Course Organization – Part 1
Security definitions:
- Overview of system security
- Policy/mechanism separation
Access control and Identity management:
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role Based Access Control (RBAC)
- Identity management
- Policy and XML languages for policy definition
Course Organization – Part 2
Basic cryptography:
- Fundamentals of cryptography
- Encryption and privacy
- Symmetric cryptosystems
- Asymmetric cryptosystems
Course Organization – Part 3
Digital signature and PKI:
- General architecture of a Public Key Infrastructure
- Digital Signature
- Directory services
- Certification paths
- Cross Certification
- Certificate policies and CPS
Course Organization – Part 4
Authentication Protocols and Network Security:
- Authentication, integrity, confidentiality, non repudiation
- Authentication and authorization protocols
- Network security
- Intrusion detection systems
- Firewalling and Packet filtering
- Design of Secure sites
Practice and Home works
Practice:
- Java Authentication and Authorization Security (JAAS);
- XACML;
References
- Books:
- Matt Bishop, Computer Security Art and Science;
- CISSP certification handobook, McGrawHill/Wiley;
- Pfleeger &Pfleeger: Security in Computing, 4th Edition, Prentice Hall;
- Standard References;
- Operative Manuals;
System Security
Distributed systems are usually very complex; indeed there are many interconnected subsystems that may be critical.
The goal of a security policy is to locate critical resources and define access control rules (or criteria).
A security mechanism is made of a set of tools, methods and procedures to enforce a security policy.
Security
Security is a term adopted in many different contexts with different meanings; it encloses many concepts such as: access control, authentication, authorization, user profiling, access control sites, back up, disaster recovery but also dependability, availability, business continuity, etc…..
A security administrator needs to define different security policies to meet security requirements.
Security Requirements
Access Control Overview
Access Controls protect the systems and resources from unauthorized access.
Its goal is to determine the level of authorization after an authentication procedure has successfully completed.
There are many types of entities that require access to network entities and resources that are subject to access control. It is important to understand the definition of a subject and an object when working in the context of access control.
Access Control: some definitions
Access is the flow of information between a subject and an object.
A subject is an active entity that requests access to an object or the data within an object (users, programs or process that accesses an object to accomplish a task).
An object is a passive entity that contains information (computer, database, file, computer program, directory, or field contained in a table within a database).
Access Control: security principles
- Access controls give organizations the ability to control, restrict, monitor, and protect resources.
- The three main security principles for any type of security control are:
- Availability
- Integrity
- Confidentiality
Access Control: security principles (continued)
These principles are a constant theme throughout a security course because every control that is used in computer and information security provides at least one of these security principles.
It is critical that security professionals understand all of the possible ways that these principles can be provided and circumvented.
Availability
Most information needs to be accessible and available to users when it is requested so that they can carry out tasks and fulfill their responsibilities.
Accessing information does not seem that important until it is inaccessible. Administrators experience this when a file server goes offline or a highly used database is out of service for one reason or another.
Fault tolerance and recovery mechanisms are put into place to ensure the continuity of the availability of resources.
Integrity
Information must be accurate, complete, and protected from unauthorized modification.
When a security mechanism provides integrity, it protects data, or a resource, from being altered in an unauthorized fashion.
If some type of illegitimate modification does occur, the security mechanism must alert the user in some way.
Example: a user sends a request to her online bank account to pay her $24.56 water utility bill. The bank needs to be sure that the integrity of that transaction was not altered during transmission, so the user does not end up paying the utility company $240.56 instead.
Confidentiality
Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes.
Some information is more sensitive than other information and requires a higher level of confidentiality.
Control mechanisms need to be in place to dictate who can access data and what the subject can do with it once they have accessed it. These activities need to be controlled, audited, and monitored.
Examples of information that could be considered confidential are health records, financial account information, criminal records, source code, trade secrets, and military tactical plans.
Some security mechanisms that provide confidentiality are: encryption, logical and physical access controls, transmission protocols, database views, and controlled traffic flow.
Confidentiality (continued)
It is important for a company to identify the data to be classified, so that the company can ensure that a top priority of security protects this information and keeps it confidential. If this information is not singled out, too much time and money can be spent on implementing the same level of security for critical and mundane information alike.
So, the first step in protecting data confidentiality is to identify which information is sensitive and to what degree, and then implement security mechanisms to protect it properly.
Confidentiality (continued)
Different security mechanisms can supply different degrees of availability, integrity, and confidentiality. The environment, the classification of the data that is to be protected, and the security goals need to be evaluated to ensure that the proper security mechanisms are bought and put into place.
Many corporations have wasted a lot of time and money not following these steps and instead buying the new products that recently hit the market.
Le lezioni del Corso
1. Course Introduction: Security basic concepts
2. Access Control models: Authentication and authorization mechanisms
6. Role Based Access Control standard (v3)
7. XACML: extensible Access Control Markup Language
8. Authentication Protocols in distributed system
10. Java Authentication and Authorization Service (JAAS)
11. Network security
12. Network security, security protocols: PGP, SSL
