In the previous blog
The CIA of Information Security, I have mentioned that the CIA triad is based heavily on the information point of view. When the information user, i.e. the client, is introduced into the world of information security, there should be some additional pillars.
Traditionally, the client-information interaction is known as 'data access control' or simply '
data access'. We will consider the data access
Definition,
Enforcement and
Criminalization one by one. (The first letter of these 3 areas are C.D.E.)
First of all, we have to DEFINE the data access. We use the term
Authorization to dictate this pillar of information security. Authorization is to specify a set of data access rules in very detail so as to allow/disallow a client to access to the information. How to specify the authority rules ? We use the traditional
5W1H method.
5W1H | Example |
Who is the client ? |
Who is he/she ?
Whose device ?
Whose host / system ? |
What to do ? |
grant / deny
select / insert / update / delete / permanently delete
read-only / write / alter / comment-only
search / re-index
upload / download / print / store / destroy
sign / confirm |
Which information ? |
Which category of information : sensitive / critical / confidential / internal / public
Which piece of information
Which kind of formatting and layout is required for that information |
Where to do so ? |
in the office
in the data centre
at home
in the entrance
in a particular location with CCTV |
When to do so ? |
during office hour only
24 hour around the clock
only in coming 24 hours
only in next 8 hours
only during a specific period of time |
How to do so ? |
in person alone
in person together with his/her supervisor
remotely using VPN or internet
remotely using a private network
through a mobile or particular device
through a mobile app
through a thick client application
through a thin client browser
through a pre-defined protocol
through a third party service provider |
As seen in the above table, such an authorization rule matrix nearly cover every aspect for a client to access the information.
Also seen in the above table, we need to do some more tasks on the information in order to setup the authorization rule matrix. First of all, we need to classify the information into categories. For many company, the classification is: Sensitive, Critical, Confidential, Internal and Public. Each company has to setup the classification according to the need and compliance to the local legal requirement. This is the traditional way to authorize access to various category of information.
However, with the introduction of IOT (Internet Of Thing), the information will be largely accessed by a system or device, instead of human being. In this case, simple information classification may not be enough. A more refined requirement may be needed. For example, it will be more easy to give each piece of information an unique identity. Then, the client system can clearly define to access which piece of information with the information identity. For another example, the barcode (identification) of a box of milk and the chocolate bar should not be the same, the intelligent refrigerator can then take the stock correctly. Furthermore, the information may need to be accessed with some pre-defined layout and formatting, e.g. how many digits and whether having leading zero. Therefore, there should be an document named information dictionary to denote all these concerns. So, these information
Classification, information
Identification and information
Dictionary forms another pillar, the
C.I.D.
Looking at the authorization rules, there is a very important pillar throughout the rules: authentication.
Authentication is to prove that someone/something is true, not a fake.
For example, how to verify the login user is really that client specified in the authorization rule. Nowadays, we use 2-factor authentication or multi-factor authentication to do so. When the client is a host or a system, how to ensure the client system is not a fake? Today, maybe a digital certificate can do. However, could we trust the certificate? In 2017, Google announced to distrust Symantec CA Brand SSL certificates issued before 2016Jun01. In the near future, it is foreseeable that blockchain technology will help a lot in this topic.
In some circumstances the information itself may need to be authenticated. How to prevent getting a fake document? Accessing/getting a fake information or document is meaningless in the authorization. There are numerous criminal cases related to fake/fraudulent will documents already. The will documents related to Nina Wang is a well known story in Hong Kong. How to verify the document, file or software update are the official true copy issued by a company or authority? In this case, digital certificate or public/private key can help. Again, blockchain should be the next tool.
How to authenticate the location? Can we trust the GPS reported by our mobile application ? There are numerous fake-GPS applications in the mobile store. Also, many GPS application cannot determine the current height above the sea level. So, it is difficult to identify you are working in the 3rd floor or the 40th floor of that building by simply using GPS.
Could we authenticate the actual time of access? It is easy to modify the system clock in mobile and PC. Network time protocol and blockchain may help in this area, I think.
Also, we have to use many hardware/software tools to perform the data access. Will these tools introduce security risk? Sometimes we have to rely on third party service provider such as VPN or video conferencing. Sometimes we outsource our operation to third party service provider. Will these third party service provider introduce security risk? Recently the USA government has officially banned the use of the US-based Zoom app. To address this issue, there comes another pillar: the
security Risk Assessment for the Services, Tools and Systems, abbreviated
R.A.S.T.S.
So far, 4 pillars: Authorization, CID, Authentication and RASTS are introduced. They all related to the DEFINITION of data access. If everyone access the information according to the authorization rule, everything work fine. However, rules are made to be broken. What should be done for those illegal access? Please refer to the blog
Information Security Enforcement and Criminalization.
Alvin SIU
2020-06-17
Copyright/Licence Information:
All information and coding in this article is offered at no charge for NON-COMMERCIAL PERSONAL USE only.
This blog and the coding is copyright.
Reproduction of this blog and its coding in whole or in part in paper or digitally or in any other forms without the explicit written permission of the author is strictly prohibited. |
Disclaimer:
All information in this article is distributed "as is" and is UNSUPPORTED.
NO WARRANTY of any kind is expressed or implied.
You use AT YOUR OWN RISK.
The author will not be liable for any data loss, damages, and loss of profits or any other kind of tangible or intangible loss while using or misusing wholly or partly of the information. |