General security primitives and methods
As history has taught us, the security of a system should always be the number one priority for system and security engineers.
Many researchers would agree that in order to build secure systems, we need to meet at least some basic security requirements by using the respective security countermeasures or mechanisms. A system’s security plan should therefore:
- Ensure the confidentiality, integrity and availability (CIA) of the data/information/service that it deals with
- Include authentication and authorisation mechanisms/techniques (eg access control, biometrics, etc) to verify the identity of potential users
- Consider system accountability
- Use encryption and hashing techniques for data protection
Confidentiality, integrity and availability (CIA) triad
Every computer system that processes data or information should be able to guarantee the confidentiality, integrity and availability of that data. These three principles are defined as follows:
Confidentiality refers to data privacy. This requirement should guarantee that the data is accessible only by authorised users.
Integrity refers to data modification. This requirement should guarantee the prevention of unauthorised data changes.
Availability refers to data access. This requirement should guarantee that all authorised users of the system can access the system’s data whenever they need it.
Authentication and accountability
To ensure the smooth and secure operation of a system, we also need to incorporate another two basic attributes in its security profile:
Authentication refers to the process by which a system tries to confirm the identity of the user who wants to access it.
Accountability involves the duties and responsibilities of the employees with respect to the assurance of the information/data. Thus, the security plan should clearly define the responsibilities of the staff when it comes to regular maintenance, inspection, etc.
To make sure that these two processes work in a desirable way and in accordance with the functioning requirements of the system, we can include authentication and authorisation mechanisms/techniques (eg access control, biometrics, etc) to enable identity verification of users.
Awareness and accountability
To further protect a system from a potential security breach, we need to make sure that the staff members involved in any of the system’s security processes are aware of the security risks that their role poses.
Furthermore, each staff member should be accountable for the duties and responsibilities defined by their post with respect to the assurance of the information/data security. Thus, a good security plan should consider these two factors by clearly defining the responsibilities of the staff when it comes to regular maintenance, inspection and other security processes of the system and by incorporating relevant training for the staff.
Encryption and hashing
Encryption and hashing are two essential methods that are commonly used in computer systems in order to secure the data that is exchanged, processed or stored during operation. We will recap the main concepts of cryptography and hash functions in the next step.
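The sketch below is an added example, not part of the original course material. It shows how authentication (a salted password hash), authorisation (confidentiality) and integrity (a keyed hash) can combine in a single read operation. The users, roles and record are constructed sample data, and the audit log is an assumed technical aid to accountability, which this page defines in terms of staff responsibilities. Availability is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: users, passwords, roles and record are illustrative.
INTEGRITY_KEY = secrets.token_bytes(32)

def hash_password(password: str, salt: bytes) -> bytes:
    """Hashing: store a salted, slow hash instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "role": role}

USERS = {"alice": make_user("correct horse", "nurse"),
         "bob": make_user("battery staple", "visitor")}
READ_ROLES = {"nurse"}  # authorisation policy: roles allowed to read records
AUDIT_LOG = []          # assumption: audit trail as an aid to accountability

def tag(data: bytes) -> bytes:
    """Integrity: keyed hash (HMAC) that changes if the data is modified."""
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).digest()

RECORD = {"data": b"blood type: O+"}
RECORD["tag"] = tag(RECORD["data"])

def authenticate(user: str, password: str) -> bool:
    """Authentication: confirm the claimed identity against the stored hash."""
    entry = USERS.get(user)
    if entry is None:
        return False
    candidate = hash_password(password, entry["salt"])
    return hmac.compare_digest(candidate, entry["pw_hash"])

def read_record(user: str, password: str) -> bytes:
    """Return the record only to an authenticated, authorised user."""
    if not authenticate(user, password):
        AUDIT_LOG.append((user, "read", "denied: authentication"))
        raise PermissionError("authentication failed")
    if USERS[user]["role"] not in READ_ROLES:
        AUDIT_LOG.append((user, "read", "denied: authorisation"))
        raise PermissionError("not authorised")
    if not hmac.compare_digest(tag(RECORD["data"]), RECORD["tag"]):
        AUDIT_LOG.append((user, "read", "failed: integrity"))
        raise ValueError("record was modified")
    AUDIT_LOG.append((user, "read", "ok"))
    return RECORD["data"]
```

Each check corresponds to one requirement in the list at the top of this step, and each refusal is recorded along with the reason for it.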
What problems might you encounter if you don’t apply these security primitives during the system development process?
© Coventry University. CC BY-NC 4.0