The 'Big Three' of Cybersecurity Principles

Where valuable data can be found, hackers will seek to infiltrate, extract, and extort it.

Regardless of why hackers do this, it should be no surprise that data is the target!

In an age where the global economy revolves around digital technology, data is the most valuable commodity on the market.

In order to keep that very data secure, we ought to follow these three security principles...


Role Based Access Control (RBAC)

RBAC Diagram created by Rajesh Muthusamy

Role-based access control, sometimes referred to as "role-based security", is a mechanism that restricts system access according to the role a user holds in the organisation.

With RBAC, employees' job roles should correlate with the levels of access that they have, and this should be used in conjunction with Resource Classification.

Employees are therefore only allowed to access the information necessary to effectively perform their job duties, which protects sensitive data.


Examples of Roles

Because many large organizations allocate their staff into different departments / teams, access can be set up to coincide with the responsibilities of these groups.

Roles can be based on several factors, such as responsibility (e.g. Security), authority (e.g. Manager), job competency (e.g. Junior), etc.

Let's create an example: "Bob" has the job title "Senior Security Manager" and may therefore be connected to three different groups/roles (Senior, Security and Manager).

Each of these roles may grant different access permissions to resources, individually allowing access to READ different datasets, ALTER a resource, or CONTROL a function. Bob's effective access is the union of what all three roles grant, so every role should carry only the permissions that job genuinely needs.


Zero Trust

This security model is based upon the principle “Never trust, always verify” and establishes strict access controls, wherein verification is required for every access request.

Every user and device must be authenticated, and the request authorized, before access is granted to any resource; being inside the corporate network is not treated as proof of anything.

Examples of the controls that support this include Privileged Access Management (PAM), Multi-Factor Authentication (MFA) and One Time Passwords (OTP), and these may also use biometrics.


Least-Privilege

This principle limits user access to the absolute minimum level that is required to perform their job functions, and only allows users to access the resources they need, when they need them.

By limiting user access, organizations can prevent unauthorized access to sensitive data and systems, reducing the risk of data breaches and cyber attacks.

For example, a hospital receptionist will need access to book appointments for patients, but should not have access to view their case files.
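The following is an added example, not code from the article, that ties together the RBAC "Bob" example from the Roles section and the least-privilege points in this section: users are connected to roles, each role carries only the permissions that job needs, a user's effective access is the union of their active roles, and a grant can carry an expiry so that access lasts only as long as it is needed. All role names, permissions and the `oncall_admin` temporary grant are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]   # (action, resource) e.g. ("read", "case_files")

# Constructed example data (not from the article). Each role lists only what
# that job needs; nothing is granted that is not listed here (default deny).
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "security":     {("read", "security_logs"), ("read", "vuln_reports")},
    "manager":      {("read", "team_reports"), ("alter", "team_roster")},
    "senior":       {("control", "incident_playbook")},
    "oncall_admin": {("control", "firewall")},       # hypothetical time-boxed role
    "receptionist": {("read", "appointments"), ("alter", "appointments")},
    "clinician":    {("read", "case_files"), ("alter", "case_files")},
}


@dataclass
class RoleGrant:
    role: str
    expires_at: Optional[int] = None   # unix seconds; None = standing membership

    def active(self, now: int) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class User:
    name: str
    grants: List[RoleGrant] = field(default_factory=list)

    def permissions(self, now: int) -> Set[Permission]:
        """Effective access = union of the permissions of every active role."""
        perms: Set[Permission] = set()
        for grant in self.grants:
            if grant.active(now):
                perms |= ROLE_PERMISSIONS.get(grant.role, set())
        return perms


def authorize(user: User, action: str, resource: str, now: int) -> bool:
    """Default deny: allowed only if some active role explicitly carries it."""
    return (action, resource) in user.permissions(now)


def build_demo(now: int) -> Tuple[User, User]:
    # Bob: Senior Security Manager, i.e. three standing roles, plus a
    # four-hour on-call grant that expires on its own.
    bob = User("Bob", [RoleGrant("security"), RoleGrant("manager"), RoleGrant("senior")])
    bob.grants.append(RoleGrant("oncall_admin", expires_at=now + 4 * 3600))
    # Alice: hospital receptionist. Appointments only, never case files.
    alice = User("Alice", [RoleGrant("receptionist")])
    return bob, alice


if __name__ == "__main__":
    now = 1_700_000_000   # constructed "current time"
    bob, alice = build_demo(now)
    checks = [
        (bob, "read", "vuln_reports", now),
        (bob, "control", "firewall", now),
        (bob, "control", "firewall", now + 5 * 3600),   # on-call grant has expired
        (bob, "read", "case_files", now),
        (alice, "alter", "appointments", now),
        (alice, "read", "case_files", now),
    ]
    for who, action, resource, t in checks:
        ok = authorize(who, action, resource, t)
        print(f"{who.name:6} {action:8} {resource:18} t+{(t - now) // 3600}h -> {ok}")
```

Two design points worth noting: the check is membership in a set that starts empty, so an unlisted action is denied without any special-casing, and expiry is enforced at decision time rather than by a clean-up job that might not run, so a forgotten temporary grant cannot silently outlive its purpose.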


The similarities (and differences)

  • Both strategies are designed to protect access points and control access to systems.
  • Both strategies were also designed to minimize the risk of cybersecurity breaches to systems by following practices of trust removal and/or access limitation.

Zero Trust uses the "trust no one" concept, seeing every user as a potential threat, which justifies the need for verification and authentication of every user and request.

Conversely, Least Privilege doesn't itself authenticate anyone; it restricts access to "only what you need" and "only as long as you need it".


Follow every principle

In an ideal world, all three principles will be followed:

  • With Zero Trust, users won't be trusted by default, only being allowed access once they are verified and authenticated.
  • With RBAC, users will be connected to groups that correlate with their responsibility, authority and competency (e.g. Trainee Database Administrator).
  • With Least Privilege, each group that the user is connected to will have the absolute minimum access required, and access will only last as long as is deemed necessary.


Further Reading...

If you are interested in reading more, I am uploading three articles onto LinkedIn that will cover Security topics, coinciding with October being Cyber Security Awareness Month!

I will also be publishing two further articles throughout November.

These will cover a range of topics, including those listed below:

Security: The Collective Concern

  • Explaining why security must be all of our concern
  • Defining important terms, and contextualising them within the Circle of Risk
  • Outlining practices that will aid in maintaining security

"What's a 'Cyber Kill Chain' and why should I care?"

  • Expanding on each step of the Cyber Kill Chain, and the equivalent strategy employed by APTs
  • Explaining everything from Targeting / Reconnaissance to Exfiltration / Command and Control
  • Describing the best countermeasures for each step of the chain

"Who are your cyber threats? Knowing your Keyser Söze"

  • Expanding on the different types of Threat Agents
  • Explaining the difference between cyber-enabled and cyber-dependent crime
  • Outlining which countries most cyber threats come from
  • Defining what an Advanced Persistent Threat is
  • Describing the danger of insider threats
  • Clearing up the difference between white-hat (ethical) and black-hat (unethical) hackers

"The value of data: What have you got to lose?"

  • Elaborating on the societal perception of data (understanding its perceived worth)
  • Explaining the role of data brokers in the modern world
  • Illustrating the cost of a data breach (from an IBM report)
  • Outlining the financial penalties from GDPR and DORA
