Data confidentiality, availability, controllability and integrity are the main research topics of data security technology. The theoretical basis of confidentiality is cryptography, while availability, controllability and integrity are the other essential guarantees of data security: without technical guarantees for the latter, even the strongest encryption algorithm cannot by itself ensure that data are secure. As the primary carrier of information, data play a central role in information security, and using them in a safe and controllable manner requires a combination of technical measures. These measures generally include access control technology, encryption technology, data backup and recovery technology, and system restoration technology.
Organizations must determine the appropriate access control model to adopt based on the type and sensitivity of the data they’re processing, says Wagner. There are four types of access control. Of the four types listed below, role-based access control (RBAC) is the most common model today, and the most recent is attribute-based access control (ABAC):
- Discretionary access control (DAC): With DAC models, the data owner decides on access. DAC is a means of assigning access rights based on rules that users specify.
- Mandatory access control (MAC): MAC was developed using a nondiscretionary model, in which people are granted access based on an information clearance. MAC is a policy in which access rights are assigned based on regulations from a central authority.
- Role-Based Access Control (RBAC): RBAC grants access based on a user’s role and implements key security principles such as “least privilege” and “separation of privilege.” Thus, someone attempting to access information can only access the data deemed necessary for their role.
- Attribute-Based Access Control (ABAC): In ABAC, each resource and each user is assigned a series of attributes, such as the time of day, position and location, which are used to decide whether access to a resource is granted.
An access control policy is a set of rules used to control and manage the access of subjects to objects; it reflects the security requirements of the information system. The formulation and implementation of the security policy revolve around the relationship between the subject, the object and the set of security control rules. The following principles must be followed when formulating and implementing the policy:
- Least Privilege: A subject is granted only the minimum rights it needs when it performs an operation. This restricts the subject’s authorizations as far as possible and limits the damage from unexpected events, errors and unauthorized use of the subject’s rights.
- Least Leakage: The information a subject needs to know in order to perform its task is kept to a minimum, and rights are assigned to the subject on that basis.
- Multi-level Security Strategy: Data flows and permission controls between subjects and objects are divided according to security levels (top-secret, secret, confidential, restricted and no-level). Its advantage is that it prevents the spread of sensitive information.
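The four models and the three principles above can be combined in a single policy decision. The following added example (not code from the original post; the roles, actions, departments and the Bell-LaPadula read/write convention are assumptions) checks a request against an RBAC table built on least privilege, a multi-level clearance rule using the page's security levels, and an ABAC attribute rule:

```python
from dataclasses import dataclass

# Constructed ordering of the page's security levels, lowest first
# (the page's "no-level" is written here as "unclassified").
LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2,
          "secret": 3, "top-secret": 4}

# Hypothetical RBAC table (an assumption for this example): each role is
# granted only the actions it needs, i.e. least privilege.
ROLE_PERMISSIONS = {"analyst": {"read"}, "editor": {"read", "write"}}

@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset      # RBAC roles held by the subject
    clearance: str        # key in LEVELS
    department: str       # attribute used by the ABAC rule

@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # key in LEVELS
    department: str       # attribute used by the ABAC rule

def is_allowed(subject: Subject, resource: Resource, action: str):
    """Return (decision, reason); every check must pass for access."""
    # RBAC: at least one of the subject's roles must grant the action.
    if not any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles):
        return False, "rbac: no role grants this action"
    clearance = LEVELS[subject.clearance]
    classification = LEVELS[resource.classification]
    # Multi-level security: no read above the subject's clearance, and no
    # write below it (the Bell-LaPadula convention, assumed here), so that
    # sensitive data cannot spread to a lower level.
    if action == "read" and clearance < classification:
        return False, "mls: no read up"
    if action == "write" and clearance > classification:
        return False, "mls: no write down"
    # ABAC: an attribute rule, here "subject and resource share a department".
    if subject.department != resource.department:
        return False, "abac: department mismatch"
    return True, "allowed"

# Constructed sample subjects and resources.
alice = Subject("alice", frozenset({"analyst"}), "secret", "finance")
carol = Subject("carol", frozenset({"editor"}), "secret", "finance")
report = Resource("q3-report", "confidential", "finance")
plan = Resource("plan", "top-secret", "finance")
```

Calling `is_allowed(carol, report, "write")` is refused even though the editor role permits writing, because a secret-cleared subject writing into a confidential document would let higher-level content flow downward.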
LIFARS’ CISO as a Service is designed to address organizations’ information security leadership needs. Our CISOs are highly skilled at establishing, improving, and transforming cybersecurity programs focused on maximizing business value by minimizing risks and optimizing opportunities. LIFARS’ astute Information Risk Management leaders can discern security needs, design effective solutions and programs, and deliver results while steering through challenging organizational cultures. Our more than 20 years of security, risk, and compliance leadership experience encompasses various industries and globally dispersed organizations. Below are examples of some key areas delivered via LIFARS vCISOs:
- Information Risk Management
- Cybersecurity Strategy
- Cybersecurity Governance
- Cybersecurity Operations Management