Access control and Identity management:
Digital signature and PKI:
Authentication Protocols and Network Security:
- Matt Bishop, Computer Security: Art and Science;
- CISSP certification handbook, McGraw-Hill/Wiley;
- Pfleeger & Pfleeger: Security in Computing, 4th Edition, Prentice Hall;
Distributed systems are usually very complex; indeed there are many interconnected subsystems that may be critical.
The goal of a security policy is to locate critical resources and define access control rules (or criteria).
A security mechanism is made of a set of tools, methods and procedures to enforce a security policy.
Security is a term adopted in many different contexts with different meanings; it covers many concepts, such as access control, authentication, authorization, user profiling, access control sites, backup, and disaster recovery, but also dependability, availability, business continuity, etc.
A security administrator needs to define different security policies to meet security requirements.
Access Controls protect the systems and resources from unauthorized access.
Their goal is to determine the level of authorization after an authentication procedure has successfully completed.
There are many types of entities that require access to network entities and resources that are subject to access control. It is important to understand the definition of a subject and an object when working in the context of access control.
Access is the flow of information between a subject and an object.
A subject is an active entity that requests access to an object or the data within an object (users, programs, or processes that access an object to accomplish a task).
An object is a passive entity that contains information (computer, database, file, computer program, directory, or field contained in a table within a database).
The principles of availability, integrity, and confidentiality are a constant theme throughout a security course because every control that is used in computer and information security provides at least one of them.
It is critical that security professionals understand all of the possible ways that these principles can be provided and circumvented.
Most information needs to be accessible and available to users when it is requested so that they can carry out tasks and fulfill their responsibilities.
Accessing information does not seem that important until it is inaccessible. Administrators experience this when a file server goes offline or a highly used database is out of service for one reason or another.
Fault tolerance and recovery mechanisms are put into place to ensure the continuity of the availability of resources.
Information must be accurate, complete, and protected from unauthorized modification.
When a security mechanism provides integrity, it protects data, or a resource, from being altered in an unauthorized fashion.
If some type of illegitimate modification does occur, the security mechanism must alert the user in some way.
Example: a user sends a request to her online bank account to pay her $24.56 water utility bill. The bank needs to be sure that the integrity of that transaction was not altered during transmission, so the user does not end up paying the utility company $240.56 instead.
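The water-bill example above, as an added sketch that is not part of the original notes: an HMAC-SHA256 tag over the payment request lets the bank detect a changed amount and reject the transaction. The shared key, the field names and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): in practice it is provisioned out of
# band and known only to the user's client and the bank.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def canonical(request: dict) -> bytes:
    """Serialize with sorted keys so both sides compute the tag over identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request: dict, key: bytes = SHARED_KEY) -> dict:
    """Client side: attach an HMAC-SHA256 tag to the payment request."""
    tag = hmac.new(key, canonical(request), hashlib.sha256).hexdigest()
    return {"body": request, "tag": tag}


def verify_request(message: dict, key: bytes = SHARED_KEY) -> bool:
    """Bank side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, canonical(message["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message.get("tag", ""))


def process_payment(message: dict) -> str:
    """Pay only if the tag matches the body; otherwise reject and report."""
    if not verify_request(message):
        return "REJECTED: integrity check failed, user alerted"
    body = message["body"]
    return f"PAID {body['amount']} to {body['payee']}"


# Constructed sample: the $24.56 water bill from the text.
# The amount is a string so that both sides serialize it identically.
original = sign_request({"payee": "water-utility", "amount": "24.56"})

# Simulated alteration in transit: amount changed, tag left as sent.
tampered = {"body": dict(original["body"], amount="240.56"), "tag": original["tag"]}

if __name__ == "__main__":
    print(process_payment(original))
    print(process_payment(tampered))
```

The tag provides integrity only: the request body is still readable in transit, so confidentiality needs a separate mechanism such as encryption.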
Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes.
Some information is more sensitive than other information and requires a higher level of confidentiality.
Control mechanisms need to be in place to dictate who can access data and what the subject can do with it once they have accessed it. These activities need to be controlled, audited, and monitored.
Examples of information that could be considered confidential are health records, financial account information, criminal records, source code, trade secrets, and military tactical plans.
Some security mechanisms that provide confidentiality are: encryption, logical and physical access controls, transmission protocols, database views, and controlled traffic flow.
It is important for a company to identify the data to be classified, so that security efforts give top priority to protecting this information and keeping it confidential. If this information is not singled out, too much time and money can be spent on implementing the same level of security for critical and mundane information alike.
So, the first step in protecting data confidentiality is to identify which information is sensitive and to what degree, and then implement security mechanisms to protect it properly.
Different security mechanisms can supply different degrees of availability, integrity, and confidentiality. The environment, the classification of the data that is to be protected, and the security goals need to be evaluated to ensure that the proper security mechanisms are bought and put into place.
Many corporations have wasted a lot of time and money by not following these steps and instead buying the new products that recently hit the market.
11. Network security