Wednesday, June 17, 2020

The Hydra of Information Security

In the previous blogs "The CIA of Information Security", "The CDE of Information Security" and "Information Security Enforcement and Criminalization", 10 pillars of information security were introduced. Here is a summary of all the pillars:

Area                                                      | Abbr. | Pillar                                                      | #
----------------------------------------------------------+-------+-------------------------------------------------------------+---
Information                                               | C     | Confidentiality                                             | 1
                                                          | I     | data Integrity                                              | 2
                                                          | A     | Availability                                                | 3
Client-Information Interaction (Data Access): Definition  | A     | Authorization                                               | 4
                                                          | CID   | information Classification / Identification / Dictionary    | 5
                                                          | A     | Authentication                                              | 6
                                                          | RASTS | security Risk Assessment for the Services, Tools & Systems  | 7
Client-Information Interaction: Enforcement               | A     | Auditability                                                | 8
Client-Information Interaction: Criminalization           | A     | Accountability                                              | 9
                                                          | NR    | Non-repudiation                                             | 10

Here is a brief description of each pillar:

1. Confidentiality: Only authorized clients are allowed to access the information; unauthorized access is prevented.
2. Data Integrity: Ensure the accuracy and completeness of the data.
3. Availability: Guarantee that the information is accessible to the authorized client at any time.
4. Authorization: Define a set of data access rules with 5W1H details:
  1. Who is the client/person? Whose device/host/system?
  2. What action is to be done? (e.g. read, update, print, sign, confirm)
  3. Which category of data? Which piece of data (with an ID), in the predefined format or layout specified in the data dictionary?
  4. Where is the data access to be done?
  5. When is it to be done?
  6. How is it to be done? (e.g. in person or remotely; using which tool or service provider)
5. CID: Classify the information into categories. Identify each piece of data, with pre-defined formatting and layout specified in the data dictionary.
6. Authentication: Prove the true identity (not a fake) of the person, device, host, system and location. Prove the real time of the data access activity.
7. RASTS: Perform a security risk assessment of the services, hardware/software tools and systems used during the data access activities.
8. Auditability: Allow an auditor to examine all data access activities and check for authorized or illegal activities.
9. Accountability: Ensure that a person is accountable or responsible for the data access activities.
10. Non-repudiation: Ensure that the accountable person cannot deny his/her activities.


To make them easy to remember, I would like to call these 10 pillars the Hydra of information security. The Hydra is a multi-headed (usually nine-headed) serpentine water monster in Greek and Roman mythology. Although there are presently 10 pillars, additional pillars may be needed in information security later, just like the heads of the Hydra.


Alvin SIU
2020-06-17

Copyright/Licence Information:
All information and coding in this article is offered at no charge for NON-COMMERCIAL PERSONAL USE only.
This blog and the coding is copyright.
Reproduction of this blog and its coding in whole or in part in paper or digitally or in any other forms without the explicit written permission of the author is strictly prohibited.

Disclaimer:
All information in this article is distributed "as is" and is UNSUPPORTED.
NO WARRANTY of any kind is expressed or implied.
You use AT YOUR OWN RISK.
The author will not be liable for any data loss, damages, and loss of profits or any other kind of tangible or intangible loss while using or misusing wholly or partly of the information.



Information Security Enforcement and Criminalization

In the previous blog The CDE of Information Security, the pillars concerning the definition of the information access rules were introduced. In this blog, I will talk about illegal access, i.e. how to tackle the situation when some client breaks the rules.

First of all, how do we enforce information security? We have to find out which clients observe the authorization rules and which break them. This introduces another information security pillar: auditability. Auditability refers to the ability of an auditor to examine all information access activity.

For auditability, the audit log is one of the most important tools. Will the system log all information access activities? Will it record the activities in a timely manner? Is the logging complete? Will it record the time and location of access? Is the audit log itself secured? How do we ensure the confidentiality and integrity of the audit log? Can the audit log be altered deliberately?
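One way to answer the last two questions, as an added example that is not part of the original post: an append-only audit log whose entries are chained by hashes, so that deliberate alteration or deletion of an earlier entry is detectable. The entries, accounts and timestamps are constructed, and it is assumed that the logging system stamps its own trusted time rather than trusting the client's clock.

```python
import hashlib
import json

# Hash-chained audit log (constructed example): every entry records
# who / action / which data / where / when, and carries the hash of the
# previous entry, so any change to an earlier entry breaks the chain.
GENESIS = "0" * 64  # the hash the first entry chains to

def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # hashes identically regardless of field order.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_entry(log: list, who: str, action: str, data_id: str,
                 where: str, when: str) -> dict:
    # `when` is assumed to be stamped by the logging system's trusted clock.
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"who": who, "action": action, "data_id": data_id,
              "where": where, "when": when}
    entry = {"record": record, "prev": prev_hash,
             "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry

def verify_chain(log: list) -> int:
    # Returns -1 if the whole log is consistent, otherwise the index of the
    # first entry whose link or content no longer matches. Note: cutting
    # entries off the tail is only caught if the latest hash is also stored
    # somewhere the log writer cannot reach (e.g. sent to a separate system).
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != expected_prev:
            return i
        if _digest(entry["prev"], entry["record"]) != entry["hash"]:
            return i
        expected_prev = entry["hash"]
    return -1

def build_sample_log() -> list:
    # Constructed activity: two office accesses and one late-night download.
    log = []
    append_entry(log, "clerk01", "read", "0000123", "office", "2020-06-17T10:02:00Z")
    append_entry(log, "clerk01", "print", "0000123", "office", "2020-06-17T10:05:00Z")
    append_entry(log, "clerk01", "download", "0000123", "home", "2020-06-17T23:40:00Z")
    return log

def tamper_and_check() -> int:
    # Someone rewrites the late-night entry to look like an office access;
    # its stored hash no longer matches, so verify_chain reports index 2.
    log = build_sample_log()
    log[2]["record"]["where"] = "office"
    return verify_chain(log)
```

The chain gives the auditor tamper evidence, not proof of who wrote an entry; binding an entry to an accountable person still needs the authentication measures discussed under non-repudiation.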

When we find some seemingly illegal access in the audit log, who is the suspect? This introduces another information security pillar: accountability. Accountability ensures that there is a person accountable or responsible for those activities. For example, when the audit log discloses some unauthorized access done by an account, who is the person responsible for these activities? When all the colleagues of a department share one account, we cannot identify who the real suspect(s) for that illegal access activity is/are. In countries/regions using common law, the suspect enjoys the benefit of the doubt in this scenario. Therefore, the suspect is unlikely to be sentenced.

Moreover, when the illegal access is performed by a device, host or system, who should be accountable?

When CCTV recordings serve as the audit record, can we identify the person in the video beyond doubt? If not, no one is accountable even though there is a video recording of the illegal activity.

Auditability provides evidence of illegal access. Accountability provides a suspect. Everything seems ready for the criminalization of the suspect. In many countries/regions using common law, besides evidence, a witness is also required. However, in the cyber world, such a witness may NEVER exist. The suspect can afterwards deny everything he/she did. For this case, we introduce another pillar of information security: non-repudiation. Non-repudiation is the assurance that someone cannot deny something.

Non-repudiation has a very close relationship with the other pillars. For example, when the suspect denies performing an illegal access activity, the audit log can show which account performed it and accountability can relate the account to the suspect. When the suspect claims that the information received was empty, the integrity measures can prove that it was not. When the suspect claims that the illegal activity was done by someone else, two-factor authentication and digital certificates issued by a trusted third party (e.g. a certificate authority) can address this authentication issue. In short, all these techniques help in the non-repudiation area.

In short, we use the pillars Auditability, Accountability and Non-repudiation to provide enforcement and criminalization for data access.

So far, 10 pillars have been introduced. A summary will be given in the next blog, The Hydra of Information Security.


Alvin SIU
2020-06-17


The CDE of Information Security

In the previous blog The CIA of Information Security, I mentioned that the CIA triad is based heavily on the information point of view. When the information user, i.e. the client, is introduced into the world of information security, some additional pillars are needed.

Traditionally, the client-information interaction is known as 'data access control' or simply 'data access'. We will consider data access Definition, Enforcement and Criminalization one by one. (The first letters of these 3 areas are C, D and E.)

First of all, we have to DEFINE the data access. We use the term Authorization to denote this pillar of information security. Authorization is the specification of a set of data access rules, in great detail, that allow or disallow a client to access the information. How do we specify the authorization rules? We use the traditional 5W1H method.

5W1H                 | Example
---------------------+-------------------------------------------------------------------------------------
Who is the client?   | Who is he/she?
                     | Whose device?
                     | Whose host / system?
What to do?          | grant / deny
                     | select / insert / update / delete / permanently delete
                     | read-only / write / alter / comment-only
                     | search / re-index
                     | upload / download / print / store / destroy
                     | sign / confirm
Which information?   | Which category of information: sensitive / critical / confidential / internal / public
                     | Which piece of information
                     | Which kind of formatting and layout is required for that information
Where to do so?      | in the office
                     | in the data centre
                     | at home
                     | at the entrance
                     | in a particular location with CCTV
When to do so?       | during office hours only
                     | 24 hours around the clock
                     | only in the coming 24 hours
                     | only in the next 8 hours
                     | only during a specific period of time
How to do so?        | in person alone
                     | in person together with his/her supervisor
                     | remotely using VPN or the internet
                     | remotely using a private network
                     | through a mobile or particular device
                     | through a mobile app
                     | through a thick client application
                     | through a thin client browser
                     | through a pre-defined protocol
                     | through a third party service provider

As seen in the above table, such an authorization rule matrix covers nearly every aspect of a client accessing the information.

Also seen in the above table, we need to do some more work on the information itself in order to set up the authorization rule matrix. First of all, we need to classify the information into categories. For many companies, the classification is: Sensitive, Critical, Confidential, Internal and Public. Each company has to set up its classification according to its needs and in compliance with local legal requirements. This is the traditional way to authorize access to the various categories of information.

However, with the introduction of IoT (Internet of Things), information will largely be accessed by systems or devices instead of human beings. In this case, simple information classification may not be enough; a more refined requirement may be needed. For example, it is easier to give each piece of information a unique identity; the client system can then clearly define which piece of information it accesses by that identity. As another example, the barcode (identification) of a box of milk and of a chocolate bar should not be the same, so that an intelligent refrigerator can take stock correctly. Furthermore, the information may need to be accessed in a pre-defined layout and format, e.g. how many digits and whether there are leading zeros. Therefore, there should be a document named the information dictionary that records all these concerns. Together, information Classification, information Identification and information Dictionary form another pillar, C.I.D.
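The 5W1H rule matrix above, together with the information dictionary just described, as an added example that is not part of the original post. It evaluates an access request against a default-deny rule set in which each rule fixes all six dimensions (who, what, which, where, when, how) and the data's category is resolved through the dictionary; the rule layout, the 7-digit zero-padded identity format and the sample accounts are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed information dictionary (the blog's C.I.D.): each piece of
# information has an identity, a classification category and a required
# format; here the identity is a 7-digit string with leading zeros kept.
ID_DIGITS = 7
INFO_DICTIONARY = {
    "0000123": {"category": "confidential", "desc": "payroll record"},
    "0000456": {"category": "public", "desc": "cafeteria menu"},
}

def lookup_category(data_id: str) -> str | None:
    # A malformed id (wrong width, dropped leading zeros) or an id missing
    # from the dictionary resolves to None, so it can never be authorized.
    if len(data_id) != ID_DIGITS or not data_id.isdigit():
        return None
    entry = INFO_DICTIONARY.get(data_id)
    return entry["category"] if entry else None

@dataclass
class Rule:                # one row of the 5W1H authorization matrix
    who: set               # accounts or device ids the rule applies to
    what: set              # actions: read, update, print, sign, ...
    which: set             # data categories from the dictionary
    where: set             # locations: office, datacentre, home, ...
    when: tuple            # (start_hour, end_hour) on a 24h clock, end exclusive
    how: set               # channels: thick-client, browser, vpn, ...

def authorize(rules: list[Rule], who: str, what: str, data_id: str,
              where: str, hour: int, how: str) -> bool:
    # Default deny: grant only when one rule matches all six dimensions.
    # `hour` is assumed to come from a trusted clock, not the client's.
    category = lookup_category(data_id)
    if category is None:
        return False
    for r in rules:
        start, end = r.when
        if (who in r.who and what in r.what and category in r.which
                and where in r.where and start <= hour < end and how in r.how):
            return True
    return False

# Constructed rule matrix: the payroll clerk may read confidential data in the
# office over the thick client during office hours only; public data is open
# to the clerk and a guest from office or home, any hour, browser or client.
RULES = [
    Rule({"clerk01"}, {"read"}, {"confidential"}, {"office"}, (9, 18),
         {"thick-client"}),
    Rule({"clerk01", "guest"}, {"read"}, {"public"}, {"office", "home"},
         (0, 24), {"browser", "thick-client"}),
]
```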

Looking at the authorization rules, one very important pillar runs throughout them: authentication. Authentication is proving that someone or something is genuine, not a fake.

For example, how do we verify that the login user really is the client specified in the authorization rule? Nowadays, we use two-factor or multi-factor authentication to do so. When the client is a host or a system, how do we ensure the client system is not a fake? Today, a digital certificate may do. However, can we trust the certificate? In 2017, Google announced that it would distrust Symantec CA brand SSL certificates issued before 1 June 2016. In the near future, it is foreseeable that blockchain technology will help a lot in this topic.

In some circumstances the information itself may need to be authenticated. How do we avoid getting a fake document? Accessing or receiving fake information or a fake document makes the authorization meaningless. There are already numerous criminal cases related to fake or fraudulent wills; the will documents related to Nina Wang are a well known story in Hong Kong. How do we verify that a document, file or software update is the official true copy issued by a company or authority? In this case, a digital certificate or a public/private key pair can help. Again, blockchain should be the next tool.

How do we authenticate the location? Can we trust the GPS position reported by our mobile application? There are numerous fake-GPS applications in the mobile stores. Also, many GPS applications cannot determine the current height above sea level, so it is difficult to tell whether you are working on the 3rd floor or the 40th floor of a building by using GPS alone.

Can we authenticate the actual time of access? It is easy to modify the system clock on a mobile device or PC. Network Time Protocol and blockchain may help in this area, I think.

Also, we have to use many hardware/software tools to perform the data access. Will these tools introduce security risks? Sometimes we have to rely on third party service providers, such as for VPN or video conferencing. Sometimes we outsource our operations to third party service providers. Will these third party service providers introduce security risks? Recently the USA government has officially banned the use of the US-based Zoom app. To address this issue, there comes another pillar: the security Risk Assessment for the Services, Tools and Systems, abbreviated R.A.S.T.S.

So far, 4 pillars have been introduced: Authorization, CID, Authentication and RASTS. They all relate to the DEFINITION of data access. If everyone accessed the information according to the authorization rules, everything would work fine. However, rules are made to be broken. What should be done about illegal access? Please refer to the blog Information Security Enforcement and Criminalization.


Alvin SIU
2020-06-17


The CIA of Information Security

What is information security? When I took the CISSP examination in 2002, the definition was confidentiality, integrity and availability, also known as the CIA triad. When I took my master's course later, there was another definition with 4 pillars (one of them being authentication). When I did an internet search later, someone suggested an 8-pillar definition. Anyway, the information security triad is the most widely accepted definition so far.

The first consideration of the triad is confidentiality. Confidentiality means that only an authorized person/party/process is allowed to access the information (regardless of whether the information is classified as 'confidential' or not). This is to prevent 'unauthorized access' to information. Put simply, if you are allowed to access the data, you can access it; if you are not allowed to, you are unable to access it. When this holds, confidentiality is said to be achieved.

The second pillar of the triad is data integrity. Data integrity ensures the accuracy and completeness of the data. To be precise: when a person/party/process is authorized to access the data, the data must be presented in an intact state, with nothing added, nothing lost and everything in the correct order. This is to prevent the data from being modified or stolen in an unauthorized or undetected manner.

The final pillar of the triad is availability. For example, if an authorized person is unable to access the information for whatever reason, his/her authority is actually meaningless; he is effectively the same as an unauthorized person. So, this pillar guarantees that an authorized person must be able to access the information at any time, at will.

Note that these definitions only denote the concept; they do not specify how to achieve it. They do not specify what hardware, devices, software, tools, processes or procedures are to be applied to meet the security requirements. For example, to achieve confidentiality, the information can be encrypted so that only the authorized person holds the decryption key. Or, it can be locked inside a safe with the physical key held by the authorized person. Both methods guarantee confidentiality. In short, whatever methods/tools achieve the security requirements can be used.

The first letters of Confidentiality, Integrity and Availability thus form the 'CIA' of information security. For years, many have thought that just 3 pillars, C.I.A., are not enough; there are other areas that need to be addressed and taken into consideration.

As you can see, the CIA pillars are mainly from the INFORMATION point of view. These 3 pillars relate to the 'state' of the information. The information should be kept in a 'confidential' state with respect to authorized and unauthorized clients. When given to an authorized client, the information should be in an 'integrity' state. Lastly, the information should always be in an 'available' state for the authorized client. In other words, these 3 pillars relate closely to the 'information' and NOT so directly to the CLIENT, the ultimate user of information security. The CIA pillars see only the shadows of the clients in their definition. In the next blog The CDE of Information Security, I will introduce the considerations related to the client in the world of information security.

Alvin SIU
2020-06-17


