2. Information Security

With the advent of Internet almost two decades ago, Information Systems found themselves open the outside world, with exposure to the good, bad and ugly. As systems left their “monolithic” initial state, and became connected, they had to be able to face threats that came from outside.

Some of the basic aspects that become ubiquitous are the need to manage identities and access rights. However, those basics hide complexities that involve various aspects among which :

·        Managing Identities within systems, which involves :

o   Managing authentication secrets, such as passwords or certificates or pin codes.

o   Using Strong authentication techniques, such as physical device possession, biometrics …etc.

·        Managing Identities across systems, which in turn involve :

o   Different techniques of authenticating identities.

o   Different techniques of transferring identities between systems.

o   Sometimes having to map identities between systems, and manage password or other secret synchronization between those systems. These techniques are commonly known as Single-Sign-On (SSO).

o   Sometimes having to work with identities that come from different systems or even different organizations, with the responsibility of managing each set of identities done by different teams of organizations. This technique is commonly known as “Identity Federation”.

o  

·        Managing Authorization within systems, which in turn involves, among other things :

o   Access Control Lists, to control identities that have access to each information or resource.

o   Role based authorization, to base authorization on membership to an application role.

o   Profile based Roles and authorization.

o   Machine and zone based security through hardware or software.

o   Intrusion and unwanted behavior detection through hardware and software.

o  

Beyond those basics, especially with the growing legal imperative to protect data, other concerns are becoming more common, such as:

·        Managing exchange of confidential information, which involves :

o   Securing the channel, preventing a “man in the middle” from discovering and accessing the information.

o   Securing the information, preventing an unauthorized recipient from  viewing the information

o   Authenticating the sender, preventing a spoof from sending information as if he was someone else.

o   Ensuring non-repudiation by ensuring the user cannot deny having sent information at the time he sent it.

·        Managing the confidentiality of stored data, preventing unauthorized access as well as protecting it from users that have administrative rights over the system.

·        Managing the secrets used to secure the information.

·        Preventing malevolent input from causing the system to execute unauthorized actions or give access to information that shouldn’t be accessed.

·        Resisting to other forms of malevolent actions that can make the system bypass its built-in security.

Some systems go even beyond all the above, into dealing with critically confidential information. Many government agencies that work with state secrets, or even organizations that work with heavily guarded trade secrets, need to rise to a different level of security all together.

Achieving adequate levels of security requires knowledge, methodology as well as skills going from architecting secure systems, to building adequate implementations.

 Malek Kemmou has worked on these various aspects ever since the beginnings of Internet, and has helped secure systems and solutions throughout these years. He has worked at various levels of security requirements, from securing enterprise applications, through architecting secure critical web sites and portals, to working with government security agencies and departments that require exceptionally high levels of security. In the recent years, with the advent of biometrics and the capture of highly confidential personal information, he has helped secure both the storage and exchange of such data.

He has, for over ten years, trained and coached developers and IT professionals on various security aspects, including but not limited to, secure development techniques, Authentication and Authorization techniques, Patterns and Best Practices, Cryptography, Strong Authentication, Non-Repudiation Techniques, …etc.

news