If I asked you how do any security mechanism works?

Well any security mechanism generally works on IAAA.

  • I – Identification
  • A – Authentication
  • A – Authorization
  • A – Accountability

if you are new to Information Security, make sure to read this article first

Let me give you an example to explain all of these.

Think about a standard login page. Now there are 2 fields, the username field, and the password field, so think about it. What is the username? Username is your identity. It means who you are. That’s the main question right here. Any security mechanism needs to identify an identity.
So by entering a username, you define your identity and you answer the question that Who You Are?

The second element of this concept is the authentication. It is that password field. So you’re saying that you are Geetika, but how will you prove that identity?  You need to have authentication, you need to authenticate that thing. It may be authenticated using a password, pin or may be a fingerprint scan, Iris Scan or any other Authentication Factor. So you know there are different types of authentication mechanism, we may be studying them in some other Domain of CISSP later, but for now, just understand to make sure that the identity claim is valid, we authenticate.

After authenticate what happens? You are given some rights and some data, information, etc. Here the concept of confidentiality and maybe the integrity is coming into the play. You have been granted some rights. So now you are authorized user.

Because you now have ability to make changes and take action, any secure system also makes you accountable for them.  So here the concept of non-repudiation takes place.

Non-Repudiation is not denying from the facts which results in establishment of your accountability. Now to have non-repudiation, you also need auditing.

Let’s say you have logged into an account, but how can we prove that you logged in and you were authorized.

We need a way to confirm and prove things. Which may include things like having Logging Systems.

So for example, if you are going out of your home, a security guard my write down that, this is the time, this is the date, this is the car number and you are going outside of the home or you are coming inside the home. This is the logging part. He is making logs, which further makes auditing possible.

Anyone can just review logs by auditing, which establish your non-repudiation leading you accountable for actions, you took when you authorized, because you authenticated your identity.

You think you have grasp this concept thoroughly ? Let’s check your knowledge

So I hope it was very clear, easy and fun. Let’s continue the journey in the next chapter

This article is a part of my Last Week CISSP Book on Amazon
Also check my Free Infosec Courses on http://sagarbansal.com/courses