Separation of Duties, Two-Person Control, (Principle of) Least Privilege and Need to Know

Security Fundamentals

Information Security rests on a number of foundational concepts, such as the Confidentiality, Integrity and Availability of information, information assets and services. In this article we’ll explore four key concepts that will help you build and configure secure systems, and therefore protect and improve the Confidentiality, Integrity and Availability of your organisation’s information assets.

The four concepts fall into two loosely related pairs: Separation of Duties and Two-Person Control, then Need to Know and (Principle of) Least Privilege.

Separation of Duties

Separation of Duties aims to ensure that two duties which together allow a sensitive task to be performed are never held by a single person.

If both duties were held, and actionable, by one person, that person could complete the sensitive task alone, and a compromise or abuse of their account would lead to an undesirable outcome with nothing in the system to stop it.

Let’s explore a simple example. In finance you might have a duty to bring a new supplier onto the system (i.e. to record a company you formally deal with, which can then issue you invoices for goods or services). You would also have a duty to authorise payment to those suppliers (issue cheques, make bank transfers, etc.) for goods or services.

Now, can you see the possible issue? If both those duties were held and actionable by a single person, they could create a new supplier on the system (perhaps a friend, or even themselves) and then authorise and issue payment to that supplier, all without any challenge from the system, thus allowing abuse.

To avoid this, each duty is held by a different person, so that no one individual can both create a supplier and authorise a payment to it. Unless the two people collude, this particular attack is not possible. Of course two people might collude, but this is less likely and potentially easier to detect, since the fraudulent supplier and the payment to it now appear under two different accounts.
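One way to enforce the supplier/payment separation in code, as an added example that is not part of the original article: the conflict is checked both when duties are assigned (so one person can never be granted both) and again when a payment is authorised (so even a bypassed role check cannot let the creator of a supplier pay it). The duty names, the in-memory FinanceSystem and the users alice and bob are all constructed for the illustration.

```python
"""Separation of Duties for the supplier/payment example: the conflict is
enforced both when duties are assigned and, as a backstop, when a payment
is authorised.  This is an added illustration, not code from the article;
the duty names, the in-memory FinanceSystem and the sample users are all
constructed for the example."""

from dataclasses import dataclass, field

# Duty pairs that together let one person complete a sensitive task alone
# (constructed policy; a real system would load this from configuration).
CONFLICTING_DUTIES = [
    frozenset({"create_supplier", "authorise_payment"}),
]


class SeparationOfDutiesError(Exception):
    """Raised when an action would let one person hold or exercise both halves of a conflicting pair."""


@dataclass
class FinanceSystem:
    duties: dict = field(default_factory=dict)     # user -> set of duty names
    suppliers: dict = field(default_factory=dict)  # supplier -> user who created it
    payments: list = field(default_factory=list)   # (supplier, authorised_by, amount)

    def grant(self, user: str, duty: str) -> None:
        """Preventive control: refuse a grant that would complete a conflicting pair."""
        held = self.duties.setdefault(user, set())
        for pair in CONFLICTING_DUTIES:
            other = pair - {duty}
            if duty in pair and other <= held:
                raise SeparationOfDutiesError(
                    f"{user} already holds {sorted(other)}; cannot also hold {duty}")
        held.add(duty)

    def create_supplier(self, user: str, supplier: str) -> None:
        if "create_supplier" not in self.duties.get(user, set()):
            raise PermissionError(f"{user} may not create suppliers")
        self.suppliers[supplier] = user  # remember who on-boarded the supplier

    def authorise_payment(self, user: str, supplier: str, amount: int) -> None:
        if "authorise_payment" not in self.duties.get(user, set()):
            raise PermissionError(f"{user} may not authorise payments")
        if supplier not in self.suppliers:
            raise KeyError(f"unknown supplier: {supplier}")
        # Transactional backstop: even if the grant check were bypassed or a
        # role change slipped through, the creator of a supplier can never pay it.
        if self.suppliers[supplier] == user:
            raise SeparationOfDutiesError(f"{user} created {supplier} and cannot also pay it")
        self.payments.append((supplier, user, amount))


def demo() -> dict:
    """Walk through the article's scenario; returns which controls fired."""
    fs = FinanceSystem()
    fs.grant("alice", "create_supplier")
    fs.grant("bob", "authorise_payment")
    out = {}

    try:                                   # one person asking for both duties
        fs.grant("alice", "authorise_payment")
        out["toxic_grant_blocked"] = False
    except SeparationOfDutiesError:
        out["toxic_grant_blocked"] = True

    fs.create_supplier("alice", "Acme Ltd")        # alice on-boards the supplier
    fs.authorise_payment("bob", "Acme Ltd", 5000)  # bob, a different person, pays it
    out["split_duties_flow_ok"] = fs.payments == [("Acme Ltd", "bob", 5000)]

    # Simulate a bypass of the grant check (e.g. a direct database edit) and
    # confirm the transactional check still stops self-payment.
    fs.duties["alice"].add("authorise_payment")
    try:
        fs.authorise_payment("alice", "Acme Ltd", 5000)
        out["self_payment_blocked"] = False
    except SeparationOfDutiesError:
        out["self_payment_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The second check matters in practice: role assignments drift over time, so a system that only checks at grant time will eventually hold a toxic combination somewhere. Recording who created each supplier also gives the audit trail that makes collusion between two people detectable.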

Two-Person Control

When you think of two-person control, you probably think of the two soldiers in a nuclear missile silo turning keys; or is that just me from watching the film WarGames!

In reality that is exactly what it is. Two-Person Control aims to ensure that a single sensitive duty (task) requires two people to action it.

Let’s illustrate this with an example. Say your organisation’s data backups are stored on a disk-based WORM (Write Once Read Many) vault system. When a particular archive reaches the end of its life it needs to be deleted from the system. If this duty were held by a single person, they could potentially delete all of the backups unchallenged.

Two-Person Control would mean that when a particular backup archive needs to be deleted, two people must each log on and authorise the deletion, thus reducing the risk that a rogue system administrator, or a single compromised credential (in the hands of an attacker), could act alone and cause data loss. For the control to mean anything, the two approvals must come from two separately authenticated identities; the same account approving twice is precisely the single-actor case the control exists to prevent.
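The approval workflow described above, as an added example that is not part of the original article: a deletion executes only once two different administrators have each approved it, the same identity cannot supply both approvals, and a first approval that is not confirmed within a short window expires so it cannot be completed much later without the first approver noticing. The vault, the administrator names and the five-minute window are constructed for the illustration.

```python
"""Two-person control on a destructive operation: an archive in a WORM
backup vault is only deleted once two different administrators have each
approved the deletion within a short window.  Added illustration, not code
from the article; the vault, the administrator names and the five-minute
window are constructed for the example."""

from dataclasses import dataclass, field

APPROVALS_REQUIRED = 2
APPROVAL_WINDOW_SECONDS = 300  # second approval must arrive within 5 minutes (constructed)


class TwoPersonControlError(Exception):
    """Raised when one identity tries to supply both approvals."""


@dataclass
class WormVault:
    admins: set                                   # identities allowed to approve deletions
    archives: set                                 # archive names currently held
    pending: dict = field(default_factory=dict)   # archive -> {approver: timestamp}
    audit_log: list = field(default_factory=list)

    def approve_deletion(self, user: str, archive: str, now: float) -> bool:
        """Record one approval; return True only when the deletion actually executes."""
        if user not in self.admins:
            raise PermissionError(f"{user} is not a vault administrator")
        if archive not in self.archives:
            raise KeyError(f"no such archive: {archive}")

        approvals = self.pending.setdefault(archive, {})
        # Expire stale approvals so a half-approved deletion cannot be
        # completed by a second person weeks later without the first noticing.
        for approver, when in list(approvals.items()):
            if now - when > APPROVAL_WINDOW_SECONDS:
                del approvals[approver]

        # The second approval must come from a *different* authenticated identity;
        # the same credential used twice is the single-actor case we guard against.
        if user in approvals:
            raise TwoPersonControlError(
                f"{user} has already approved deleting {archive}; a different person must confirm")
        approvals[user] = now
        self.audit_log.append(f"{now:.0f} {user} approved deletion of {archive} "
                              f"({len(approvals)}/{APPROVALS_REQUIRED})")
        if len(approvals) < APPROVALS_REQUIRED:
            return False

        self.archives.remove(archive)
        del self.pending[archive]
        self.audit_log.append(f"{now:.0f} {archive} deleted, approved by {sorted(approvals)}")
        return True


def demo() -> dict:
    """Run the article's scenario plus the two failure modes the control exists for."""
    out = {}
    vault = WormVault(admins={"alice", "bob"}, archives={"backup-2019Q1", "backup-2019Q2"})

    # One administrator alone cannot delete anything.
    out["single_approval_deletes"] = vault.approve_deletion("alice", "backup-2019Q1", now=1000.0)
    # The same administrator (or their stolen credential) cannot be the second approver.
    try:
        vault.approve_deletion("alice", "backup-2019Q1", now=1010.0)
        out["same_person_twice_rejected"] = False
    except TwoPersonControlError:
        out["same_person_twice_rejected"] = True
    # A second, different administrator completes the deletion.
    out["second_person_completes"] = vault.approve_deletion("bob", "backup-2019Q1", now=1020.0)
    out["archive_removed"] = "backup-2019Q1" not in vault.archives

    # A stale first approval is discarded, so a late second approval only counts as a first.
    vault.approve_deletion("alice", "backup-2019Q2", now=2000.0)
    out["stale_approval_deletes"] = vault.approve_deletion("bob", "backup-2019Q2", now=2000.0 + 3600)
    return out


if __name__ == "__main__":
    print(demo())
```

The time window is a design choice rather than part of the definition: without it, a single half-approved deletion left pending indefinitely quietly reduces the control back to one person for whoever comes along later.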

Need to Know

Need to Know is exactly that: does a person need to know (or need access to) a particular piece of information to do their job? If the answer is no, then they should not have access to it!

Let’s illustrate with an example. Say you have an HR department with two roles. A Senior HR Analyst is responsible for keeping personal data up to date (Name, Address, Next of Kin, etc.), making sure payroll information (i.e. employees’ bank account details, etc.) is correct, and processing payroll. A Junior HR Analyst is responsible for running reports of employee information, such as how many employees there are.

Need to Know would mean that the Junior HR Analyst has access to the information only in a very minimal way, i.e. enough to count the number of employees. They do not need to know employees’ bank details to perform their job duties, so under Need to Know they would not have access to that information.

If they did, the information would be visible to more people than actually need it, increasing the risk of its compromise.

(Principle of) Least Privilege

Least Privilege, or as it is often known the Principle of Least Privilege, is related to Need to Know. Sometimes you’ll see the two used interchangeably, but that misses a subtle difference.

If Need to Know is having only the minimal access to see/know information needed to complete one’s job, then the Principle of Least Privilege is having only the minimal ability to act on that information needed to complete one’s job.

Subtle, isn’t it? Let’s take our HR department example again: a Senior HR Analyst and a Junior HR Analyst. In this example the Senior HR Analyst needs to be able to Read and Update employee information, such as Name, Address and Next of Kin, within the HR database as part of their role.

The Junior HR Analyst only needs Read access to the HR database to verify that the employee information is correct; they don’t need to be able to alter the data (i.e. Write access).

The above is an example of the Principle of Least Privilege in action. The Senior Analyst needs Read and Write access to the HR database, but the Junior Analyst only actually needs Read access to complete their job’s duties. If the Junior Analyst had also been granted Write access to the HR database even though they didn’t need it, the risk would exist that they could accidentally or deliberately change the data, therefore risking its integrity and availability.
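The HR database example from both the Need to Know and Least Privilege sections, as an added illustration that is not part of the original article. Each role carries two separate lists: the columns it may see at all (Need to Know) and the operations it may perform (Least Privilege). The Junior HR Analyst can read names, addresses and next of kin and count employees, but bank details are projected out of every record they read and any attempt to update is refused; the Senior HR Analyst sees and updates everything. The role names, columns and the two employee records are constructed for the example.

```python
"""Need to Know and Least Privilege applied to the HR database example.
Need to Know decides *which columns* a role may see at all; Least Privilege
decides *which operations* a role may perform on them.  Added illustration,
not code from the article; the roles, columns and the two employee records
are constructed for the example."""

from dataclasses import dataclass

ALL_COLUMNS = ("name", "address", "next_of_kin", "bank_account")


@dataclass(frozen=True)
class Role:
    columns: frozenset     # Need to Know: data the role has a business reason to see
    operations: frozenset  # Least Privilege: actions the role needs on that data


ROLES = {
    # Maintains personal data and runs payroll, so must both see and change everything.
    "senior_hr_analyst": Role(frozenset(ALL_COLUMNS), frozenset({"read", "update"})),
    # Verifies personal details and produces headcount reports: needs to read,
    # never to change, and has no reason to see bank details.
    "junior_hr_analyst": Role(frozenset({"name", "address", "next_of_kin"}), frozenset({"read"})),
}


class HrDatabase:
    def __init__(self, rows: dict):
        self.rows = {emp_id: dict(row) for emp_id, row in rows.items()}

    def _role(self, role_name: str, operation: str) -> Role:
        role = ROLES[role_name]
        if operation not in role.operations:   # Least Privilege check
            raise PermissionError(f"{role_name} may not {operation}")
        return role

    def read(self, role_name: str, emp_id: int) -> dict:
        """Return the record with every column the role has no need to know removed."""
        role = self._role(role_name, "read")
        return {col: val for col, val in self.rows[emp_id].items() if col in role.columns}

    def update(self, role_name: str, emp_id: int, column: str, value: str) -> None:
        role = self._role(role_name, "update")
        if column not in role.columns:        # cannot change what you may not even see
            raise PermissionError(f"{role_name} has no need to know {column}")
        self.rows[emp_id][column] = value

    def headcount(self, role_name: str) -> int:
        self._role(role_name, "read")
        return len(self.rows)


# Constructed sample records standing in for the HR database.
SAMPLE_ROWS = {
    1: {"name": "A. Example", "address": "1 High St", "next_of_kin": "B. Example",
        "bank_account": "12-34-56 00012345"},
    2: {"name": "C. Example", "address": "2 High St", "next_of_kin": "D. Example",
        "bank_account": "65-43-21 00054321"},
}


def demo() -> dict:
    db = HrDatabase(SAMPLE_ROWS)
    out = {}
    out["junior_sees_bank_account"] = "bank_account" in db.read("junior_hr_analyst", 1)
    out["senior_sees_bank_account"] = "bank_account" in db.read("senior_hr_analyst", 1)
    out["headcount"] = db.headcount("junior_hr_analyst")
    try:
        db.update("junior_hr_analyst", 1, "address", "99 Low St")
        out["junior_update_blocked"] = False
    except PermissionError:
        out["junior_update_blocked"] = True
    db.update("senior_hr_analyst", 1, "address", "99 Low St")
    out["senior_update_applied"] = db.read("senior_hr_analyst", 1)["address"] == "99 Low St"
    return out


if __name__ == "__main__":
    print(demo())
```

Keeping the two lists separate is the point: a role can be wide on one axis and narrow on the other (the Junior Analyst sees several columns but may only read them), which is exactly the distinction the two principles draw.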

Conclusion

Hopefully this article has given you a good grasp of these four key concepts of information security, if you have any queries or comments, just ask!

