Thursday, November 02, 2006

What Security Means

Security means that the systems have the properties of confidentiality, integrity, and availability, that users are authenticated and authorized correctly, and that transactions are non-repudiable.

The following explains each property.
  • Confidentiality - Data is only available to the people intended to access it.
  • Integrity - Data and system resources are only changed in appropriate ways by appropriate people.
  • Availability - Systems are ready when needed and perform acceptably.
  • Authentication - The identity of users is established (or you’re willing to accept anonymous users).
  • Authorization - Users are explicitly allowed or denied access to resources.
  • Nonrepudiation - Users can’t perform an action and later deny performing it.

The following maps threats to the properties that guard against them.

  • Spoofing - Authentication
  • Tampering - Integrity
  • Repudiation - Non-repudiation
  • Information disclosure - Confidentiality
  • Denial of service - Availability
  • Elevation of privilege - Authorization

Adopted from Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach.

0 Comments:

Post a Comment

<< Home