First of all, how do we enforce information security? We have to find out which clients observe the authorization rules and which break them. This introduces another information security pillar: auditability. Auditability refers to the ability of an auditor to examine all information access activity.
For auditability, the audit log is one of the many important tools. Does the system log all information access activities? Does it record the activities in a timely manner? Is the logging complete? Does it record the time and location of each access? Is the audit log itself secured? How do we ensure the confidentiality and integrity of the audit log? Can the audit log be altered deliberately?
When we find what appears to be illegal access in the audit log, who is the suspect? This introduces another information security pillar: accountability. Accountability ensures that there is a person accountable or responsible for those activities. For example, when the audit log discloses some unauthorized access done by an account, who is the person accountable for these activities? When all the colleagues of a department share one account, we cannot identify who the real suspect(s) for that illegal access activity is/are. In countries/regions using common law, the suspect can enjoy the benefit of the doubt in this scenario. Therefore, the suspect is unlikely to be sentenced.
Moreover, when the illegal access is performed by a device, host or system, who should be accountable?
When CCTV recordings serve auditability, can we identify the person in the CCTV video beyond doubt? If not, no one is accountable even though there is a video recording of some illegal activity.
Auditability provides evidence of illegal access. Accountability provides a suspect. Everything seems to be ready for the prosecution of the suspect. In many countries/regions using common law, besides evidence, a witness is also required. However, in the cyber world, such a witness may NEVER exist. The suspect can afterwards deny everything he/she did. In this case, we introduce another pillar of information security: non-repudiation. Non-repudiation is the assurance that someone cannot deny something.
Non-repudiation has a very close relationship with the other pillars. For example, when the suspect denies performing an illegal access activity, the audit log can show which account performed it, and accountability can relate the account to the suspect. When the suspect claims that the information received was empty, the integrity measures can show that it was not. When the suspect claims that the illegal activity was done by someone else, 2-factor authentication and digital certificates issued by a trusted third party (e.g. a certificate authority) can address this authentication issue. In short, all these techniques contribute to non-repudiation.
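As an added illustration (not code from the original post) of the audit-log integrity questions raised above and of tying an access back to an account: a minimal hash-chained audit log in Python. Each record stores who, what, when and from where, and carries an HMAC over its own fields plus the previous record's tag, so that editing, deleting or reordering entries is detected on verification. The key, account names, paths and addresses are constructed sample values.

```python
import hmac, hashlib, json
from datetime import datetime, timezone

# Assumption: the verification key is held outside the logging host (e.g. by the
# auditor), so someone who can edit the log file cannot recompute valid tags. Constructed value.
LOG_KEY = b"constructed-demo-key-not-for-production"

def _tag(key, prev_tag, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

def append_entry(log, key, account, action, resource, source_ip, when=None):
    """Append one access record, chained to the previous entry's tag."""
    record = {
        "seq": len(log),
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "account": account,
        "action": action,
        "resource": resource,
        "source": source_ip,
    }
    prev = log[-1]["tag"] if log else "genesis"
    log.append({"record": record, "tag": _tag(key, prev, record)})
    return log

def verify_log(log, key):
    """Return (ok, first_bad_seq). Any edit, deletion or reordering from the
    tampered point onward shows up as a sequence or tag mismatch."""
    prev = "genesis"
    for i, entry in enumerate(log):
        if entry["record"]["seq"] != i or _tag(key, prev, entry["record"]) != entry["tag"]:
            return False, i
        prev = entry["tag"]
    return True, None

def demo():
    """Constructed sample: a user tries to pin their own deletion on a colleague."""
    t = datetime(2020, 6, 17, 9, 0, tzinfo=timezone.utc)
    log = []
    append_entry(log, LOG_KEY, "alice", "read", "/hr/salaries.xlsx", "10.0.0.5", t)
    append_entry(log, LOG_KEY, "bob", "read", "/hr/salaries.xlsx", "10.0.0.9", t)
    append_entry(log, LOG_KEY, "alice", "delete", "/hr/salaries.xlsx", "10.0.0.5", t)
    clean = verify_log(log, LOG_KEY)
    log[2]["record"]["account"] = "bob"   # edit the stored record after the fact
    return clean, verify_log(log, LOG_KEY)  # ((True, None), (False, 2))
```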
To sum up, we use the pillars Auditability, Accountability and Non-repudiation to provide enforcement and criminalization of illegal data access.
So far, 10 pillars have been introduced. A summary will be given in the next blog post, The Hydra of Information Security.
Alvin SIU
2020-06-17
Copyright/Licence Information: All information and coding in this article is offered at no charge for NON-COMMERCIAL PERSONAL USE only. This blog and the coding is copyright. Reproduction of this blog and its coding in whole or in part in paper or digitally or in any other forms without the explicit written permission of the author is strictly prohibited.
Disclaimer: All information in this article is distributed "as is" and is UNSUPPORTED. NO WARRANTY of any kind is expressed or implied. You use AT YOUR OWN RISK. The author will not be liable for any data loss, damages, and loss of profits or any other kind of tangible or intangible loss while using or misusing wholly or partly of the information.