The process of encoding a message or information in such a way that only authorized parties can read it.
Encryption is important to our personal, business, community, and national security. Criminals, competitors, or hostile governments may seek to exploit weak or non-existent encryption to hack systems or steal data. Strong, well-managed encryption renders content unreadable to anyone who does not have authorized access.
A network security system built into hardware or software that monitors network traffic and controls incoming and outgoing traffic based on a set of rules.
Firewalls enable system administrators to monitor and control network traffic coming into and out of their systems. Firewalls provide a first line of defense against network-based cybersecurity attacks. They are also used to censor information by blocking traffic to and from certain sites.
The range of actions an authenticated user or device is allowed to take in a system.
A good society works like this: we expect promises to be kept, contracts to be honored, and a lost wallet to be returned. However, when applied to your IT infrastructure, such a mindset leaves your system wide open to an insider or an unhappy former employee. Privilege management gives you detailed control over the permissions given to each user and device.
Giving your house key to a neighbor so they can water your plants does not mean you want to allow them to look through your closets or bedroom drawers. However, most of us do not have the technical means to restrict access in this way; we either give access to the entire house, or we don’t give access at all. Giving your key to a neighbor relies on implicit trust. You trust that your neighbor will not try on your underwear or eat all your cookies.
To put it mildly, this is not an ideal trust model for your IT infrastructure; you need a model that relies on least privilege, which gives each user only the privileges needed to perform their job duties and nothing more.
In many organizations, the highest possible access rights are given to system administrators. Companies that blindly trust system administrators open themselves to unnecessary risk. It is safer to have fine-grained control over privileges and give each administrator only the privileges needed to carry out their assigned tasks. For example, an administrator responsible for the payroll database probably doesn’t need access to the customer database.
To do this you need to implement an access-level classification scheme and have procedures that support your daily operations. This approach eliminates the need to give users higher levels of access than they need. This would be the equivalent of putting a password on your underwear drawer, making it inaccessible to your neighbor who has only the front door key.
Privilege Gone Wild 2survey that shows 47 percent of employees say they have elevated privileges not necessary for their roles.
Emma Lilliestam is a Swedish software security tester. She has previously worked in Support and DevOps and is now a consultant for House of Test.
Term: Privilege
Website: emalstm.com
Twitter: @emalstm
The process of ensuring that an action was taken by a specific person or entity. In IT security, non-repudiation is the ability to validate that the contents of a message received can be verified as unchanged and also verified as having come from a specific person or entity.
When dealing with electronic transactions, it’s important to confirm with a high degree of certainty that actions or decisions were, in fact, taken by specific individuals or entities. Since hackers are getting better at impersonating identities, greater security measures must be implemented to ensure the integrity, accuracy, and authenticity of electronic transactions such as credit card purchases or digital signatures.
Business professionals need to be able to verify that actions, such as bank transfers, contracts, and credit card purchases, can be linked with a specific actor (person or entity). Non-repudiation methods help ensure the following:
In today’s digital world, it is becoming increasingly important to verify that specific actions were taken by specific individuals. For transactions, such as financial transfers, that require greater integrity, organizations need to implement and enforce security measures that ensure the authenticity and intent of each transaction. For transactions, such as product surveys, where there is little or no business need to reliably identify a specific actor, it is less important to take such measures.
Measures to ensure non-repudiation include: notarization, multi-factor authentication, audit trails, digital signatures, and forensic analysis (e.g., handwriting analysis)(Spacey 2016).
There are multiple technologies available to implement and enforce non-repudiation. Measures to authenticate identity play an important part in ensuring that individuals are, in fact, who they assert themselves to be. Digital certificates and encryption can secure a message and ensure that its contents are not altered during transmission.
In an expanding digital economy, the integrity of your business depends on your ability to prove that each critical transaction was verifiably executed by a specific, identifiable person or process.
John Falkl is an Architect Advisor at CVS Health. Prior to CVS, John was with IBM as the executive and IBM distinguished engineer responsible for service-oriented architecture (SOA) and application services governance, driving the convergence strategy for service governance and API
Term: Non-repudiation
Email: jfalkl@aol.com
LinkedIn: linkedin.com/in/john-falkl-808aa03