated, and the level of costs in terms of value for restoring the system's performance is also estimated. Next, the total risk of system failure is calculated as the sum of risks in each of the directions.

As a result of solving the described problem, we will consider the distribution of financial resources in the selected areas of the organization's activities, minimizing the risks of failure of the system's operability according to the criterion of information security.

Let in a technical or socio-economic system, dependencies of the risks Ri of failure of the system operability on the costs Xi for their avoidance (exclusion, reduction) in the i-th direction of ensuring information security (failure of hardware, software, failure of the system operability due to insufficient qualification of employees, managers, etc.)

i = 1...n, where n is the number of indicated directions.

Thus, while minimizing information security risks, we will use such an indicator as the level of costs (in material or monetary terms) for restoring the system's performance in the event of a failure in one or more areas.

Next, we define the following quantities:

1) Total risk of system failure

2) Z - the maximum amount of costs to reduce (eliminate) identified risks

3) ZMAXi - the maximum amount of costs for the implementation of the i-th direction

4) ZMINi - the minimum amount of costs for the implementation of the i-th direction,

Further, we can formulate the following mathematical programming problem, in which each of the risks must be minimized, while the total cost of avoiding them must be less than or equal to the maximum amount of costs for reducing (eliminating) the identified risks, where the cost of avoiding threats in each of directions must be greater than the minimum amount pledged for this direction, but not exceed the maximum amount for the same direction.

The constructed system is economically justified if the sum of all costs for avoiding, reducing or eliminating the compiled risks does not exceed or is equal to the total maximum amount of costs allocated for reducing (eliminating) the total risks.

This is just one of the examples of using mathematical modeling when building an information security system for your virtual server. Mathematical modeling can also be used to build a mathematical model of a potential intruder, in which it is possible to determine the coefficient or probability of realizing the threat of an attack by a potential intruder. Or the task of redundant elements of the system, which is solved to protect against violation of the confidentiality of the information processed in the information system, can be considered.

Depending on the goals and the task to be solved, many mathematical models of a part of the information security system can be built and applied, which will help to evaluate its effectiveness even at the design stage of the information security system.
The last not unimportant issue in the construction of any models or systems is the life cycle of this model or system.

Regrettably, it is not enough just to build an information security system using various models; it is also necessary to observe the life cycle of this system.

At the same time, it is essential not to miss any significant aspects. This will guarantee a certain minimum (basic) level of info security, which is mandatory for any information system.
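The cost-allocation problem described in the post above (minimise the sum of the risks Ri(Xi) subject to the total cost not exceeding Z and ZMINi <= Xi <= ZMAXi), as an added example that is not part of the original post. The exponential shape of Ri, the parameters p, c, k and all sample figures are assumptions constructed for illustration.

```python
import math

# Constructed sample data (not from the original post). For each direction i:
# p = expert-estimated threat probability, c = cost to restore operability,
# k = assumed effectiveness of spending, zmin/zmax = the ZMINi/ZMAXi bounds.
DIRECTIONS = {
    "hardware": dict(p=0.10, c=50_000, k=0.0004, zmin=1_000, zmax=8_000),
    "software": dict(p=0.30, c=40_000, k=0.0006, zmin=1_000, zmax=10_000),
    "staff":    dict(p=0.20, c=20_000, k=0.0003, zmin=500,   zmax=5_000),
}

def risk(d, x):
    """Ri(Xi), assumed model: expected loss p*c decaying exponentially with spend."""
    return d["p"] * d["c"] * math.exp(-d["k"] * x)

def total_risk(dirs, alloc):
    """Total risk of system failure: the sum of the risks in each direction."""
    return sum(risk(d, alloc[name]) for name, d in dirs.items())

def allocate(dirs, Z, step=100):
    """Minimise sum Ri(Xi) subject to sum Xi <= Z and ZMINi <= Xi <= ZMAXi."""
    alloc = {name: d["zmin"] for name, d in dirs.items()}
    if sum(alloc.values()) > Z:
        raise ValueError("infeasible: minimum costs already exceed Z")
    budget = Z - sum(alloc.values())
    while budget >= step:
        # Marginal risk reduction of one more step, per direction with headroom.
        gains = {
            name: risk(d, alloc[name]) - risk(d, alloc[name] + step)
            for name, d in dirs.items() if alloc[name] + step <= d["zmax"]
        }
        if not gains:
            break  # every direction has reached its ZMAXi
        best = max(gains, key=gains.get)
        alloc[best] += step
        budget -= step
    return alloc

if __name__ == "__main__":
    plan = allocate(DIRECTIONS, Z=12_000)
    for name, x in plan.items():
        print(f"{name:9s} X={x:6d}  R={risk(DIRECTIONS[name], x):8.1f}")
    print("total risk:", round(total_risk(DIRECTIONS, plan), 1))
```

Because each assumed Ri is convex and decreasing, spending the budget one step at a time on the direction with the largest marginal risk reduction gives the optimum for the chosen step size.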


VPS on Windows may be needed to develop ASP.NET applications and websites, databases on Microsoft SQL. Windows servers are also often used to operate forex trading robots and terminals; this is a good alternative to specialized tariffs if you are ready to install and configure all the VDS server software yourself.

For many years, Windows VPS has used a mechanism to control access at the user and group level. The user can work on a secure local network or connect through a public hotspot. The person is one, but the risks for the business are different.

This issue is especially acute now, since, according to statistics, most leaks occur through the fault of insiders (intentional or accidental) who have legal access to some information. As a result, a large number of groups are created to cover all needs, which seriously complicates administration, in particular, understanding who really has access to where. The slightest mistake of the user or administrator - and the document is out of place and has improper access rights. Today's organizations urgently need an easy-to-use mechanism for preventing information leakage (DLP, Data Leak Prevention).

You can protect content using Rights Management Services, but it only solves some of the problems. More globally, the task of access control and audit is designed to be solved by the technology of dynamic access control (Dynamic Access Controls, DAC).

The technology is based on three main concepts:

    Document classification - based on tags that are added by the user when creating / editing a document (in properties), by the application, inherited from the catalog or assigned by context. If the document is not classified, then only traditional means of access are used.
    Policies - consist of one or more expression-based rules that describe access conditions for user/device claims and tags. Expressions contain Active Directory attributes and, in fact, are the basis of the DAC, showing who and under what conditions can access.
    Audit - advanced audit policies that allow you to obtain information about attempts to access confidential information.

DAC integration with the RMS service is implemented, which allows real-time protection of documents that have been assigned the appropriate tag. Configuration is simplified by automatic tagging of documents, which is performed using rules configured in the File Server Resource Manager.


If I don't set the tag, will this app work? With remote access, can documents that were taken from another account also be encrypted?


Any user in the domain can enter up to 10 computers into the domain — a computer added to the domain can be an attacker's computer, and when your computer is in the domain, then it is less necessary to try to get into the domain.

So, it is more correct to disable this feature for all users and not to have a separate user for adding computers to the domain. Instead, create a group with the role of adding computers, include a user in it only when it is necessary to join a computer to the domain, and clear the group after the computer has been added.
Moreover, it is worth changing the Computers OU used by default for new computers to another OU, on which preliminary group security policies are imposed, if there is a practice of joining computers with Windows already installed not from the reference image.
And even better is to make it impossible to create new objects of the computer type, so that computers can only be added with a name according to a template by updating an existing computer account.