from authenticity. We also look at authorization. So making sure that the subject is authorized to access the object, but that the subject only has the rights based on least privilege. And we've talked about the principle of least privilege. You're given the absolute minimum rights and permissions to do your job. So we want to make sure that the principle of least privilege is always followed with authorization.
Ah, that needs to be addressed. I love the CRUD operations. Love the CRUD acronym: create, read, update and delete, but again making sure that based on job requirements and role within the organization, you have just the bare minimum permissions.
And we talked about some access control models: DAC, MAC, and RBAC, RBAC standing for role-based access control.
One of the models I did not mention is RuBAC, which is rules-based access control. Rules-based access control would be used, for instance, like on firewalls or any sort of filter. Rules-based systems follow if-then logic: if traffic is coming from the 10 network, then allow it; if traffic is coming from this network, then deny it.
So that idea, based on rules, would be another way that we control access, and we require authorization before we authorize an entity, a subject, to access an object.
Okay, so some authorization requirements might be: access to highly sensitive information is limited to users with secret or top secret clearance; unauthenticated users will have read permission to public access pages. You know, whatever those requirements are that meet your needs, we have to address authorization. Accountability.
When we talk about accountability, we want to be able to trace an action to a subject. Accountability and auditing go hand in hand.
And the success of auditing is really based on the identity of the subject, and the action is gonna be mapped to the identity. So if you go back, you know, 10, 15 years ago, in many offices, there would be one user account that everybody in the office would use, and this was in smaller offices. But you might have an office of 10 people, a single account, and I won't even address the fact that that single account usually had admin, administrative privileges. We won't even go down that trail. But the problem with multiple users sharing the same account is we get no accountability. User One is an account shared by 15 people.
So who was it that actually went and modified the registry?
We don't have that knowledge because we don't have separate identities. So identities are a really important part to allow authent... I'm sorry, to allow accountability and auditing.
So accountability requirements: all failed login attempts must be logged. There must be a source ID. There must be a timestamp. Um, we could go back and add integrity requirements that say audit logs must be hashed to guarantee no modification. So you can, you know, you can reference multiple requirements at the same point in time. You know that accountability's only accountability if we can guarantee the integrity of the audit files.
How long must we retain those audit logs? How about overwriting events? What happens if the log files get full? Again, these are all requirements that we would address. All right, authorization.
So, of course, authorization is what you are authorized to do, what activities you can perform. And we've already talked about that a little bit. All right, those are the core security requirements. From there, we're going to talk about general requirements