Trade-offs of secure processing in centralized versus distributed networks

Trade-offs of secure processing in centralized versus distributed networks

Trade-Offs of Secure Processing in Centralized v e r s u s Distributed Networks Bennet P. Lientz been an increasing concern for protecting data and s...

795KB Sizes 0 Downloads 85 Views

Trade-Offs of Secure Processing in Centralized v e r s u s Distributed Networks Bennet P. Lientz

been an increasing concern for protecting data and software. Although tEere have been significant developments in the area o f computer data security, the imposition o f security measures often results in significant performance degradation on the workload. This paper is concerned with the effects of imposing security measures on part o f the workload in a computer network. A series o f analyses was conducted to tiadeo f f different network configurations under a variety of workload conditions. The analysis was conducted using a simulation model. The model is briefly summarized in section 2, together with input parameters for the experiments. The results are presented in section 3. They should be viewed in terms of the particuiar framework and should aot be viewed as conclu,;ive for all network cases. Rather, they serve as indications of what might occur and reinforce the need for detailed analysis in workload and network planning. The remainder of this section will briefly review some of the relevant literature. Considering computer networks, a substantial

Graduate $chool oJ'Management, University of California, Los Angeles, USA

and Ira R. Weiss Graduate School o f Business Administration, New York University, New York, USA Simulation was performed for specific network configurations to assess the effect of imposing security measures on a portion of the workload The resutls provide a methodology for performing trade,3ff analysis. The trade-offs are presented in terms of the measures of response time, workload, and cost. Network types inluded distributed, semicentralized, and centralized configurations. The analysis was conducted using a simulation model which is briefly summarized. The results of the simulation for the eases considered indicate that economies of scale shift from centralized to semieentralized configurations for a fixed ![O bound workload. This occurs when throughput degrades, due to the imposition of security measures, approximately 15% (10%) when 10% (20%) of the workload requires secure processing. Degradation is also examined when certain centers process only secure workload versus distributing both secure and nonsecure jobs across the network.

Keywords: Network simuhtion, computer security, centralized processing, distributed processhag, network performance.

Bennet P. Lientz, Ph.D., Associate Professor of Computers and ln~'ormation Systems, Graduale School of Management, University of Califorrda, L.A., is the author of over thirty papers and a Textbook on information systems.

I. lnt:oduetion I'he past few years have seen the growth of netw¢ rk technology and usage. Co;tcomitantly there has

The authors wish to express their appreciation to lhe referees for their valuable suggestions which improved the paper.

O

ka R. Weiss, Ph.D., Assistant Protessor of Accounting and Information Systems, Graduate School of Bu,~iness Admini~;tration,NYU, is the author of articles on computer software security, EDP Auditing and computer based modeling. This spring he will be introducing an experimental course on EDP Auditing at NYU.

This work was partially supported by the Information Systems Program, Office of Naval Research under contract N00014-75C-0266, project NR 049-345. © North-Holland Publishing Company Computer Networks 2 (1978) 35-43. 35

36

KP. £ientz, LR. Weiss / Trade~ffs o f secure processing

body of published research now exists with respect to topological and communication considerations. Networks offer specialization, decentralization, system redundancy, resource sharing, and load leveling. Computer networks offer the scale of usage to permit sophisticated, costly security measures and permit the distribution of workload between secure and nonsecure centers in the network. That problems exist in the legal, social, security, economic, and management areas has been cited by Enslow [9], Herzog [16], and Stefferad [28]. Enslow [11] has pointed out the increased importance of the issue of expanded exposure to privileged information on individuals. Some previous experiments without security considerations appear in refs. [4] and [22,23]. In the area of security, the problems in the U.S. arising from the misuse of information and programs within computer installations have been increasing. Cases of theft, fraud, and embezzlement have been documented by Parker [27] in studies supported by the National Science Foundation. Hall [15] in a recent address indicated that FBI cases have increased and that there is evidence of organized crime being active in this area. Physical security has been examined and measures have been evaluated at some length (see for example [1,2,6,7,25,27]). In the areas of software security, TRW, in a study with |BM [18], indicated that 1) no existing computer system is completely secure and 2) the certification of a computer system as secure is not within the curre~it state of the art. There have been several studies indicati,g the overhead in processing when security measures are applied. Turn and Shapiro [29] estimated overhead of 5--20% based on data available in the literature including the work of Van Tassel [30] and Weissman [31]. Data communication overhead due to encryption is discussed by Friedman and Hoffman [13] and Hoffman [17]. Some additional cases of degradation have been published by IBM [18] using the internally developed Resource Security System under OS/MVT. Degradation ranged from 1-12~;'~ for minimal options and 15-31% for maximal options. In the experiments described here the range of degradation is taken to be 0-30% in processing overhead. Another topic in the security area is the percentage of jobs that must be protected by security measures. The experiments considered a range of i 0 to 40% of the workload needing the measures. However, most of the experiments are for 10 or 20% of the workload requiring protection. In the next section

the model, assumptions, and experiment parameters are explored.

