Module 3
Information Assurance
Concepts
Expected Learning Outcome:
1. Discuss Defense in Depth in Information Assurance
2. Explain the CIA Triad
3. Discuss what IAAA is
4. Explain Nonrepudiation and Authentication
Defense in Depth
The 19th-century military strategist Helmuth von Moltke was right: his
aphorism “No plan survives contact with the enemy” can discourage
even the best planner. Once engaged, attackers have the advantage: they
know what they are going to do and what their objective is. To
provide an effective defense, each layer must be composed of multiple
countermeasures of varying complexity, application, and rigor; this is
defense-in-depth.
Defense in Depth
Defense-in-depth provides an adequate information assurance posture,
but it tends to be reactive. Defense must always be planned, because in
practice it is deployed in response to the escalating sophistication of the
attacks an organization experiences. As former U.S. Defense Secretary Donald H.
Rumsfeld stated, “You go to war with the army you have, not the army
you might want or wish to have at a later time.” A defensive strategy
cannot be expected to respond to unknown and potentially urgent risk
situations such as last-minute patches and catch-up planning, but it can
reduce the impact of such weaknesses. A proper defense-in-depth
strategy may mean the difference between difficult survival and
being put out of business.
Defense in Depth
A correctly planned, dynamic, information assurance strategy becomes an essential
emergent property of the system it protects. To provide defense-in-depth, the
strategy and the program it defines cannot be static. Rick Dove, an expert on
systems and artificial intelligence, proposes that defense-in-depth must provide
parity with the agility of intelligent attacking systems. A defense-in-depth strategy
must have six characteristics.
• Self-organizing
• Adapting to unpredictable situations
• Evolving in concert with an ever-changing environment
• Reactively resilient
• Proactively innovative
• Harmonious with system purpose
Defense in Depth
Defense-in-depth is most appropriately defined as part of an
organization’s security architecture. Smaller to mid-size organizations
may not have the resources to develop fully an information assurance
architecture and will therefore often rely on risk assessments to help
find weaknesses in their security posture. The security architecture of
an organization must develop defenses for every level of an application,
system, or workflow using physical, logical, and technical
countermeasures to slow the attack of an adversary. To slow the
attackers, defenders must present numerous challenges through
various dimensions of countermeasures.
Defense in Depth
Defense-in-depth relies heavily on the application of
segmentation. Segmentation ensures that a single
compromised element of a system cannot compromise the
system as a whole. Segmentation also ensures the most
efficient use of controls throughout the organization.
Information and services require varying degrees of defensive
protection depending on their value to the organization.
Figure 1 illustrates the relationship between assets, impacts,
and segmentation.
Figure 1. Defense-in-depth conceptual model
The CIA triad
When dealing with information assurance and
its subcomponent information security, you
should be familiar with three primary security
objectives—confidentiality, integrity, and
availability—to identify problems and provide
proper solutions. This concept is widely known
as the CIA triad, as shown in Figure 2.
Figure 2. CIA triad: Confidentiality, Integrity, and Availability
Confidentiality
Confidentiality and privacy are related terms but are not synonymous.
Confidentiality is the assurance of data secrecy where no one is able to
read data except for the intended entity. Confidentiality should prevail no
matter what the data state is—whether data resides on a system, is being
transmitted, or is in a particular location (for example, a file cabinet, a
desk drawer, or a safe). Privacy, on the other hand, involves personal
autonomy and control of information about oneself. Both are discussed
in this chapter. The word classification merely means categorization in
certain industries.
Confidentiality
Assign an appropriate sensitivity categorization to
information to maintain confidentiality. Different
categorizations will address the degree of security controls
needed. For example, a range of military classification
(categorization in the military) includes unclassified,
confidential, secret, and top secret. A military document
classified (categorized) as top secret will require control
mechanisms to eliminate threats that may
expose the location or characteristics of an important asset.
Integrity
People understand integrity in terms of dealing with people.
People understand the sentiment “Jill is a woman of
integrity” to mean Jill is a person who is truthful, is
trustworthy, and can be relied upon to perform as she
promises. When considering integrity in an information
assurance perspective, organizations will use it not only
from a personnel perspective but also
from a systems perspective.
Integrity
In information systems, integrity is a service that assures that the information
in a system has not been altered except by authorized individuals and
processes. It provides assurance of the accuracy of the data and that it has not
been corrupted or modified improperly. Integrity may be achieved by applying
a mathematical technique (such as a hash or checksum) that allows the information to be verified later.
Examples of integrity controls are watermarks, bar codes, hashing, checksums,
and cyclic redundancy check (CRC). A second form of integrity control manages
the processes to enter and manipulate information. For example, a physician
(and the patient) would want the integrity of medical records. The records
should reflect the actual data from the laboratory, and once the data is stored,
it should be stored so it is unchangeable outside defined processes.
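As an added example (not part of the slides), the integrity controls described above carried into code: each laboratory result is sealed with a SHA-256 digest and, going one step beyond the text, the digests are chained so that a stored record can change only through the defined process (appending an amendment), never by an in-place edit. The record fields and values are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// LabResult is a constructed sample record; the field values are illustrative only.
type LabResult struct {
	PatientID string
	Test      string
	Value     string
	Amends    int // index of the entry this one corrects, or -1 for an original result
}

// Entry is a stored record plus the digest that seals it to everything stored before it.
type Entry struct {
	Record   LabResult
	PrevHash string // digest of the previous entry ("" for the first)
	Hash     string // SHA-256 over the record fields and PrevHash
}

// digest hashes the fields with a separator so that ("ab","c") and ("a","bc") cannot
// collide, and folds in the previous digest so the entries form a chain.
func digest(r LabResult, prev string) string {
	h := sha256.New()
	for _, f := range []string{r.PatientID, r.Test, r.Value, fmt.Sprint(r.Amends), prev} {
		h.Write([]byte(f))
		h.Write([]byte{0x1f}) // ASCII unit separator between fields
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append is the only defined process for changing the store: it adds, never rewrites.
func Append(chain []Entry, r LabResult) []Entry {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	return append(chain, Entry{Record: r, PrevHash: prev, Hash: digest(r, prev)})
}

// VerifyChain recomputes every digest. An in-place change to a stored value, or to the
// link between entries, makes the recomputed hash disagree with the stored one.
func VerifyChain(chain []Entry) (ok bool, badIndex int) {
	prev := ""
	for i, e := range chain {
		if e.PrevHash != prev || digest(e.Record, e.PrevHash) != e.Hash {
			return false, i
		}
		prev = e.Hash
	}
	return true, -1
}

// Current returns the latest value for a patient's test, honouring amendments.
func Current(chain []Entry, patient, test string) string {
	val := ""
	for _, e := range chain {
		if e.Record.PatientID == patient && e.Record.Test == test {
			val = e.Record.Value
		}
	}
	return val
}

func main() {
	var chain []Entry
	chain = Append(chain, LabResult{"P-1001", "HbA1c", "6.1%", -1})
	chain = Append(chain, LabResult{"P-1001", "LDL", "130 mg/dL", -1})
	// Authorised correction: a new entry that references the one it amends.
	chain = Append(chain, LabResult{"P-1001", "HbA1c", "6.4%", 0})
	ok, _ := VerifyChain(chain)
	fmt.Println("chain valid:", ok, "| current HbA1c:", Current(chain, "P-1001", "HbA1c"))

	// Improper modification: editing a stored value directly, outside the defined process.
	chain[0].Record.Value = "5.0%"
	ok, bad := VerifyChain(chain)
	fmt.Println("chain valid after in-place edit:", ok, "| first bad entry:", bad)
}
```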
Availability
Availability is the service that assures data and resources are accessible to
authorized subjects or personnel when required. The second component of the
availability service is that resources such as systems and networks should
provide sufficient capacity to perform in a predictable and acceptable manner.
Secure and quick recovery from disruptions is crucial to avoid delays or
decreased productivity. Therefore, it is necessary that protection mechanisms
should be in place to ensure availability and to protect against internal and
external threats. Availability is also often viewed as a property of an
information system or service. Most service level agreements and measures of
performance for service providers surround availability above all else. The
availability of a system may be one of its most marketable properties.
CIA Balance
The three fundamental security requirements are not
equally critical in each application. For example, to one
organization, service availability and the integrity of
information may be more important than the confidentiality
of information. A web site hosting publicly available
information is an example. Therefore, you should apply the
appropriate combination of CIA in correct portions to
support your organization’s goals and provide users with a
dependable system.
Nonrepudiation and Authentication
The MSR model of information assurance describes additional services
associated with nonrepudiation. Digital transactions are prone to
fraud in which a participant in the transaction repudiates (denies) the
transaction. A digital signature is evidence that the information
originated with the asserted sender of the information and prevents
subsequent denial of sending the message. Digital signatures may
provide evidence that the receiver has in fact received the message
and that the receiver will not be able to deny this reception. This is
commonly known as nonrepudiation. In large organizations such as the
U.S. government, efforts are in place to implement digital signatures
through smartcards, mobile devices, and even biometric
Nonrepudiation
Nonrepudiation and Authentication
The term nonrepudiation describes the service that ensures
entities are honest in their actions. There are variants of
nonrepudiation, but the most often used are as follows:
• Nonrepudiation of source prevents an author from false
refusal of ownership to a created or sent message, or the
service will prove it otherwise.
• Nonrepudiation of acceptance prevents the receiver from
denying having received a message, or else the service will
prove it otherwise.
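An added example, not from the slides, of the two nonrepudiation variants using Ed25519 signatures from Go's standard library: the sender signs the transaction (nonrepudiation of source), and the receiver, after verifying that signature, signs a digest of exactly what it received (nonrepudiation of acceptance). The party names and the transaction text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is one participant with its own signing key pair (generated fresh for the example).
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // never leaves the party; this is what makes the evidence binding
}

func NewParty(name string) (Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Party{name, pub, priv}, err
}

// SignedMessage is the evidence of origin: the transaction, who asserts having sent it,
// and a signature that only the holder of that sender's private key could have produced.
type SignedMessage struct {
	From, To, Body string
	Sig            []byte
}

// messageBytes binds sender, recipient and body together so that a signature over one
// transaction cannot be presented as evidence for a different one.
func messageBytes(from, to, body string) []byte {
	return []byte("MSG\x1f" + from + "\x1f" + to + "\x1f" + body)
}

// Send produces nonrepudiation-of-source evidence.
func (p Party) Send(to, body string) SignedMessage {
	return SignedMessage{p.Name, to, body, ed25519.Sign(p.priv, messageBytes(p.Name, to, body))}
}

// VerifyOrigin lets anyone holding the sender's public key check that evidence later.
func VerifyOrigin(m SignedMessage, senderPub ed25519.PublicKey) bool {
	return ed25519.Verify(senderPub, messageBytes(m.From, m.To, m.Body), m.Sig)
}

// Receipt is nonrepudiation-of-acceptance evidence: the receiver signs the digest of the
// exact message it received, so it cannot later deny that reception.
type Receipt struct {
	By        string
	MsgDigest [32]byte
	Sig       []byte
}

func receiptBytes(by string, d [32]byte) []byte {
	return append([]byte("RCPT\x1f"+by+"\x1f"), d[:]...)
}

// Acknowledge verifies the origin first: a receiver must not sign for a message whose
// sender it has not authenticated, or that was not addressed to it.
func (p Party) Acknowledge(m SignedMessage, senderPub ed25519.PublicKey) (Receipt, bool) {
	if m.To != p.Name || !VerifyOrigin(m, senderPub) {
		return Receipt{}, false
	}
	d := sha256.Sum256(messageBytes(m.From, m.To, m.Body))
	return Receipt{p.Name, d, ed25519.Sign(p.priv, receiptBytes(p.Name, d))}, true
}

// VerifyReceipt checks that the receiver signed the digest of this specific message.
func VerifyReceipt(r Receipt, m SignedMessage, receiverPub ed25519.PublicKey) bool {
	if r.MsgDigest != sha256.Sum256(messageBytes(m.From, m.To, m.Body)) {
		return false
	}
	return ed25519.Verify(receiverPub, receiptBytes(r.By, r.MsgDigest), r.Sig)
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	m := alice.Send("bob", "Transfer 500 to account 42") // constructed transaction
	rcpt, ok := bob.Acknowledge(m, alice.Pub)
	fmt.Println("origin verified, receipt issued:", ok, "| receipt verifies:", VerifyReceipt(rcpt, m, bob.Pub))
	fmt.Println("signature:", hex.EncodeToString(m.Sig[:8])+"...")

	// Later dispute: alice claims the transaction said 50, not 500. The stored evidence
	// does not verify against her changed story, so the denial fails.
	disputed := m
	disputed.Body = "Transfer 50 to account 42"
	fmt.Println("disputed version verifies:", VerifyOrigin(disputed, alice.Pub))
}
```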
Identification, Authentication, Authorization,
and Accountability (IAAA)
Identification, authentication, authorization, and accountability are the
essential functions in providing an access management system. This
service as described by the MSR model of information assurance is
summarized as authentication but reflects the entire IAAA process. The
overall architecture of an access management system includes the
means of identifying its users, authenticating a user’s identity and
credentials, and setting and controlling the access level of a user’s
authorization. In addition, it should provide for logging and auditing
the trail of a user’s activity in search of privilege violations or attempted
violations and accounting for system resource usage.
Figure 3. Steps of IAAA
Authentication
Authentication validates the identification provided by a user. In other words, it
makes sure the entity presenting the identification can further prove to be who
they claim. To be authenticated, the entity must produce at least a second
credential. Three basic factors of authentication are available to all types of
identities.
• What you should know (a shared secret, such as a password, which both the user
and the authenticator know)
• What you should have (a physical identification, such as a smartcard, hardware
token, or identification card)
• What you are (a measurable attribute, such as biometrics, a thumbprint, or facial
recognition)
Authorization
Once a user presents a second credential and is
identified, the system checks an access control
matrix to determine their associated privileges.
If the system allows the user access, the user is
authorized.
Accountability
The act of being responsible for actions taken
within a system is accountability. The only way
to ensure accountability is to identify the user
of a system and record their actions.
Accountability makes nonrepudiation
extremely important.
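The IAAA steps as an added example (not from the slides, and not a real access management product): identification by user ID, authentication with a stretched password hash plus a TOTP code from a token (two factors), authorization against an access control matrix, and an audit trail for accountability. The user, salt and matrix entries are constructed; the token secret is the RFC 6238 test key, and HashPassword is an illustrative stand-in for a real KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// User holds what is needed to check two factors for one identity.
type User struct {
	Salt    []byte
	PwHash  []byte // stretched, salted hash of the password (something you know)
	TOTPKey []byte // secret shared with the user's token or phone app (something you have)
}
type Matrix map[string]map[string][]string // access control matrix: subject -> object -> operations

// AuditEvent is one accountability record.
type AuditEvent struct {
	Time                             time.Time
	Subject, Object, Action, Outcome string
}
type System struct {
	Users map[string]User // identification store, keyed by identifier
	ACL   Matrix
	Audit []AuditEvent
}

func (s *System) log(subject, object, action, outcome string) {
	s.Audit = append(s.Audit, AuditEvent{time.Now(), subject, object, action, outcome})
}

// HashPassword stretches a salted hash so that guessing is slow. Illustrative only:
// a production system should use a purpose-built KDF such as argon2id or bcrypt.
func HashPassword(pw string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// TOTP implements RFC 6238 (RFC 4226 HOTP with HMAC-SHA-1, 30-second step, 6 digits).
func TOTP(key []byte, t time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Authenticate checks the claimed identity against both factors and logs every attempt.
func (s *System) Authenticate(id, password, code string, now time.Time) bool {
	u, known := s.Users[id]
	if !known {
		s.log(id, "-", "login", "denied: unknown identity")
		return false
	}
	pwOK := subtle.ConstantTimeCompare(HashPassword(password, u.Salt), u.PwHash) == 1
	codeOK := subtle.ConstantTimeCompare([]byte(TOTP(u.TOTPKey, now)), []byte(code)) == 1
	if !pwOK || !codeOK { // one generic outcome: the log must not reveal which factor failed
		s.log(id, "-", "login", "denied: bad credential")
		return false
	}
	s.log(id, "-", "login", "success")
	return true
}

// Authorize consults the access control matrix for an authenticated subject.
func (s *System) Authorize(id, object, action string) bool {
	for _, a := range s.ACL[id][object] {
		if a == action {
			s.log(id, object, action, "permitted")
			return true
		}
	}
	s.log(id, object, action, "denied")
	return false
}

func main() {
	key, salt := []byte("12345678901234567890"), []byte("salt-1") // constructed enrolment data
	sys := &System{
		Users: map[string]User{"jill": {salt, HashPassword("correct horse battery", salt), key}},
		ACL:   Matrix{"jill": {"lab_results": {"read"}}},
	}
	now := time.Now()
	fmt.Println("login:", sys.Authenticate("jill", "correct horse battery", TOTP(key, now), now))
	fmt.Println("read:", sys.Authorize("jill", "lab_results", "read"), "write:", sys.Authorize("jill", "lab_results", "write"))
	fmt.Println(len(sys.Audit), "audit events recorded; last outcome:", sys.Audit[len(sys.Audit)-1].Outcome)
}
```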
Privacy’s Relationship to Information Assurance
As mentioned earlier, a security concept that is often
confused with confidentiality is privacy. Privacy describes the
control people have to regulate the flow of information about
themselves selectively. In contrast, confidentiality requires
that only an authorized party access information. This makes
confidentiality one of the goals in information assurance but
with a less personal emphasis. Despite the subtle difference,
both concepts are interrelated. For example, identity theft
could be a result of lack of privacy or failure in confidentiality.
Q. & A.
Asynchronous Activity
Quiz No. 3
Thank You
