Identity Access Management Series
Episode 3:
๐ฏ Syllabus
๐ Learn CIA Principles
๐ Importance of CIA principles
๐ Learn about Security concepts with examples
What is CIA?
C-Confidentiality
I-Integrity
A-Availability
These are the Key principles to guaranty the security of the system and data. It is applicable across the environment including Operating system, Application, Network etc.
Having a weak CIA principle leads to serious consequences for the data owners.
Confidentiality-
Preventing the unauthorized access to system/data and allowing only intended users for accessing the system/data.
Confidentiality can be compromised in several ways by direct attacks where the attacker will gain access to the system/data and trying to penetrate an application/database to take data from it. Example: Man-In-The-Middle attack (MITM) where the hacker put themselves in accessing the data/steal it or even try gaining more privileges from system to access many data.
Confidential data includes your Personal Information (PI), Sensitive Personal Information (SPI), Intellectual Property (IP) etc,
Controls to be in place to maintain the Confidentiality: Encryption, Separation Of Duties (SOD), Least Privilege, Role Based Access control etc.,
Integrity
Ability of ensuring the data is accurate and not changed from the original. Integrity if weak can be compromised intentionally by bypassing Intruder Detection System (IDS) and change the system/file configurations to allow unauthorized access to the system logs. It can also be violated/compromised due to inadequate control of security policies and procedures.
- Authenticity โ Assurance about the data received from authentic source
- Accuracy โ Stored information is accurate and not modified by unauthorized person
- Non-repudiation โ Non-denial from the sender/received that the data is sent/received by them
Availability
Ensuring the system/data is available to access/view whenever required by the intended users without any hindrance. It will be worthless to have a data which is confidential and maintained with integrity if its unavailable. Poor management of availability of information will lead to customer dissatisfaction or also credibility of the organisation. For example, if there is a natural calamity and data is not available, which means poor implementation of disaster recovery which is availability management.
Redundancy & Failover โ System need to be available always and failing one component should not have impact over system operation
Accessibility โ Seamless and uninterrupted access to system/data from users
Disaster Recovery- In case of any disaster need to recover the data seamlessly and restored as quickly as possible.
Important Information Security Concepts of Identity Access Management
Below are the few but not limited important security concepts
Principle of Least Privileges (POLP)โ Users should be given only the access/privileges need to complete an action on the system. Minimal information should be granted and only for the intended users. Ex: accountant can access only information related to accounts, sales person can only see sales info.etc
Separation Of Duty (SOD) โ Segregation or Separation of Duty means not to assign critical privileges to User to prevent from misusing the privilege. More than one user should be identified for any critical task/privilege and control need to be in place for the same. Also, the same user cannot be in authorizing the privilege he/she assigned with.
Ex: Admin in Windows should be assigned to only Admin users and not to only one user/ The same user cannot be a owner of approving the Admin privilege.
Role Base Access Control (RBAC): Though it is a single entity/principle, but it indirectly serves the purpose of Least privilege/SOD/Data abstraction. RBAC means access is given based on role of the user in an organisation and it is an effective access control method reducing the cyber security risk and protective sensitive data against the unintended users. Also, It is a simplified access control mechanism used to provision an user.
Ex: HR Role have access only to the HR application tools/ Payroll role has access only to the Payroll tool/application not to entire finance systems. Marketing role will have access to application used for marketing and analytics. etc