Thinking Security: The Seven Goals of Security
Author(s): Michael Kain, Posted on February 16th, 2016
This is the 13th blog in a series about security and how security is about how you think.
The first dozen blogs in this series have talked about many different threads in the security mindset from what we’re really trying to accomplish (to be secure) to how to be secure (assessment, policy, procedure, etc.). Now, I’d like to enumerate some of the real goals of security. These six goals and the secret seventh goal (which I’ll explain) are what we’re really trying to do with all that we think about.
Goal #1: Identity and Authentication
Obviously, this goal is about identifying every person or service. It also deals with validating that identity to the extent that we care about in that context. Think of it this way – if you’re going to let someone into your home, you probably want to validate that they are who they say they are – but you may not care in some contexts, for example, the FedEx or post office delivery person. In that scenario, you’re just making sure that they are who they appear to be without really asking them for specific identification. There will also be cases where there is no identity or validation (when you or the other person are anonymous, like buying something from a food truck).
Goal #2: Access Control (also known as Authorization)
This goal is about what the identity can do within the scope. Think about visiting the White House. Visitors can be in the public areas of the White House (and you have to be screened to even get there). People with valid PRESS credentials can also be in the White House Press Room. Only people who have been validated, have had their background check done and have the right job are allowed into the secure areas of the White House, like the Oval Office.
Goal #3: Data Integrity
This goal is concerned with ensuring that data has not been tampered with or changed, whether it be in storage or in transit. Think of it this way: If you got mail that had been opened, you’d notice it pretty quickly. Doing this in a non-physical way (with computers and digital data) is tougher, but we have much stronger mechanisms.
Goal #4: Confidentiality
This goal is concerned with ensuring that data is seen and interpreted only by the parties that are authorized to see it. Think of when you use your credit card at a store. You want to make sure that only the credit card issuer sees your actual credit card number. It’s logged on your receipt (but mostly hidden), and you want to make sure that neither the cashier nor anyone else in the store sees it. This is a hard problem – it usually involves encryption and a secret key to ensure that only the right people can decrypt the data.
Goal #5: Availability
This is one of the more abstract goals of security – it is to ensure that the services are always ready for valid customers and that you can tell the valid users from the ones that are just trying to waste your time. Think phony phone calls to a 911 service. If there are more phony phone calls than operators that can handle them, then there is a possibility that someone could not get the emergency service that they need. This is called a Denial of Service (DoS).
Goal #6: Non-Repudiation
This is another abstract goal of security. To put it simply, it’s to make sure that each transaction occurs once and only once. Think buying something in a store with your credit card. You want to make sure that you only get charged once for the item (not two or more times) and the store wants to make sure that you are charged once (and don’t get it for free). If you return the item, they want to see your proof of purchase and make sure that it agrees with their proof of purchase (audit log) so that they can take back the item that you were sold but didn’t need. Then they’ll modify their log and your records to show that it was taken back.
As you see, this really involves a lot of the other goals, and it also involves a lot of logging (also called auditing or audit records). To really be secure, we have to have a running record of everything happening so that we can examine it (either in real time or after something has happened) to see if everything was the way that it was supposed to be. Think of sending a package – there is a unique identifier on every package and it is tracked at every step of the way from the supplier to the destination so that you can see when it will show up or if it gets lost.
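The store scenario above, sketched as an added example (not code from the original post): a ledger that charges each transaction identifier once and only once, hands the customer a receipt, and accepts a return only when that receipt agrees with its own audit log. The Ledger class, the field names, the demo key and the use of an HMAC tag as the store's way of recognizing its own receipts are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

STORE_KEY = b"constructed-demo-key"  # assumption: secret known only to the store


class Ledger:
    """Hypothetical store ledger with a running audit log of every event."""

    def __init__(self):
        self.audit_log = []  # append-only record, examined live or after the fact
        self.state = {}      # transaction id -> "charged" or "refunded"

    def _tag(self, record):
        msg = json.dumps(record, sort_keys=True).encode()
        return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()

    def _log(self, event, txn, **fields):
        self.audit_log.append({"event": event, "txn": txn, **fields})

    def charge(self, txn_id, card_last4, amount_cents):
        # Once and only once: a repeated request must not charge again.
        if txn_id in self.state:
            self._log("duplicate_rejected", txn_id)
            return None
        record = {"txn": txn_id, "card": card_last4, "amount": amount_cents}
        self.state[txn_id] = "charged"
        self._log("charge", txn_id, card=card_last4, amount=amount_cents)
        return {**record, "tag": self._tag(record)}  # customer's proof of purchase

    def refund(self, receipt):
        record = {k: receipt.get(k) for k in ("txn", "card", "amount")}
        tag_ok = hmac.compare_digest(self._tag(record), str(receipt.get("tag", "")))
        # The customer's proof must agree with the store's proof (audit log).
        in_log = {"event": "charge", **record} in self.audit_log
        if not (tag_ok and in_log and self.state.get(record["txn"]) == "charged"):
            self._log("refund_rejected", record["txn"])
            return "rejected"
        self.state[record["txn"]] = "refunded"
        self._log("refund", record["txn"], card=record["card"], amount=record["amount"])
        return "refunded"
```

A tag made with a key only the store holds lets the store recognize its own receipts; proof that a third party could check would need a digital signature instead.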
The Secret Seventh Goal
All of these six goals of security are found in most of the security solutions that are out there. But there is a secret seventh goal of security and that is TRUST. Trust in putting your confidential and sensitive information (what the financial industry calls PII for Personally Identifiable Information) in computer systems and companies. That’s really what we’re striving for here – whether it’s using your credit or debit card at a retailer or storing your data in a ClearPath Forward mission-critical server. It does the other six goals well so that you TRUST that your data is secure.
The next entries of this blog will expand these seven goals with more details and how they fit into the security mindset. They’ll show that security really is all about how you think.