Confidentiality and access control
In continuation to my earlier post, this will continue to discuss how access control can help in establishing confidentiality.
Data confidentiality is about protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Access control is identifying one individual based on his/her identity and providing the necessary permissions to perform what he/she is entitled for.
Some examples in real-life:
- Assume you are in bank, you want to access your locker. You need to show your identity and validating against bank record by bank officials. The entire transaction is logged for auditing. Only when you are entitled to go to the locker room and having the keys to your locker you are allowed.
- You are working in manufacturing facility, where there is record room, warehouse, manufacturing, quality control lab etc., you will be provided door access only to what you are entitled to.
In information technology world access control requires 3 things Subject, Object and management of their relationship this is represented in the figure given below.
From the above picture the following are the critical aspects to understand:
- Subject would need to have access to objects which can also be termed as resources.
- Use Cases:
2.1 Users might need to access computers, files and network connections to access resources such as Internet, Servers, etc.,
2.2 One computer might be requiring access to another computer. Example:File sharing, Network Sharing
2.3 Programs might need access to file. Example: Microsoft Excel might need to have read permissions to read an employee master spreadsheet.
3. Access control is established through the combination of Authentication and Authorization.
4. Confidentiality is established when we have clear controls laid out with the help of access control on what is allowed and what is not.
5. Access control is always logged for any action of violation.
How confidentiality is violated ?
There various ways confidentiality is compromised. Here some of the major threats which prevails:
- Capturing network traffic
- Stealing of passwords
- Access to critical information using Social Engineering
- Port Scanning in computer/networks
- Shoulder Surfing
- Escalation of privileges, etc.,
- Human error
An examples of violation of confidentiality which could happen are:
- Allowing some one to have access to critical information when you leave the computer display left open without locking it or switching it off while you are not at your workplace.
- Leave printed papers on printers with critical information left printed on the printer unattended
Hope this gives a quick introduction to the subject of confidentiality. In the next post will look at the next principle Integrity of the CIA Triad.