Lecture 2 "UNIT 4"

LECTURE 2

CIA Triad

The first tenet of the information security triad is confidentiality.

In the context of information security, confidentiality means that information that should stay secret stays secret and only those persons authorized to access it may receive access.

Main mechanisms of protection of confidentiality in information systems are cryptography and access controls. Examples of threats to confidentiality are malware, intruders, social engineering, insecure networks, and poorly administered systems.

The second tenet of the information security triad is integrity.

Integrity is defined by ISO-17799 as “the action of safeguarding the accuracy and completeness of information and processing methods.” This can be interpreted to mean that when a user requests any type of information from the system, the information will be correct.

Integrity protection mechanisms may be grouped into two broad types: preventive mechanisms, such as access controls that prevent unauthorized modification of information, and detective mechanisms, which are intended to detect unauthorized modifications when preventive mechanisms have failed. Controls that protect integrity include principles of least privilege, separation, and rotation of duties.

The last tenet of the information security triad is availability.

Once again, ISO-17799 defines availability as ensuring that authorized users have access to information and associated assets when required. This means that when a user needs a file or system, the file or system is there to be accessed. This seems simple enough, but there are so many factors working against your system availability. You have hardware failures, natural disasters, malicious users, and outside attackers all fighting to remove the availability from your systems. Some common mechanisms to fight against this downtime include fault-tolerant systems, load balancing, and system failover. 

CLOUD SECURITY SERVICES

Now that the cornerstone concepts of confidentiality, integrity, and availability have been discussed, let’s take a look at authentication, authorization, accountability, processes and methods, which are some of the main controls aimed at protecting the C-I-A triad.

Authentication

Authentication is the testing or reconciliation of evidence of a user’s identity. It establishes the user’s identity and ensures that users are who they claim to be. For example, a user presents an identity (user ID) to a computer login screen and then has to provide a password. The computer system authenticates the user by verifying that the password corresponds to the individual presenting the ID.  

Authentication, which happens just after identification and before authorization, verifies the authenticity of the identity declared at the identification stage. 

The three methods of authentication are what you know, what you have, or what you are.

What you know authentication is the most commonly used authentication method thanks to its low cost and easy implementation in information systems. However, what you know authentication alone may not be considered strong authentication and is not adequate for systems requiring high security.

What You Have Perhaps the most widely used and familiar what you have authentication methods are keys—keys we use to lock and unlock doors, cars, and drawers; just as with doors, what you have authentication in information systems implies that if you possess some kind of token, such as a smart card or a USB token, you are the individual you are claiming to be. Of course, the same risks that apply to keys also apply to smart cards and USB tokens—they may be stolen, lost, or damaged. What you have authentication methods include an additional inherent per-user cost. Compare these methods with passwords: it costs nothing to issue a new password, whereas per-user what you have authentication costs may be considerable.

What You Are What you are authentication refers to biometric authentication methods. A biometric is a physiological or behavioral characteristic of a human being that can distinguish one person from another and that theoretically can be used for identification or verification of identity. Biometric authentication methods include fingerprint, iris, and retina recognition, as well as voice and signature recognition, to name a few. Biometric authentication methods are less well understood than the other two methods but when used correctly, in addition to what you have or what you know authentication, may significantly contribute to strength of authentication. Nevertheless, biometrics is a complex subject and is much more cumbersome to deploy than what you know or what you have authentication. Unlike what you know or what you have authentication methods, whether or not you know the password or have the token, biometric authentication systems say how much you are like the subject you are claiming to be; naturally this method requires much more installation-dependent tuning and configuration.

Authorization

Authorization refers to rights and privileges granted to an individual or process that enable access to computer resources and information assets.

After declaring identity at the identification stage and proving it at the authentication stage, users are assigned a set of authorizations (also referred to as rights, privileges, or permissions) that define what they can do on the system. These authorizations are most commonly defined by the system’s security policy and are set by the security or system administrator. These privileges may range from the extremes of “permit nothing” to “permit everything” and include anything in between.

Accountability

Accountability is the ability to determine the actions and behaviors of a single individual within a cloud system and to identify that particular individual. Audit trails and logs support accountability and can be used to conduct postmortem studies in order to analyze historical events and the individuals or processes associated with those events. Accountability is related to the concept of non repudiation, wherein an individual cannot successfully deny the performance of an action.

A system may not be considered secure if it does not provide accountability, because it would be impossible to ascertain who is responsible and what did or did not happen on the system without that safeguard. Accountability in the context of information systems is mainly provided by logs and the audit trail.