Digital transformation through effective cybersecurity

Security Concepts

Security is...

... not a product; it's a process

... a journey, not a destination

... not an end but a means

... only as strong as its weakest link

... a "tax" on the honest (but doesn't have to be)

... about preventing adverse consequences from the intentional and unwarranted actions of others

...like the brakes on an automobile.
It allows you to go faster.

Definitions

  • Attacker (non-pejorative and value-neutral) - Performs intentional and unwarranted actions
  • Attacks - Intentional unwarranted actions
  • Assets - Objects of attack
  • Countermeasures - Individual, discrete and independent security components

Universal Truisms

  • Security decisions need to be made as close to the problem as possible
  • Security analysis needs to happen as far away from the individual sources as possible, where the whole picture is visible
  • The implication of these two truisms is that security works better when it is centrally coordinated yet implemented in a distributed manner

A chain with the middle link breaking

The Security "Chain"

  • End-to-End
    • Security depends on a true end-to-end (system) solution
  • Process
    • Security is a process that involves all aspects and security measures in place, not any single element
  • Design
    • Security cannot be “patched” or added on; it must be designed directly into the system
  • Strong, effectively unbreakable cryptographic algorithms are easily available
  • Attackers don’t attack the algorithm; they attack the:
    • Infrastructure
    • Implementation
    • Users
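
The "attack the implementation, not the algorithm" point, as an added example that is not part of the original page: SHA-256 is left intact, but using it unkeyed as an integrity check lets an attacker who can rewrite a message in transit simply recompute the tag. Keying the same hash function (HMAC-SHA256) closes that hole. The message, key and the attacker model are constructed assumptions for the example.

```python
"""Strong algorithm, weak implementation: an unkeyed hash used as an integrity tag.

Added example, not the page's own code. The hash function is not attacked;
the way it is used is. Message and key below are constructed sample values.
"""
import hashlib
import hmac
import os

# Constructed sample values (assumptions for the example).
ORIGINAL = b"transfer 100 to alice"
TAMPERED = b"transfer 100 to mallory"
KEY = os.urandom(32)  # shared secret known only to sender and receiver


def weak_tag(message: bytes) -> bytes:
    """Unkeyed 'integrity' tag. Anyone can compute this, including the attacker."""
    return hashlib.sha256(message).digest()


def strong_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the same hash function, but bound to a secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def weak_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(weak_tag(message), tag)


def strong_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the tag through comparison timing;
    # comparing with == would be another implementation flaw around a
    # perfectly good algorithm.
    return hmac.compare_digest(strong_tag(key, message), tag)


def attacker_forges_weak(message: bytes) -> tuple:
    """Attacker model: can read and rewrite message and tag in transit.
    With no key involved, nothing stops them recomputing the tag."""
    return message, weak_tag(message)


def attacker_forges_strong(message: bytes, observed_tag: bytes) -> tuple:
    """Same attacker against HMAC: without the key, the best they can do is
    replay the tag they saw, which will not match the modified message."""
    return message, observed_tag


def demo() -> dict:
    """Run both schemes through the same tampering attack and report outcomes."""
    weak_t = weak_tag(ORIGINAL)
    strong_t = strong_tag(KEY, ORIGINAL)

    forged_weak_msg, forged_weak_tag = attacker_forges_weak(TAMPERED)
    forged_strong_msg, forged_strong_tag = attacker_forges_strong(TAMPERED, strong_t)

    return {
        "weak_accepts_original": weak_verify(ORIGINAL, weak_t),
        "weak_accepts_forgery": weak_verify(forged_weak_msg, forged_weak_tag),          # attack succeeds
        "strong_accepts_original": strong_verify(KEY, ORIGINAL, strong_t),
        "strong_accepts_forgery": strong_verify(KEY, forged_strong_msg, forged_strong_tag),  # attack fails
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The only difference between the two schemes is whether a secret enters the computation; the "unbreakable" primitive is identical in both.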

Security Objectives

Confidentiality / Privacy

  • Ensures that sensitive and private data is disclosed only to those entitled to see it (typically through encryption and access control)

Integrity

  • Ensures that the data has not been altered or manipulated without detection

Non-repudiation

  • Ensures that data or a transaction cannot be “disowned”: the originator cannot later deny having sent it or performed it

Availability

  • Ensures that authorized users have access to data when required
  • Provides adequate redundancy so the system performs at scale without degrading the user experience

Authentication

  • Verification of users' claimed identities

Authorization

  • Determination of whether an authenticated user is permitted to carry out a particular action

Audit

  • Logging of authentication and authorization actions
  • Ability to review and analyze logs to uncover suspicious activities, failures, etc.

Administration

  • Can centrally enroll users and define policies
  • Controls authentication and authorization for particular users or applications
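
Authentication, authorization and audit as three separate decisions, as an added example that is not part of the original page. It assumes a tiny in-memory user store (salted PBKDF2 password hashes), a role-to-permission policy, and an in-memory audit log that records successes and failures of both the authentication and the authorization step; the user names, passwords, roles and actions are constructed for the example. The audit-review helper at the end goes slightly beyond the page's definitions by showing the kind of query a reviewer runs over the log.

```python
"""Authentication (who are you), authorization (what may you do) and audit
(what was decided) as distinct steps.

Added example, not the page's own code. User store, policy and audit log are
in-memory stand-ins constructed for the example.
"""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption: kept modest for the example; raise in production


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(name: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, _hash_password(password, salt))


# Constructed sample data.
USERS = {u.name: u for u in (make_user("alice", "admin", "correct horse battery staple"),
                              make_user("bob", "reader", "hunter2"))}

# Constructed authorization policy: role -> permitted actions.
POLICY = {
    "admin": {"read_report", "delete_report"},
    "reader": {"read_report"},
}

AUDIT_LOG: list = []  # entries: {"event", "user", "outcome", optional "action"}


def _audit(event: str, user: str, outcome: str, action: Optional[str] = None) -> None:
    entry = {"event": event, "user": user, "outcome": outcome}
    if action is not None:
        entry["action"] = action
    AUDIT_LOG.append(entry)


def authenticate(name: str, password: str) -> bool:
    """Verify the claimed identity. Failures are logged as well: they are the
    signal a reviewer needs in order to notice guessing attacks."""
    user = USERS.get(name)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users
        _audit("authn", name, "fail")
        return False
    ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
    _audit("authn", name, "ok" if ok else "fail")
    return ok


def authorize(name: str, action: str) -> bool:
    """Decide whether an already-authenticated user may perform an action."""
    user = USERS.get(name)
    allowed = user is not None and action in POLICY.get(user.role, set())
    _audit("authz", name, "ok" if allowed else "deny", action)
    return allowed


def perform(name: str, password: str, action: str) -> bool:
    """Authentication first, authorization second; both decisions are audited."""
    return authenticate(name, password) and authorize(name, action)


def suspicious_users(log: list, threshold: int = 3) -> list:
    """Audit review: users with at least `threshold` failed logins or denied actions."""
    failures = Counter(e["user"] for e in log if e["outcome"] in ("fail", "deny"))
    return sorted(u for u, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    perform("alice", "correct horse battery staple", "delete_report")
    perform("bob", "hunter2", "delete_report")
    for _ in range(3):
        perform("mallory", "guess", "read_report")
    print("suspicious:", suspicious_users(AUDIT_LOG))
```

Note that a user who authenticates correctly can still be denied by authorization (bob reading is fine, bob deleting is not), and that the audit trail keeps both the identity decision and the permission decision so the two can be reviewed independently.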

Intecur, Inc. Copyright © 2020 All Rights Reserved.