The reference monitor is much like the bouncer at a club because it stands between each subject and object. Its role is to verify the subject meets the minimum requirements for access.
The correct answer is:
B. Policies to validate organization rules
Explanation:
The reference monitor is a concept in access control that enforces a system's security policy by validating every attempt to access resources according to defined rules. It ensures that all access requests conform to the organization's security policies, such as access permissions and data classification levels.
The reference monitor acts as a mediator between subjects (users or processes) and objects (resources like files, databases, or systems), ensuring that only authorized interactions occur. It is a critical component of security models like the Bell-LaPadula or Clark-Wilson models.
It's called the reference monitor CONCEPT - because it is NOT an implementation of any system or policy. When it is implemented it would be called the Security Kernel.
A reference monitor is a security kernel that enforces access control policies for a system. It acts as an intermediary between subjects (users or processes) and objects (resources) and ensures that subjects have the necessary permissions to access objects.
According to NIST (https://csrc.nist.gov/glossary/term/reference_monitor), a reference monitor is "A set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked (i.e., complete mediation), tamperproof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable)."
1) The reference monitor is a design principle; therefore D is correct.
2) The reference monitor is needed to validate whether subjects can access objects; it is used to validate access using access rights defined in a policy; it is not used to validate organization rules; therefore, B is incorrect.
I chose A, the policy seems to be at a higher level, and the reference monitor should be controlled at more specific levels of each operation (unit operation)
The purpose of the reference monitor when defining access control to enforce the security model is BEST described by option B: Policies to validate organization rules.
The reference monitor is a concept in computer security that represents an abstract machine or component responsible for enforcing access control policies. It is an essential component of the security model used to ensure that access to system resources is granted or denied based on predefined rules and policies.
The reference monitor validates and enforces these organization-specific rules and policies regarding access control. It acts as a trusted authority that mediates all access requests and determines whether they should be permitted or denied based on the established security policies.
B. Policies to validate organization rules. The reference monitor is a security mechanism that controls and mediates the access of programs, processes, or users to resources or objects in a system. It enforces the security policy for the system by validating and controlling access requests according to the rules specified in the security policy. Resources such as https://searchsecurity.techtarget.com/definition/reference-monitor and https://www.academia.edu/25732717/Reference_Monitor_and_Security_Policies provide more information on the purpose of the reference monitor.
Badly worded question. Pick B.
A core function of the kernel is running the reference monitor, which mediates all access between subjects and objects. It enforces the system's security policy, such as preventing a normal user from writing to a restricted file, such as the system password file.
I believe A is the answer. B cannot be correct because the TCB and reference monitor have nothing to do with the organization but have everything to do with the operating system, hardware, and other units / modules of the system as a whole. D is also out because the goal of the reference monitor is more about security than design.
I am between B and D. As I think like a manager, it sounds like B. Now, from the technical side of things, it sounds like D.
From NIST: https://csrc.nist.gov/glossary/term/reference_monitor
A set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked (i.e., complete mediation), tamperproof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable).
Soooo, Maybe "D". I don't know.
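An added example, not part of any post above: a minimal sketch of the mediation the NIST definition and several comments describe, with every access to an object passing through one check that denies by default. It goes beyond the thread by using Bell-LaPadula rules (no read up, no write down) as the policy; the class names, levels, subjects and objects are constructed for illustration, and Python cannot show the tamperproof requirement.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # constructed sensitivity levels (assumption)
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level

@dataclass(frozen=True)
class Obj:
    name: str
    classification: Level

class ReferenceMonitor:
    """Decides every request against the policy and records the decision."""
    def __init__(self):
        self.audit = []  # (subject, object, operation, allowed)

    def check(self, subject, obj, op):
        allowed = False  # default deny, covers unknown operations
        if op == "read":     # simple security property: no read up
            allowed = subject.clearance >= obj.classification
        elif op == "write":  # *-property: no write down
            allowed = subject.clearance <= obj.classification
        self.audit.append((subject.name, obj.name, op, allowed))
        return allowed

class ObjectStore:
    """Holds objects; the only path to them runs through the monitor."""
    def __init__(self, monitor):
        self._monitor = monitor
        self._data = {}  # Obj -> contents

    def access(self, subject, obj, op, contents=None):
        if not self._monitor.check(subject, obj, op):
            raise PermissionError(f"{subject.name}: {op} on {obj.name} denied")
        if op == "write":
            self._data[obj] = contents
        return self._data.get(obj)

def demo():  # constructed subject and object
    rm = ReferenceMonitor()
    alice, plan = Subject("alice", Level.CONFIDENTIAL), Obj("plan", Level.SECRET)
    return [rm.check(alice, plan, op) for op in ("read", "write", "delete")]
```

The audit list grows by one entry per request, allowed or denied, which is the property to look for when checking that nothing bypasses the monitor.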
Nickname53796 (Highly Voted), 2 years, 1 month ago
jackdryan, 1 year, 7 months ago
Fouad777 (Most Recent), 6 days, 8 hours ago
nuggetbutts, 2 weeks, 2 days ago
robervalchocolat, 2 months, 3 weeks ago
Vasyamba1, 8 months, 2 weeks ago
finallink, 9 months, 3 weeks ago
susmit683, 10 months, 1 week ago
74gjd_37, 1 year, 2 months ago
Vince_F_Fang, 1 year, 2 months ago
Bach1968, 1 year, 4 months ago
s_n_, 1 year, 10 months ago
Firedragon, 2 years ago
RonWonkers, 2 years ago
Jamati, 2 years ago
somkiatr, 1 year, 11 months ago
rootic, 2 years ago
krassko, 2 years, 1 month ago
franbarpro, 2 years, 2 months ago