2. Model structure and framework of analysis The analysis was based on an analytic computer model which is summarized in terms of the assumptions and structure. The model inputs are then discussed. The assumptions of the model are remote and local jobs are both considered. A remote job consists of message transmission, computation, and a response. A local job is computation only, with no communications. Messages are assumed to have single sources and destinations message and job arrival distributions are negative exponential. interarrival times are independent of message lengths and job size. centers are assumed to have an infinite traffic capacity. message routing is by a fixed minimal path routing. centers behave independently of each other, which implies infinite capacity message buffers. retransmission is not explicitly taken into account. costs are computed outside of the model using commercial rates and available vendor pricing information. a closed system queing model is assumed for computational analysis. Before proceeding it is appropriate to comment on the assumptions. The fixed minimal path routing has shown to be close to optimal by Frank [12]. Arrival times are more closely approximated by gamma distributions. However, the effective difference has been shown to be quite small. Kleinrock [21 ] has indicated that this occurs when all users are considered simultaneously. This assumption shou!d be verified for a particular network. The assumption of inf'mite capacity message buffers has been shown to hold with a network operating at less than 80% of capacity. Limitations on center capacity have been shown to be minor in an unsaturated network with mimimum time delay [21]. The dosed system queuing model and its validation are disccused in Buzen [3]. The model views tasks as moving from a queue to one of several servers which indude the CPU and I[O • channels. The model is programmed in both APL, FORTRAN and PL/1 and comprises several modules. The first module handles communication parameters

B.P. Lientz, LR. Wei~s / Trade-offs o f secure proce.~sing

and takes as imput the following: center locations, topological confi~ration, channel capacity, packet size, message size, any known switching delay, and product arrival rate. A message routing routine constructs a traffic matrix which serves as input to computing communication delay. Communication delay is composed of switching delay, transmission time, propagation rate of the communication link, and queuing delay. The theoretical framework of the module draws from the work of Kleinrock [20,21 ], and Dijksxra [9]. The computation module computes throughput and comoutational delay at each center. The throughput equ(tion is based on the work of Buzin [3], Gordon ~md Newell [14] and Jackson [19]. This was modified to emulate a multiprogramming environment to obtain computation delay. The input includes the number of initiators, instruction rate, number of channelds, average number of seconds per request for each server (CPU and I/O channels), a probability matrix associated with going from task queues to each server, CPU availability, job arrival matrix, and an adjustment factor to reflect a non FIFO queuing system. Whereas the communication equations had been previously validated, the expressions in [3] had been validated for only a limited set of cases. Therefore, validation work was conducted based on performance and workload statistics of two computer centers (IBM 360/91 for computation oriented workload and an IBM 370/168 for data processing I[O related workload). Validation runs were then statistically evaluated and found to fit within 10-15% of actual results. The analysis utilized the previously mentioned machines or hardware within the same general family. The output module combines the results of both communication and computation modules to give average response time for local and remote jobs for each center timing and utilization of communication links, CPU and channel utilization, and throughput. Having discussed the model and its structure, the parameters can be reviewed. Three different network configurations were used. These are portrayed in Exhibit 1 together with the channel capacity and computer type at each center. The selection of IBM equipment was made to obtain a consistent cost framework. The selection of the individual machines was based on maintaining a dose correspondence of processing power. Data on costs and hardware characteristics was collected from DATAPRO [8] and vendor supplied literature. Additional inputs included

la.

