4 Elementary IT Security Design Principles

… not only for business critical data!

[1] Need-to-know principle / Principle of least privilege

[2] Principle of Separation-of-duties

[3] Data isolation principle / You can’t attack what you can’t see

[4] Zero Trust Model / Bring the users to the data

These four elementary security design principles should always be applied to secure business critical data.

From my point of view, all systems should be designed such that at least principles [1] and [2] can easily be implemented. This will make the world a somewhat safer place.

The basic security design principles in a nutshell

[1] Need-to-know principle (N2K) / Principle of Least Privilege

‘Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.’

Saltzer, Jerome H., 1974, “Protection and the control of information sharing in multics”. Communications of the ACM 17 (7): 389.

Translated into a working instruction, this means:

Grant users only those privileges to data, programs, services, systems and networks which are essential to that user’s work!

[2] Principle of Separation-of-duties (SoD)

‘Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users.’

Botha, R.A.; Eloff, J.H.P., 2001, “Separation of Duties for Access Control Enforcement in Workflow Environments”, IBM Systems Journal, Volume 40, Issue 3, Pages 666–682.

The main purpose of SoD is to ensure that users cannot override security measures by granting themselves administrative rights.
Privileged access, for example, should always be granted with close reference to the SoD principle. Employees with authorized access to sensitive data must never have administrative privileges on systems in the company network, including all IT infrastructure systems such as directory services.

By strict application of the Need-to-Know (N2K) principle and the principle of Separation-of-Duties (SoD) we will get some more control over the interactions between users, data, systems and applications. Both principles should be applied to all parts of the People, Processes and Technology (PPT) program.
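The two principles turn into concrete checks once a directory of accounts and a change log are at hand. The following authorization-review script is an added example and not part of the original post: it assumes a naming convention in which group names starting with `data-` grant access to sensitive data and names starting with `admin-` grant administrative rights, a per-role baseline of required groups (N2K), and a constructed membership change log. It reports SoD violations (sensitive-data access combined with admin rights), grants beyond what a role requires, and administrators who added an admin group to their own account.

```python
"""Authorization review helpers (added example; not from the original post).

Assumed data model: every account carries a set of group names. Groups whose
name starts with "data-" grant access to sensitive data; groups starting with
"admin-" grant administrative rights. All accounts, roles and log lines below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

SENSITIVE_PREFIX = "data-"   # assumption: naming convention for data groups
ADMIN_PREFIX = "admin-"      # assumption: naming convention for admin groups


@dataclass
class Account:
    name: str
    role: str
    groups: Set[str] = field(default_factory=set)


# Constructed N2K baseline: the groups each job role legitimately needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance-clerk": {"data-payroll", "app-erp"},
    "sysadmin": {"admin-directory", "admin-servers"},
    "auditor": {"data-payroll", "data-contracts"},
}

# Constructed sample accounts as exported from a directory service.
ACCOUNTS: List[Account] = [
    Account("alice", "finance-clerk", {"data-payroll", "app-erp"}),
    Account("bob", "sysadmin", {"admin-directory", "admin-servers", "data-payroll"}),
    Account("carol", "auditor", {"data-payroll", "data-contracts", "app-erp"}),
]


def sod_violations(accounts: List[Account]) -> List[str]:
    """SoD: nobody with access to sensitive data may also hold admin rights."""
    return sorted(
        a.name for a in accounts
        if any(g.startswith(SENSITIVE_PREFIX) for g in a.groups)
        and any(g.startswith(ADMIN_PREFIX) for g in a.groups)
    )


def excess_privileges(accounts: List[Account],
                      entitlements: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """N2K: report every grant that the account's role does not require."""
    result: Dict[str, Set[str]] = {}
    for a in accounts:
        extra = a.groups - entitlements.get(a.role, set())
        if extra:
            result[a.name] = extra
    return result


# Constructed group-membership change log, one event per line:
# "<timestamp> actor=<who changed it> action=<add|remove> target=<whom> group=<group>"
CHANGE_LOG = """\
2014-06-10T09:12:00 actor=bob action=add target=alice group=app-erp
2014-06-10T17:40:00 actor=dave action=add target=dave group=admin-directory
2014-06-11T08:05:00 actor=bob action=remove target=carol group=app-erp
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the key=value log format above into one dict per event."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = {"time": parts[0]}
        rec.update(kv.split("=", 1) for kv in parts[1:])
        entries.append(rec)
    return entries


def self_grants(log_text: str) -> List[Dict[str, str]]:
    """Detect accounts that added an admin group to themselves (SoD bypass)."""
    return [
        e for e in parse_log(log_text)
        if e["action"] == "add" and e["actor"] == e["target"]
        and e["group"].startswith(ADMIN_PREFIX)
    ]


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ACCOUNTS))
    print("Excess privileges:", excess_privileges(ACCOUNTS, ROLE_ENTITLEMENTS))
    print("Self-granted admin rights:", self_grants(CHANGE_LOG))
```

Run against the constructed data, the review flags `bob` (admin rights plus payroll data), lists `bob`'s payroll access and `carol`'s ERP access as beyond their roles, and surfaces `dave`'s self-assigned directory-admin membership; in a real review the directory export and the change log would replace the inline samples.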

[3] Data Isolation Principle (DIP) / You can’t attack what you can’t see!

The basic idea of the Data Isolation Principle (DIP) is to move business critical data from the company network into a separated, trusted Core Data Services Network (CDSN).

In preparation for the isolation process, the authorizations of all employees should be reviewed. Employee access to the data in the CDSN should be granted on a need-to-know basis. In addition, allow access only from well-known computers and applications, and only during working hours. An authorization and exception process should be implemented with strict consideration of the principle of Separation-of-Duties.

[4] Zero Trust Model (ZTM) / Bring the users to the data

The Zero Trust Model (ZTM) lowers the risk that comes from the computers (endpoints) in the network used to access the CDSN. Forrester’s Zero Trust Model could be summed up in a single phrase:

Never trust a personal computer trying to access your data from whatever network!

The company-internal network should in general be treated as untrustworthy, not just when a company-owned computer that was operated outside the company network is re-connected.

Application or desktop virtualization points the way to mitigating this risk. Provide the applications used to manage the data in the CDSN through, e.g., terminal services, restrict access to the CDSN to network connections initiated from the terminal services, and reject all sessions from other computers.

Access to the applications installed on the terminal services is, of course, granted with regard to the N2K and SoD principles.
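The CDSN gate described under [3] and [4] can be written down as an ordered policy. The following access-decision function is an added example and not part of the original post; it assumes a fixed set of terminal-server host names, a list of known applications, Monday-to-Friday working hours of 08:00 to 18:00, a per-user need-to-know table, and an exception register in which a working-hours exception counts only if it is unexpired and approved by someone other than the user (SoD). Sessions from any computer other than a terminal server are rejected outright, with no exception path, as the Zero Trust Model requires.

```python
"""CDSN access gate (added example; not from the original post).

Hypothetical policy combining the Data Isolation Principle and the Zero Trust
Model: a session into the Core Data Services Network is accepted only if the
user has a need-to-know entitlement for the data set, the session originates
from a terminal server, the application is known, and the time is within
working hours or covered by an exception approved by someone else.
All hosts, users, applications and times below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Iterable, Set, Tuple

# Assumption: the only computers allowed to open sessions into the CDSN.
TERMINAL_SERVERS: Set[str] = {"ts-01.corp.example", "ts-02.corp.example"}
# Assumption: the applications published on those terminal servers.
KNOWN_APPS: Set[str] = {"erp-client", "contract-viewer"}
# Assumption: working hours are Monday to Friday, 08:00 to 18:00.
WORK_START, WORK_END = time(8, 0), time(18, 0)

# Need-to-know table: which data sets each user may reach at all (constructed).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"payroll"},
    "carol": {"payroll", "contracts"},
}


@dataclass
class HoursException:
    """Time-limited permission to work outside working hours."""
    user: str
    approver: str
    expires: datetime


@dataclass
class Request:
    user: str
    source_host: str
    application: str
    data_set: str
    when: datetime


def is_working_hours(t: datetime) -> bool:
    return t.weekday() < 5 and WORK_START <= t.time() <= WORK_END


def has_valid_exception(req: Request, exceptions: Iterable[HoursException]) -> bool:
    """An exception counts only if it belongs to this user, is unexpired and
    was approved by somebody else; self-approved entries are ignored (SoD)."""
    return any(
        e.user == req.user and e.approver != req.user and e.expires > req.when
        for e in exceptions
    )


def decide(req: Request, exceptions: Iterable[HoursException] = ()) -> Tuple[bool, str]:
    """Return (allowed, reason). The first failing check explains the denial."""
    if req.data_set not in ENTITLEMENTS.get(req.user, set()):
        return False, "no need-to-know entitlement for data set"
    if req.source_host not in TERMINAL_SERVERS:
        # Zero Trust: no exception path for sessions from other computers.
        return False, "session not initiated from a terminal server"
    if req.application not in KNOWN_APPS:
        return False, "unknown application"
    if not is_working_hours(req.when) and not has_valid_exception(req, exceptions):
        return False, "outside working hours and no approved exception"
    return True, "allowed"


if __name__ == "__main__":
    wed_morning = datetime(2014, 6, 11, 10, 0)   # a Wednesday
    print(decide(Request("alice", "ts-01.corp.example", "erp-client", "payroll", wed_morning)))
    print(decide(Request("alice", "laptop-77.corp.example", "erp-client", "payroll", wed_morning)))
    late = datetime(2014, 6, 11, 21, 0)
    ok = [HoursException("carol", "manager", datetime(2014, 6, 12))]
    print(decide(Request("carol", "ts-02.corp.example", "contract-viewer", "contracts", late), ok))
```

The order of the checks matters for what a denied user learns: the entitlement check comes first so that an unauthorized user never finds out whether their host or application would have been acceptable, and the host check has no exception branch because the point of the model is that no other computer is trusted, whatever network it sits on.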

Last change: 11 June 2014