Chapter 3 - Application Environment and Security Controls Flashcards

1
Q

Application Environment and Security Controls

A

Applications typically require their own security controls to manage and measure the activities and events the application performs. These controls are needed to control and verify the integrity of the application, often a necessary task in environments where applications control critical business processes that must be audited from time to time. Without these controls it would be impossible to verify that the applications are operating properly.
The controls that are required by applications are:
- Authentication
- Authorization
- Audit logging

2
Q

Authentication

A
  • The role of authentication in verifying user identity.
  • Methods of authentication, including usernames and passwords.
  • Considerations for centralised authentication services like LDAP and Active Directory.
3
Q

Authorisation

A

Authorization is a crucial aspect of access control within applications and systems. It serves two primary purposes:

  • Determining Access: Authorization helps decide whether an individual is allowed to access a particular application or system. In other words, it verifies if a user has the right to enter and interact with the application.
  • Defining Privileges: Authorization also defines what data and functions a user is permitted to access and perform within the application. It sets the boundaries of a user’s actions based on their role and permissions.

In practice, authorization is often implemented by having an application consult a user’s profile or permissions database. This profile outlines which functions and data a user can access. However, managing authorization for complex applications with numerous functions and a large user base can be challenging. This is where Role-Based Access Control (RBAC) comes into play.

4
Q

Role-Based Access Control (RBAC)

A

RBAC is a method commonly used in larger applications to streamline and simplify access control. Here’s how it works:

  • Roles: Analysts and administrators define a set of roles, typically associated with specific job descriptions or responsibilities within the organization. For example, roles might include “Manager,” “Employee,” or “Administrator.”
  • Permissions: Each role is assigned a set of permissions or functions that individuals in that role are allowed to perform. These permissions specify what actions users can take within the application.
  • User Assignments: Users are then assigned to one or more roles based on their job roles or responsibilities. When a user is added to a role, they inherit the permissions associated with that role automatically.

By using RBAC, organisations can simplify access control management. Instead of defining permissions for each user individually, permissions are assigned to roles, and users are assigned to roles. This approach reduces administrative overhead, enhances security, and makes it easier to audit and manage access control in large applications.

5
Q

Audit Log

A

An audit log serves as a chronological record of significant events and activities that occur within an application or system. It is essential for security, compliance, and troubleshooting purposes.

  • Recording Events: Audit logs should capture all significant events and transactions, ensuring a comprehensive record of actions taken. The specific events to be logged are determined during the requirements and functional specifications stage of the software development life cycle (SDLC).

  • Required Information: Each entry in an audit log typically includes:
    - Date and time of the event (with a clear time zone).
    - User identification (e.g., username or name).
    - User’s location (e.g., terminal ID or IP address).
    - Event name or description (e.g., “Update salary”).
    - Relevant data, such as changes made in a database.
  • Data Privacy Considerations: Some regulations, like the Payment Card Industry Data Security Standard (PCI DSS), restrict the inclusion of sensitive data like credit card numbers in audit logs due to privacy concerns.
  • Protection: Audit logs must be safeguarded against alteration, destruction, or tampering. Key characteristics include being resistant to changes, immune to erasure, and having a controlled initialisation process.