Distrlbuted

lb.

semi-centrai ized

37

(All Cer,ters 370/158)

376/125 370/125

O

,.¢

~ 3

~ 7 0 / 16 370/12 50 ~ . . ~ ~

5E~b

~

7 0/12 5 37 o,'I 2~

9"-

370 ,,"12 -=C)~ ~o'~7.:=

%b'TD ~0,125

370/1250//~ !c. Centralized

370/'123('-)

- r

F' 179/125

~';~"~

370.'125

370,1~sCY,,<: 370/125~/~'

370,.,12s

a~\ 3"0,125

Fig. 1. Network structures.

message size (8000 bits), acknowledgement message (168 bits), and job arrival matrix (distribution based on processing capability and security requirements of the workload). In figs. lb and lcthc message routing pan of the model is irrelevant since only 1 or 2 centers are involved. In the data processing type workload the number of 1/O channels was fixed at four per cneter for each of the processing centers (370/158, 370/168,370/195). For each of the communication realted centers I/O channels were fixed at two. In the computational workload these changed to seven and three respectively. The remaining parameters pertain to workload. The workload was divided into categories: nonsecure and computation oriented, nonsecure and data processing (I/O) oriented, secure and computation oriented, and secure and data processing (1/O) oriented. The nonsecure jobs are assumed to be divided into the following categories: - 40% of the jobs were invoked by job control language program (JCL) (data resident in host machine) - 20% of the jobs were invoked by a job control language program and data (data shipped to host machine) - 20% of the jobs were invoked by a ,lob control language program (programs shipped to host machine)

38

B.P. Lientz, LR. Weiss/ Trade-offs of secure processing

20% o( the jobs were invoked by a job control language program data, and programs (programs and data s~'.ipped to host machine) This distribution was based on a statistical analysis of UCLA's center and several commercial data centers. The secure jobs were either invoked by a job control language deck (75% of the jobs) or a job control language deck, program and data (25% of the jobs). The job size o f the workload varied from 1000 to 25000 bytes. The number of jobs was set at 175 jobs for a two hour period (data processing type jobs) and 175 jobs for a fifteen hour period (computition type jobs). The remaining parameters relate to access times and probability of access for the CPU aad the I/O channels. These were collected from system monitoring statistics based on the types of worEload (e.g.," computation, data processing). The semicentralized and distributed configurations permit the secure workload to be localized ~:o a subset of the centers. For the semicentralized case, all secure processing is done at one center. For the d~stribution configuration, the secure workload is handled by a minimum of one center to a maximum of four centers depending on the workload allocation scheme and the percentage of workload secure. Both of the configurations ,ermit dedicating some centers to processing only secure jobs. The remainder of the center handleg the non-secure workload.

! zooo 4

-

3. Simulation The results are summarized in ~gs. 2 - 7 . The figures graph selected performance measures against the percentage degradation imposed by the security measures on throughput. One measure, average response time, is the weighted average time o f the total to send, process and receive messages in the network. The lines in the Figure are least square regression lines computed using the UCLA BMD statistical routines. Data points were found to be within a 90% confidence contour about the respective lines. In the exhibits for the semicer~tralized (distributed) case the secure workload is isolated to one center (at most four centers). The phrase "centralized secure workload" refers to dedicating certain centers to processing exclusively secure jobs. The phrase "distributed secure workload" refers to the mingling of secure and nonsecure jobs in a center with security measures applied to all jobs in the center. The figures will now be considered individually.



N

800 . 7OO t

600

soo



400

u

300

t

0

10 Percentage

20 Degradation

30

Fig, 2. Cost X average response time versus percentage degradation. Fixed workload-175 jobs. Data processing type workload. 10~ secure workload.

Figs. 2 and 3 graph cost X average response time (106 X $ X sec) versus percentage degradation. The

workload is 175 jobs of the data processing type over a two hour period. Figures 2 and 3 correspond to 10% and 20% of the workload being secure, respectively. The lines in figures 2 and 3 are de:,~ned by Fig. 2. 1. semicentralized configuration with a centralized secure workload 2. distributed configuration with a centralized secure workload 3. distributed configuration with a distributed secure workload 4. semicentraiized configuration with a distributed secure workload 5. centralized configuration F i g . 3.

1. distributed configuration witl-~ a centralized secure workload 2. distributed configuration with a distributed secure workload 3. semicentralized configuratior: with a centralized secure workload 4. semicentralized configuration with a distributed secure workload 5. centralized configuration In both figures there is a trade-off point between the centralized case and semicentralized case with a distributed secure workload. The trade-off occurs at

B.P. Lientz, LR. Weiss / Trade-offs of secure processb~g 900

° !

39

$200

800

•!

