A book by Winn Schwartau
- The "Orange Book" introduces the reference monitor, or something that either accepts or denies every access request
- On a computer, an example may be a process requesting a file descriptor or network socket
- This kind of mandatory access control made sense for the military but not for the private sector
- Schwartau calls this an example of a Fortress Mentality, or "prevent everything"
- Vaults are not 100% secure. They can be broken into
- The purpose of a vault is not to secure something on its own
- It's to prevent the robbers from stealing what's inside before the police come
- Pt > Dt + Rt
- The amount of time offered by the prevention controls must exceed the amount of time it takes to detect and respond to the attack