
Security by Design


edric


  1. Security by Design A Prequel for COMPSCI 702

  2. Perspective
     • “Any fool can know. The point is to understand.” - Albert Einstein
     • “Sometimes it's not enough to know what things mean, sometimes you have to know what things don't mean.” - Bob Dylan
     • “Life can only be understood backwards; but it must be lived forwards.” - Søren Kierkegaard

  3. Definitions
     • For the purposes of this class, a security service is a service that is designed to offset the potential loss of confidentiality, integrity, and/or availability, through the utilization of one or more security mechanisms and protocols.
     • It is in this context that the security services of authentication, access control, integrity, confidentiality, non-repudiation, auditing and availability will be considered.
     • Security services are enacted through the use of security mechanisms and protocols.
     • Overlap of security services may occur in the same mechanism and/or protocol.

  4. Definitions
     • Authentication
       • Authentication techniques establish trust in a principal and its credentials by verifying the claimed identity.
       • For effective authentication, the credentials need to be a unique form of identification that is difficult to counterfeit.
       • In distributed, networked computing environments it is necessary that people, computers, and services confirm each other’s identities before initiating data transfers or granting access to files and processes.

  5. Definitions
     • Access Control
       • Access control involves the enforcement of privileges based on the system’s access control policy.
       • The function of access control is to limit the actions or operations that a legitimate user of a computer system can perform.
       • The use of access control extends to the execution of system commands by both subjects (people) and objects (programs) in an effort to prevent a breach of the system’s security policy.
       • Policies are high-level guidelines that determine how accesses are controlled and access decisions determined.

  6. Definitions
     • Integrity
       • Integrity means that the data is unaltered based on its original state. Integrity can also be defined as data that has had no unauthorized changes.
       • During electronic storage and transmission, data can be corrupted or destroyed through error or malicious intent.
       • Integrity services seek to maintain the integrity of stored and transmitted data with the assistance of other security services and mechanisms in an effort to prevent corruption and tampering.

  7. Definitions
     • Confidentiality
       • Confidentiality is said to describe the state in which data is protected from unauthorized disclosure.
       • Confidentiality services seek to maintain the privacy of stored and transmitted data with the support of other security services and mechanisms such as encryption using a secret or public/private key.

  8. Definitions
     • Non-Repudiation
       • A non-repudiation service makes entities accountable for their actions by providing non-refutable evidence that an action took place by the entity.
       • Evidence can come in the form of proof of origin, proof of original content, proof of delivery, and proof of original content received.
       • The first two forms of evidence protect the receiver and the last two protect the sender.
       • A non-repudiation service collects evidence in a manner that the entities cannot repudiate their actions at a later date, and retains that evidence in a secure manner.

  9. Definitions
     • Audit
       • Audit services provide monitoring functions through the use of logs so that an examination of past activities and events may be conducted.
       • An audit policy establishes what activities and events are to be recorded and under what conditions.
       • Security auditing services are concerned with monitoring, recording, and maintaining security-relevant events so that in the event of a security breach they can be utilized to secure future transactions.
       • This includes the protection of the logs so that the data is not modified or deleted through unintentional or deliberate acts.

  10. Definitions
      • Availability
        • Availability services ensure that a system is operational and functional at any given moment.
        • Usually provided through redundancy
        • High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.
        • Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down.

  11. The Bigger Picture: Security Services & Mechanisms
      [Figure: diagram with the labels “Perceived Safe Zone” and “Theoretical Safe Zone”; the mechanisms listed on the slide follow.]
      • Intrusion Detection Systems - Highly developed Non-Repudiation systems
      • Server transaction logs - Database transaction logs - Certificate Authorities
      • Secret Key and Public / Private Key - Secure Socket Layer (SSL)
      • Transport Layer Security (TLS) - IPv6 - Internet Protocol Security (IPSec)
      • Hash Product (MD5, SHA-1, RIPEMD-160) - Digital Certificate - IPv6
      • Capacity Planning / Scalable Bandwidth - Server / Site Mirroring
      • Packet Filtering and Blocking - Distributive Operations
      • Public Key Infrastructure and X.509 - Kerberos
      • Global Directory Services (X.500) - Tokens
      • Reference Monitor - Access Control Lists
      • PKI - Digital Certificates - HMAC

  12. The Bigger Picture: Competing Interests
      [Figure: diagram with the labels User Privacy (secrecy), User Features, Security Design, and Data Usage (transparency).]

  13. What I am looking for from YOU
      • View the activities of this class from a security services’ perspective.
      • Evaluate what “secure” means in this context
      • Select security mechanisms and protocols based on this perspective
      • Identify what security services and mechanisms are lacking in development environments, and…
      • Discover new ways of securing applications

  14. Questions?
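
Slide 9 requires that audit logs be protected against modification or deletion, and slide 11 lists HMAC among the available mechanisms. The sketch below is an added example, not part of the original presentation: it chains an HMAC over each log record so an integrity mechanism supports the audit service. The key, the event strings and the function names `append` and `verify` are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real deployment keeps it off the logging host.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def _tag(key, prev_tag, seq, event):
    """HMAC-SHA256 over the previous tag, the sequence number and the event."""
    body = json.dumps({"prev": prev_tag, "seq": seq, "event": event},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(log, event, key=KEY):
    """Append an event, chaining its tag to the previous record's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "event": event, "tag": _tag(key, prev, seq, event)})
    return log[-1]["tag"]


def verify(log, key=KEY, expected_last_tag=None):
    """Return (ok, reason). expected_last_tag is a copy of the newest tag
    stored elsewhere, so that removal of trailing records is also detected."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, f"record {i}: sequence gap (deleted or reordered)"
        good = _tag(key, prev, rec["seq"], rec["event"])
        if not hmac.compare_digest(good, rec["tag"]):
            return False, f"record {i}: tag mismatch (modified or chain broken)"
        prev = rec["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, "tail truncated or replaced"
    return True, "ok"


if __name__ == "__main__":
    log = []
    for e in ["login alice", "read payroll.db", "logout alice"]:  # constructed events
        last = append(log, e)
    print(verify(log, expected_last_tag=last))   # intact log
    log[1]["event"] = "read notes.txt"           # in-place modification
    print(verify(log, expected_last_tag=last))   # reported at record 1
```

The chain alone detects edits and deletions in the middle of the log; detecting removal of the newest records depends on the separately stored last tag.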