~

1100

700

~,

i000 ~J

®

600

~w

I$

~

900

500 800

uO 400 700

30O -

0

"

I

I

"

Fig. 3. Cost X average response time versus percentage degradation. Fixed workload-175 jobs. Data processing type workload. 20% secure workload,

10-15% percentage degradation in each case (point A in fig. 2, point B in fig. 3). Another observation can be made from figs. 2 and 3. It can be seen that the distributed secure workload case gives better performance than the centralized secure workload case since it allows the optimization of response time in the network. This can be seen by comparing lines I and 4 and lines 2 and 3 in fig. 2 a~d lines 1 and 2 and lines 3 and 4 in fig. 3. A related observation is that the distributed network is preferred to the semicentralized network in the centralized secure workload case. We also expect that as the secure workload increases as a percentage of total workload, the centralized secure workload cases will approach the distribt, ted secure workload cases. This is verified by comparing lines 2 and 3 in fig. 2 with lines 1 and 2 of fig. 23, and lines 1 and 4 in fig. 2 with lines 3 and 4 of fig. 3. In fig. 4 cost is removed from consideration and average response time is graphed against percentage def.radation. The distributed and semicentralized ca~,~; are both for a distributed secure workload. At

,,1

I0

I

10 20 30 Percentage Degradation

,,

,.,J

20

.

, ,f

30

Percentage Degradetion Fig. 4. Average response time versus percentage degradation. Fixed workload-175 jobs. Data processing type workload. At least 2(Y,~ secure workload.

least 20f4 of the workload is secure. The lines are described by fig. 4. 1. distributed configuration with a distributed secure workload 2. semicentralized configuration with a distributed secure workload 3. centralized configuration There are two trade-off points (labeled C and D}. Point C corresponds to points A and B of figs. 2 and 3. It is the point a~ which a semicentralized network becomes as effective in average response time as a centralized network. Point D is the trade-off point between the centralized and distributed network. Extrapolating lines 1 and 2, we could hypothesize a trade-off point between semicentralized and distrib,ted networks at about the 35% level of percentage degradation. Fig. 5 applied to a fixed workload of 175 jobs of a data processing type. Average response time is plotted against percentage degradation. The lines in the figure are described as fig. 5. 1. semicentralized configuration with a centralized secure workload and 10% of the workoad being secure

2. semicentralized configuration with a centralized

8.1'.Lientz, LR. We;ss / Trade~ffs o f secur~ processing

40

2100

l e

2000 k

1900 1800 1700~i,i 1600

/

0

~-

i~oo.

/_

/

1400~ i

1300i

"

:000i / / <

10 0

1~

9

700

t,~)

,

,

,

0

10

20

30

Percentage

.

Degradation

Fig. 5. Average response time versus percentage degradation. Fb:ed workload-175 jobs. Data processing type workload.

secure workload and 10% of the workload secure 9. semicentralized configuration with centralized secure workload and 40% of the workload secure 10. semicentralized configuration with security measures imposed at every center 11. semicentrlalized configuration with a distributed secure workload 12. centralized configuration To use this figure we would search for the lower envelope of lines under a given set of conditions. For example, with 10% or less of the workload being secure, the lower envelope consists of the lines 12, 11, and 8. This yields two trade-offpoints (E and F). The point E is the point at which the semicentralized configuration with a distributed secure workload becomes more effective than the centralized case. Point F is the trade-off point between the semicentralized and distributed configurations. It is also possible to use the figure to examine different conditions for a particular configuration. The distributed configurations begin at the point G. Considering the family of lines from G reveals the deterioration in performance as the percentage of the workload needing security measures increases. The worse case is where all centers are made secure. Analogous remarks can be made for the semicentralized lines beginning at point H. Centralizing the secure workload in the semicentralized network incurs a substantial degradation. This can be seen by comparing lines 9 and 11 with linez 1,2, and 3. Fig. 6 shows a similar set of lines as in fig. 5 for computation type workload with a total fixed workload of 175 jobs. The labels for the lines in fig. 6 are 1. distributed configuration with a centralized secure workload and 10% of the workload being secure

3.

4. 5. 6. 7. 8.

secure workload and 20% of the workload being secure semicentralized configuration with a centralized secure workload and 30% of the workload being secure distributed configuration with security me lsures at each center distributed configuration with a distributed secure workload and 40% of the workload s~cure distributed configuration with a distributed secure workload and 30% of the workload s:~cure distributed configuration with a distributed secure workload and 20% of the worklozd secure distributed configuration with a d!stributed

2. distributed configuration with a centralized secure workload and 40% of the workload being secure 3. distributed configuration with a centralized secure workoad and 20% of the workload being secu~

4. distributed configuration with a distributed secure workload and 40% of the workload being secure

5. distributed configuration with secure workload and 30% of the secure 6. distribu*.ed configuration with secure workload and 20% of the secure

a distributed workload being a distributed workload being

B.P. Lientz, LR. Weiss / Trade~affs o f secure processing

90o/

41

6.0 A

8000~ x 5.0~

u~ ~

6)

600C

.

