INFORMATION ASSURANCE
AND SECURITY 2
(Key Principles of Secure
Systems)
Mary Joy M. Velasco, MIT, LPT, DIT (CAR)
KEY PRINCIPLES OF SECURE SYSTEMS
01 LIST OF FUNDAMENTAL PRINCIPLES
02 KEY ASPECTS
03 BENEFITS AND IMPLEMENTATION
Introduction
Designing secure systems involves several key
principles that ensure data integrity, confidentiality,
and availability.
Principle of Least Privilege (PoLP)
Lesson 1
1. Least Privilege
• Grant users and systems the minimum level of access—
or privileges—necessary to perform their functions. This
limits potential damage from accidents or malicious
actions.
• Least Privilege is a fundamental concept in information
security and access control. It dictates that users, systems,
and processes should be granted the minimum access or
privileges necessary to perform their required functions.
Key Aspects of Least Privilege
• User Accounts and Roles
• System and Process Permissions
• Temporary Elevation of Privileges
• Segregation of Duties
• Regular Review and Adjustment
1. User Accounts and Roles
• Users should only have access to the essential information
and resources for their job roles.
• Role-Based Access Control (RBAC) can be used to assign
privileges based on job functions.
2. System and Process Permissions
• Applications and processes should run with the least
privileges required for their tasks.
• This reduces the risk that an exploit of a particular
service could compromise the entire system.
3. Temporary Elevation of Privileges
• Users or processes should be able to temporarily
elevate their privileges when necessary, but this
elevation should be restricted in scope and time.
• For instance, a user might temporarily gain
administrative access to perform a specific task but
revert to lower privileges once the task is completed.
4. Segregation of Duties
• Critical tasks should be divided among multiple users or
systems to ensure no single point of failure or compromise.
• This segregation helps prevent insider threats and fraud by
requiring collusion for malicious activities.
5. Regular Review and Adjustment
• Regularly audit and review access controls and
privileges to ensure they remain aligned with
current roles and responsibilities.
• Remove unnecessary privileges promptly when
they are no longer needed.
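Added example (not from the slides): a minimal authorization model in Python that ties together the aspects above, namely RBAC with default deny, just-in-time elevation that is scoped to one permission and limited in time, segregation of duties (the requester cannot approve their own elevation, and an approver can only delegate a privilege they themselves hold), and a review step that drops expired elevations. Role and permission names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role table: each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "report:read"},
    "operator": {"ticket:read", "ticket:update", "service:restart"},
    "admin": {"user:create", "config:write"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Temporary elevations: permission -> expiry time (seconds since epoch).
    elevations: dict = field(default_factory=dict)

def effective_permissions(user: User, now: float) -> set:
    """Permissions from standing roles plus elevations that have not expired."""
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    perms |= {p for p, expiry in user.elevations.items() if now < expiry}
    return perms

def is_allowed(user: User, permission: str, now: float) -> bool:
    """Default deny: only an explicitly granted, still-valid permission passes."""
    return permission in effective_permissions(user, now)

def request_elevation(user: User, permission: str, approver: User,
                      now: float, ttl_seconds: int = 900) -> bool:
    """Just-in-time elevation: one permission, bounded lifetime, and approved
    by a different person who already holds that permission."""
    if approver.name == user.name:
        return False  # segregation of duties: no self-approval
    if permission not in effective_permissions(approver, now):
        return False  # an approver cannot delegate more than they hold
    user.elevations[permission] = now + ttl_seconds
    return True

def expire_elevations(user: User, now: float) -> int:
    """Regular review step: remove elevations whose window has closed."""
    stale = [p for p, expiry in user.elevations.items() if now >= expiry]
    for p in stale:
        del user.elevations[p]
    return len(stale)
```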
Benefits of Least Privilege
• Minimized Attack Surface
• Damage Containment
• Improved Stability and Reliability
• Regulatory Compliance
1. Minimized Attack Surface
• Limiting privileges reduces the number of potential
entry points for attackers.
• Fewer privileges mean fewer opportunities for
malware to exploit.
2. Damage Containment
• If an account or process is compromised, the damage
is limited to the scope of the privileges granted.
• For example, a user with limited access cannot modify
system settings or access sensitive data outside their
domain.
3. Improved Stability and Reliability
• Reducing the number of users and processes with high-level
privileges decreases the risk of accidental changes
that could destabilize the system.
• It also helps in maintaining the integrity of the system by
reducing the likelihood of errors.
4. Regulatory Compliance
• Many regulations and standards (such as GDPR, HIPAA,
and PCI-DSS) mandate the implementation of least
privilege to protect sensitive information.
• Adhering to this principle helps organizations stay
compliant with legal and regulatory requirements.
Implementing Least Privilege
• Access Control Lists (ACLs)
• User Account Management
• Privileged Access Management (PAM)
• Continuous Monitoring and Auditing
1. Access Control Lists (ACLs)
• Define and enforce permissions for users and
groups based on their roles and responsibilities.
2. User Account Management
• Create and manage user accounts with appropriate
privileges.
• Use temporary accounts or just-in-time access for
short-term needs.
3. Privileged Access Management (PAM)
• Utilize PAM tools to control and monitor access to
critical systems and data.
• Implement just-in-time access, session recording,
and auditing for privileged accounts.
4. Continuous Monitoring and Auditing
• Regularly review logs and access records to detect
and respond to any unauthorized or unusual
activities.
• Perform periodic audits to ensure that access
controls are enforced correctly.
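Added example (not from the slides): a Python review script that applies the "Continuous Monitoring and Auditing" and "Regular Review and Adjustment" steps to a constructed audit log. It flags actions performed by accounts that do not hold the matching permission, and lists granted permissions that went unused during the review window as candidates for removal. The log format, accounts and entitlements are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "timestamp user action resource" per line.
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice ticket:update TCK-1
2024-05-01T08:05:00 alice service:restart web01
2024-05-01T09:10:00 bob config:write /etc/app.conf
2024-05-02T22:41:00 carol config:write /etc/app.conf
2024-05-03T10:00:00 alice ticket:read TCK-2
"""

# Constructed entitlement list: permissions each account currently holds.
GRANTED = {
    "alice": {"ticket:read", "ticket:update", "service:restart"},
    "bob": {"config:write", "user:create"},
    "carol": {"ticket:read"},
}

def parse_log(text):
    """Turn log lines into (timestamp, user, action, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, resource))
    return events

def find_unauthorized(events, granted):
    """Actions with no matching granted permission: either enforcement failed
    or the entitlement list is stale; both need investigation."""
    return [(ts, u, a, r) for ts, u, a, r in events
            if a not in granted.get(u, set())]

def find_unused_privileges(events, granted, now, max_idle_days=30):
    """Granted permissions not exercised within the window: remove them."""
    last_used = defaultdict(lambda: None)
    for ts, u, a, _ in events:
        if last_used[(u, a)] is None or ts > last_used[(u, a)]:
            last_used[(u, a)] = ts
    cutoff = now - timedelta(days=max_idle_days)
    stale = {}
    for user, perms in granted.items():
        idle = {p for p in perms
                if last_used[(user, p)] is None or last_used[(user, p)] < cutoff}
        if idle:
            stale[user] = idle
    return stale
```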
How does the principle of least privilege (PoLP)
work?
• The principle of least privilege works by limiting
the accessible data, resources, applications and
application functions to only that which a user or
entity requires to execute their specific task or
workflow. Without incorporating the principle of
least privilege, organizations create over-privileged
users or entities that increase the potential for
breaches and misuse of critical systems and data.
• The principle of least privilege as executed within
Zero Trust Network Access 2.0 (ZTNA 2.0)
eliminates the need for administrators to think
about the network architecture or low-level
network constructs such as FQDNs, ports or
protocols, enabling fine-grained access control for
comprehensive least-privileged access.
Where to Start a PoLP Implementation
• VPN technology replacement is a good starting
point for implementing the principle of least
privilege within your organization. Replace outdated
legacy remote-access VPN technologies with a
more modern ZTNA 2.0 solution to overcome
performance bottlenecks and simplify
management.
Activity 1
Activity 2
• What do you think are the things that need to be
protected?
• Are they worth protecting?
• Based on your own understanding, define Secure
System.