Separation of protection and security

In computer science, the separation of protection and security is a design choice. Wulf et al.[1] identified protection as a mechanism and security as a policy, which makes the protection/security distinction a particular case of the broader mechanism/policy separation principle.

Adopting this distinction in a computer architecture usually means that protection is provided as a fault-tolerance mechanism by the hardware, firmware and kernel, which support the operating system and the applications running on top of them in implementing their own security policies. In such a design the security policies therefore rely on the protection mechanisms, supplemented by cryptographic techniques.

The two major hardware approaches[2] to security and/or protection are hierarchical protection domains (ring architectures with a "supervisor mode" and a "user mode")[3] and capability-based addressing.[4] The first approach already adopts a policy at the lower architectural levels (hardware, firmware, kernel) and forces the rest of the system to rely on it; choosing to distinguish between protection and security in the overall architecture therefore leads to rejecting the hierarchical approach in favour of capability-based addressing.[1]

The Bell-LaPadula model is an example of a model in which protection and security are not separated.[5] Landwehr 1981 includes a table showing which computer security models separate the protection mechanism from the security policy.[6] Those with the separation are: access matrix, UCLA Data Secure Unix, take-grant and filter; those without are: high-water mark, Bell and LaPadula (original and revisited), information flow, strong dependency and constraints.
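The following is an added illustration, not part of the original article and not code from Wulf et al. or from any of the cited systems. It models the two hardware approaches described above as small Python classes to make visible where the policy sits: the ring check carries a fixed policy inside the mechanism (supervisor mode always wins, and a less privileged ring can never reach a more privileged object), whereas the capability monitor only answers whether a subject holds a capability with the requested right, and two different security policies (a discretionary owner policy and a multilevel no-read-up/no-write-down policy) are expressed purely by how capabilities are distributed, with the same mechanism enforcing both. Every name in the block (`ring_allows`, `CapabilityMonitor`, the subjects, objects and levels) is invented for the example.

```python
"""Added example: where policy lives in a ring model versus a capability model.

Not code from the article or from Wulf et al.; all names and data are made up.
"""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, Set


class Right(Flag):
    READ = auto()
    WRITE = auto()
    EXEC = auto()


# --- Hierarchical protection domains (ring architecture) -------------------
# The check itself is the policy: ring 0 ("supervisor mode") reaches everything,
# and a caller may touch an object only if the caller's ring is at least as
# privileged as the ring the object lives in. No layer above this check can
# substitute a different policy without changing the mechanism.
def ring_allows(caller_ring: int, object_ring: int) -> bool:
    """Lower ring number means more privilege; ring 0 is supervisor mode."""
    return caller_ring <= object_ring


# --- Capability-based addressing --------------------------------------------
# A capability names an object together with the rights held on it. The monitor
# knows nothing about owners, clearances or labels; it only stores capabilities
# and reports whether one granting the requested right is held.
@dataclass(frozen=True)
class Capability:
    obj: str
    rights: Right


class CapabilityMonitor:
    """Protection mechanism: holds per-subject capability lists and checks them."""

    def __init__(self) -> None:
        self._clist: Dict[str, Set[Capability]] = {}

    def grant(self, subject: str, cap: Capability) -> None:
        self._clist.setdefault(subject, set()).add(cap)

    def check(self, subject: str, obj: str, right: Right) -> bool:
        return any(c.obj == obj and right in c.rights
                   for c in self._clist.get(subject, ()))


# --- Security policies, layered on top of the mechanism ---------------------
def discretionary_policy(monitor: CapabilityMonitor, owners: Dict[str, str]) -> None:
    """Each object's owner gets full rights on it; everyone else gets nothing."""
    for obj, owner in owners.items():
        monitor.grant(owner, Capability(obj, Right.READ | Right.WRITE | Right.EXEC))


def mls_policy(monitor: CapabilityMonitor,
               clearance: Dict[str, int],
               classification: Dict[str, int]) -> None:
    """Multilevel policy: read only at or below one's clearance ("no read up"),
    write only at or above it ("no write down"). Expressed entirely as a
    distribution of capabilities; the monitor is unchanged."""
    for subj, lvl in clearance.items():
        for obj, cls in classification.items():
            rights = Right(0)
            if cls <= lvl:
                rights |= Right.READ
            if cls >= lvl:
                rights |= Right.WRITE
            if rights:
                monitor.grant(subj, Capability(obj, rights))


def demo() -> Dict[str, bool]:
    """Run both approaches on constructed subjects/objects and return the verdicts."""
    results = {
        "ring: user code (ring 3) touching kernel object (ring 0)": ring_allows(3, 0),
        "ring: supervisor (ring 0) touching user object (ring 3)": ring_allows(0, 3),
    }
    # Same mechanism, first policy: discretionary ownership.
    dac = CapabilityMonitor()
    discretionary_policy(dac, {"payroll.db": "alice"})
    results["dac: alice reads payroll.db"] = dac.check("alice", "payroll.db", Right.READ)
    results["dac: bob reads payroll.db"] = dac.check("bob", "payroll.db", Right.READ)
    # Same mechanism, second policy: multilevel (0 = unclassified, 1 = secret).
    mls = CapabilityMonitor()
    mls_policy(mls, {"alice": 1, "bob": 0}, {"secret.txt": 1, "public.txt": 0})
    results["mls: bob reads secret.txt (read up)"] = mls.check("bob", "secret.txt", Right.READ)
    results["mls: bob writes secret.txt (write up)"] = mls.check("bob", "secret.txt", Right.WRITE)
    results["mls: alice writes public.txt (write down)"] = mls.check("alice", "public.txt", Right.WRITE)
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The point of the second half is that swapping `discretionary_policy` for `mls_policy` changes nothing in `CapabilityMonitor`; the policy is a separate layer that decides which capabilities exist. Note that layering a no-read-up/no-write-down rule on a policy-free mechanism is a design exercise and says nothing about the Bell-LaPadula model itself, which, as the text states, does not separate protection from security.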