0

-,-I

'~o

4.0

,-I v

1

O

E • el 4.1

t

; 3000[

d~ 3.o~

:> ,a:

um

©

-~

2000

iooo

0 0

4 I0 Percentage

20

30

Degradation

Fig. 6. Average resonse time versus percentage degradation. Fixed workload-175 jobs. Computation type workload.

2.0

f [

1"0 t 0

--

;

i0

....

/,

I

20

30

Percentage Degradation

7. distributed configuration with a distributed secure workload and 10% of the workload being secure

8. distributed configuration with a centralized secure workload and 30% of the workload being secure 9. semicentralized configuration with a centralized secure workload and 40% of the workload being secure

1 l. semicentralized configuration with a distributed secure workload 12. centralized configuration These jobs are very long, almost exclusively CPU bound. Hence, there is no trade-off between a semicentralized and centralized network. It can also be observed that the semicentralized network is more effective in terms of response time than the distributed cases. The distributed cases for the distributed secure workload behave in a similar manner to that observed in fig. 5 (increasing in response time as the secure workload increases). The centralized secure workload case for the distributed network displays a substantial variation as the percentage of workload being secure increases. Line 2 corresponds to the 40%

Fig. 7. Workload varation~ Datz processing type workload.

centralized secure workload for the distributed network and ends at 10~ degradation since the 20',~ and 30% cases would produce greatly increased response time. Up to the 40% secure workload case response time improves in the centlalized secure workload distributed network since the proportion of jobs allocated to the fixed centers handling the secure workload continues to irr~prove. At a workload of 40% secure a disproportionate allocation again occurs and response time reacts accordingly. Fig. 7 compares all confiburations in terms of workload factored by cost x average response time for data processing type jobs. The lines in fig. 7 are 1. centralized configuration 2. semicentralized configuration with a distributed secure workload 3. semicentralized configuration with a centralized secure workload and 40% o f the workload secure 4. semicentralized configuration with a centralized secvre workload and 30% o f the workload secure 5. semicentralized configuration with a centralized secure workload and 20% o f the workload secm ~-

42

B.P. Lientz, LR. Weiss / Trade-offs o f secure processing

6. distributed configuration with a distributed secure workload and 10% o f the workload secure 7. distributed configuration with a distributed secure workload and 40% o f the workload secure 8. distributec configuration with a centralized secure workload and 40% o f the worl-3oad secure 9. distributed configuration with a centralized secure workload and 10% o f the workload secure 10. semicentralized configuration with a cnetralized secure workload and 10% o f the workload secure A series of trade-off points are generated by following the centralized network line. These points are explained belog' and reveal the various points at which trade-offs occur. I - centralized network and semicentralized network with secure workload J - centralized network and semicentralized network with centralized secure workload, 40% o f workload secure K - centralize:/ network and semicentralized network w-~h centralized secure workload, 30% o f workload sec,are L - c e n t r a l i z e , ] network and semicentralized network with centralized secure workload, 20% of workload secure M - centralized network and distributed network wifia distributed secure workload, llY/o of workload ,.~ecure N - centralized network and distributed network with centralized secure workload, 10% of workload sec~.~e In all cases bu! one, the semicentralized network is more effective than the distributed network. The exception occurs for the case of the semicentralized network with a centralized secure workload and 10% of the workload being secure.

4. Conclusion It should be emphasized that the results are specific to the conditions outlined in Section 2. Additional analysis would be nece-~ary to examine particular cases. With these qualifi0atiotls, we can now consider the analysis as a whole. A methodology has been developed for examining the effect o f imposing security measures on network performance. The literature indicates that there can be substantial degradation with the impofition of security measures. The results reveal that trade-off points can occur at relatively low levels o f degrada-

tion between different conditions. The deterioration in performance due to centralizing the secure part o f the workload has been shown for the semicentralized and distributed networks. It also has been shown economies o f scale for centralized computing still hold for a computation-type workload. The effect o f increasing the percentage of total workload being secure has been seen for both distributed and semicentralized configurations. It is important then, in ne~atork design, to analyze security requirements in both present and projected environments. The results also emphasize the need for developing technical security measures which produce less degration and to considering the effects o f management decisions on both the workload distribution and percentage o f workload secure in the network.

