In operating systems architecture, the reference monitor concept defines a set of design requirements for a reference validation mechanism, which enforces an access control policy over the ability of subjects (e.g., processes and users) to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. The reference monitor is the controlling element in the hardware and OS of a computer that regulates access of subjects to objects on the basis of security parameters of the subject and object (Stallings, 2014). It is the governor that ensures the system's access controls are adhered to. If implemented correctly, it cannot be bypassed by attackers, its completeness can be verified, it is always invoked, and it is tamper-proof.
The graphic below is taken from the original reference monitor concept developed by John Anderson in 1972.
Reference Monitor Applied
A hypothetical company, Fleming Financial, offers a cloud-based financial applications system that supports budgeting, planning, forecasting, dashboards, modeling, analysis and collaboration, and can be used for budgeting and forecasting, sales and operational planning, and other analytical purposes. An administrator provisions end users by creating a new account name and temporary password. All access is done via the Internet. An object-oriented security model is used to create profiles that grant read, write and execute access to different functions, as well as access to data.
The overall system does map directly to the reference monitor concept. However, since it is built with a flexible security model in mind, there are challenges with respect to the goal of information protection. Namely, since the point of entry is a web page or portal, the reference monitor can be bypassed if a bad actor were able to compromise the web server. Further, if administrative privileges were obtained fraudulently, a bad actor could provision access to unauthorized objects.
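The following is an added example (not code from the original text, and not Fleming Financial's own system) that models the reference monitor concept from the first section as applied to the profile-based scenario above: every read, write and provisioning operation passes through one validation point, the policy is read-only once the monitor is built, every decision is recorded in an audit trail, and an administrator can only assign profiles the policy already defines. The user names, profile names, object names and data values are constructed for illustration.

```python
"""Minimal reference monitor modelled on the Fleming Financial scenario.

Added example for this page, not code from the original text. Users,
profiles, object names and data values are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Flag, auto
from types import MappingProxyType


class Right(Flag):
    """Operations a subject may perform on an object."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class Subject:
    """A user; the profile is the only attribute the policy consults."""
    name: str
    profile: str


class ReferenceMonitor:
    """Single chokepoint: every operation on an object is validated here.

    The policy maps profile -> object -> granted rights. It is wrapped in
    read-only proxies so code holding the monitor cannot alter it (tamper
    resistance), and every decision is appended to an audit trail.
    """

    def __init__(self, policy):
        self._policy = MappingProxyType(
            {prof: MappingProxyType(dict(objs)) for prof, objs in policy.items()}
        )
        self.audit = []

    def check(self, subject, operation, obj):
        granted = self._policy.get(subject.profile, {}).get(obj, Right(0))
        allowed = operation in granted
        self.audit.append((subject.name, operation.name, obj, allowed))
        return allowed

    def known_profile(self, profile):
        return profile in self._policy


class FinancialApp:
    """Application functions; none touches data without asking the monitor."""

    def __init__(self, monitor, data):
        self.rm = monitor
        self.data = dict(data)
        self.accounts = {}

    def _require(self, subject, operation, obj):
        if not self.rm.check(subject, operation, obj):
            raise PermissionError(f"{subject.name} may not {operation.name} {obj}")

    def read(self, subject, obj):
        self._require(subject, Right.READ, obj)
        return self.data[obj]

    def write(self, subject, obj, value):
        self._require(subject, Right.WRITE, obj)
        self.data[obj] = value

    def provision_user(self, admin, new_name, profile):
        # Provisioning is itself a mediated EXECUTE on the 'provisioning'
        # object, and only profiles the policy already defines can be assigned.
        self._require(admin, Right.EXECUTE, "provisioning")
        if not self.rm.known_profile(profile):
            raise ValueError(f"unknown profile {profile!r}")
        account = Subject(new_name, profile)
        self.accounts[new_name] = account
        return account


# Constructed policy: analysts edit the budget model but only read forecasts;
# auditors read both; administrators provision but hold no data rights.
POLICY = {
    "analyst": {"budget_model": Right.READ | Right.WRITE, "forecast": Right.READ},
    "auditor": {"budget_model": Right.READ, "forecast": Right.READ},
    "administrator": {"provisioning": Right.EXECUTE},
}


def demo():
    """Run the scenario and return the outcome of each access attempt."""
    app = FinancialApp(ReferenceMonitor(POLICY), {"budget_model": 100, "forecast": 120})
    admin = Subject("alice", "administrator")
    analyst = app.provision_user(admin, "bob", "analyst")
    results = {"analyst_read": app.read(analyst, "budget_model")}
    app.write(analyst, "budget_model", 110)
    results["analyst_after_write"] = app.read(analyst, "budget_model")
    for key, action in (
        ("analyst_write_forecast", lambda: app.write(analyst, "forecast", 0)),
        ("admin_read", lambda: app.read(admin, "budget_model")),
        ("bogus_profile", lambda: app.provision_user(admin, "mallory", "superuser")),
    ):
        try:
            action()
            results[key] = "allowed"
        except (PermissionError, ValueError):
            results[key] = "denied"
    results["denied_in_audit"] = sum(1 for *_, ok in app.rm.audit if not ok)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the structure is that `FinancialApp` has no code path to the data that skips `ReferenceMonitor.check`; the weaknesses noted above (a compromised web server reaching the data store directly, or an attacker with administrative rights) are exactly the cases where something outside this chokepoint gets to act, which is why the web tier and the provisioning function must themselves be treated as mediated subjects rather than trusted callers.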