References [1[ 8randt R. Allen, Computer Security: Part !. Data Management Ianuary, 1972, pp. 18-24. [2] Melvin Bray, How Safe is Your System, Data Systems, December 1971, pp. 12-15. [3] J.P. Buzen, Computational Algorithms 'or Closed Queuing Networks with Exponential Servers, Comm. ACM, 10, 1973, pp. 527-531. [4] G. Cady, B.P. Lientz, and N.E. WiUmorth, Experiments in Commt, nication Networks, Naval Res Logist, Quarterly, 21, 1974, pp. 107-124. [5] R.G. Canning, Protecting Vah,~b!e Dat::: Part l, EDP Analyzer, January 1974, Vol. 12, No. 1. [6] Paul Carlsen, A Bank Protects it Memory, Banking, April 1971, pp. 38-39. [7] Peter F. Cart, Limiting Access to Centers Called a Major Problem, Computerworld, June 24, 1970, p. 1. [81 DATAPRO, Vol. 1, Data~ro Research Corporation, 1976. [9] E.W. Dijkstra, A Note on Two Problems in Connection with Graphs, Numerical Mathematics 1, 1959. [10] Philip Enslow, Non Technital Issues in Network Design of Economic, Legal, Social and other Considerations, Computer, Vol. 6, No. 8, August 1973, pp. 20-30. [ 11 ] Philip Enslow, Network Viability and Economic, Legal, and Social Considerations, Compcon, 1973, pp. 7-9. [12] H. Frank, .~inimum Line Traffic Routing, unpublished, 1970. [ 13] T.D. Friedmand, and Lance Hoffman, Execution Time Requirements for Encipherment Programs, Communications of ACM, Vol. 17, No 8, August 1974, pp. 445449. [14] W.J. Gordon and G.F. NewelS, Closed Queuing Systems with Exponential Servers, Opus. Res. 15, 1967, pp. 254-265. [15] F. Hall, Address before EDP Auditors Association, 1975.

B.P. Lientz, LR. Weiss / Trade-offs of secure processing [ 16] Bertran Herzog, Organizational Issues and the Computer Network Market, Compcon 73, 1973, pp. 11-13. [17] Lance J. Hoffman, The Formulary Model for Flexible Privacy and Access Control, Atomic Energy Paper. [18] IBM, Data Security and Data Processing, IBM Corporation, G320-1370-0, 1974. [191 J.R. Jackson, Jobshop-like Queuing Systems, Mgmt. Sci. I0, 1963, pp. 131-142. [20] L. Kleinrock, Communication Nets: Stochastic Message Flow and Delay, New York, McGraw-Hill, 1964. [21 ] L. Kleinroek, Analytic and Simulation Methods in Computer Network Design, Proc. SJCC, Atlantic City, New Jersey, 1970. [221 B.P. Lientz, Cost Trade-offs Between Local and Remote Computing, Computer Communications Networks (L. Grimsdale and F. Kuo, eds.) Leyden, The Netherlands: Nordhoff Publishing Co., 1975, pp. 469-479. [23] B.P. Lientz, Computer Network Usage-Cost Benefit Analysis, Information Systems and Networks (J. Sherrod, ed.), Westport, Conn.: Greenwood Press, 1975, pp. 117-134.

-i

J

43

[24] B.P. Lientz, J. Schenck, and I. Weiss, A Model for Analyzing Computer Networks, Technical report, 1976. [25] J.J. Martin, Security and Privacy in Computer Systems, Englewood Cliffs, New Jersey: Prentice-Hall, 1973. [26] OS/MVT with Resource Security: General Information and Planning Manual, IBM Corporation, Manual, 6H 20-1059-0, December 1971. [27] Don B. Parker, Report to the SRI Conference on Computer abuse, Stanford Research Institute, 1973. [28] E. Stefferad, David Grubstein, and Ronals Uhlig, Wholesale/Retail Specialization in Resource Sharing Networks, Computer, Vol. 6, No. fi, August 1973, pp. 3137. [29] R. Turn and N.Z. Shapiro, Privacy and Security in Data Base Systems, Rand Corporation Document, July 1972. [30] D. Van Tassel, Computer Security Mangement, Englewood Cliffs, New Jersey, Prentice-Hail, 1972. 131 ] C. Weissman, Trade-Off Considerations in Security System Design, System Development Corp., SP-3548, 1970.