The goal of a secure design is to enable a system that supports and enforces the necessary authentication, authorization, confidentiality, data integrity, accountability, availability, and non-repudiation requirements, even when the system is under attack.
Authentication system designs should automatically provide a mechanism requiring re-authentication after a period of inactivity or prior to critical operations. System designers can reuse time-tested authentication mechanisms such as Kerberos instead of building a new one.
Authorization should be conducted as an explicit check, and as necessary even after an initial authentication has been completed. Authorization depends not only on the privileges associated with an authenticated user, but also on the context of the request. The time of the request and the location of the requesting user may both need to be taken into account.
Sometimes a user's authorization for a system or service needs to be revoked, for example, when an employee leaves a company. If the authorization mechanism fails to allow for such revocation, the system is vulnerable to abuse by authenticated users exercising out-of-date authorizations.
For particularly sensitive operations, authorization may need to invoke authentication. Although authorization begins only after authentication has occurred, this requirement is not circular. Authorization of a specially sensitive operation (for example, transferring a sum of money larger than a designated threshold) may require a re-authentication or a higher level of authentication. Some policies require two people to authorize critical transactions ("two-person rule"). In such cases, it is important to ensure that the two individuals are indeed distinct; authentication by password is insufficient for this purpose.
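The following is an added example, not code from the original text, that puts the preceding points into one explicit authorization check: sessions expire after inactivity and must be re-authenticated, authorization is denied by default and also considers the time and location of the request, revoked users are rejected even with a live session, a transfer above a threshold requires a stronger (MFA) authentication level, and the two-person rule insists that the second approver is a distinct, validly authenticated principal rather than the requester re-entering a password. The timeout, threshold, locations, business hours, user names and roles are all constructed assumptions.

```python
"""Explicit, context-aware authorization check (added example; all values assumed)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple

IDLE_TIMEOUT = timedelta(minutes=15)   # assumed inactivity limit before re-authentication
STEP_UP_THRESHOLD = 10_000             # assumed: transfers above this need MFA + two-person rule
ALLOWED_LOCATIONS = {"HQ", "VPN"}      # assumed location policy
BUSINESS_HOURS = range(8, 18)          # assumed: 08:00-17:59 UTC


class AuthLevel(IntEnum):
    PASSWORD = 1
    MFA = 2


@dataclass
class Session:
    user: str
    level: AuthLevel
    last_active: datetime          # UTC timestamp of the last authenticated action


@dataclass
class Request:
    action: str
    at: datetime                   # time of the request (context)
    location: str                  # where the request comes from (context)
    amount: int = 0
    approvals: Tuple[Session, ...] = ()   # sessions of would-be second approvers


class Authorizer:
    def __init__(self, roles: Dict[str, Set[str]], revoked: Set[str]):
        self.roles = roles             # user -> set of permitted actions
        self.revoked = set(revoked)    # users whose authorization has been withdrawn

    def session_valid(self, s: Session, now: datetime) -> Optional[str]:
        """Return a denial reason, or None if the session may still be used."""
        if s.user in self.revoked:
            return f"{s.user}: authorization revoked"
        if now - s.last_active > IDLE_TIMEOUT:
            return f"{s.user}: session idle, re-authentication required"
        return None

    def authorize(self, s: Session, r: Request) -> Tuple[bool, str]:
        # 1. The session itself must still be good (revocation, inactivity).
        reason = self.session_valid(s, r.at)
        if reason:
            return False, reason
        # 2. Explicit privilege check; unknown users and actions are denied by default.
        if r.action not in self.roles.get(s.user, set()):
            return False, f"{s.user} lacks privilege for {r.action}"
        # 3. Context of the request: location and time.
        if r.location not in ALLOWED_LOCATIONS:
            return False, f"request from disallowed location {r.location}"
        if r.at.hour not in BUSINESS_HOURS:
            return False, "request outside business hours"
        # 4. Step-up: a sensitive operation needs a higher authentication level.
        if r.action == "transfer" and r.amount > STEP_UP_THRESHOLD:
            if s.level < AuthLevel.MFA:
                return False, "step-up authentication (MFA) required"
            # 5. Two-person rule: the approver must be a different principal,
            #    with a valid session, strong authentication and the approve right.
            approver = next((a for a in r.approvals if a.user != s.user), None)
            if approver is None:
                return False, "two-person rule: a distinct second approver is required"
            reason = self.session_valid(approver, r.at)
            if reason:
                return False, "approver rejected: " + reason
            if approver.level < AuthLevel.MFA or "approve_transfer" not in self.roles.get(approver.user, set()):
                return False, f"approver {approver.user} not qualified"
        return True, "allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed sessions and requests; returns each decision."""
    now = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)   # constructed clock
    late = now.replace(hour=22)
    authz = Authorizer(
        roles={"alice": {"view", "transfer"}, "bob": {"approve_transfer"}, "carol": {"view"}},
        revoked={"carol"},   # carol has left; her live session must be rejected
    )
    alice_pw = Session("alice", AuthLevel.PASSWORD, now - timedelta(minutes=2))
    alice_mfa = Session("alice", AuthLevel.MFA, now - timedelta(minutes=2))
    bob_mfa = Session("bob", AuthLevel.MFA, now - timedelta(minutes=1))
    stale = Session("alice", AuthLevel.MFA, now - timedelta(hours=1))
    carol = Session("carol", AuthLevel.MFA, now)
    alice_late = Session("alice", AuthLevel.PASSWORD, late)
    return {
        "small_ok": authz.authorize(alice_pw, Request("transfer", now, "HQ", 500)),
        "idle": authz.authorize(stale, Request("view", now, "HQ")),
        "revoked": authz.authorize(carol, Request("view", now, "HQ")),
        "needs_mfa": authz.authorize(alice_pw, Request("transfer", now, "HQ", 50_000)),
        "self_approve": authz.authorize(alice_mfa, Request("transfer", now, "HQ", 50_000, (alice_mfa,))),
        "two_person_ok": authz.authorize(alice_mfa, Request("transfer", now, "HQ", 50_000, (bob_mfa,))),
        "bad_location": authz.authorize(alice_pw, Request("view", now, "cafe-wifi")),
        "after_hours": authz.authorize(alice_late, Request("view", late, "HQ")),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The order of the checks is deliberate: session validity (revocation and idle timeout) is evaluated before any privilege lookup, so a revoked user cannot reach the privilege table at all, and the approver in the two-person rule goes through the same validity and level checks as the requester rather than being trusted because a second password was typed.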
Creating a policy that explicitly identifies different levels of classification is the first step in handling data appropriately. It is important to factor all relevant considerations into the design of a data sensitivity policy. For data on which business continuity or life depends (for example, medical data), availability is critical, and redundancy and backups to preserve data availability are mandatory.
Policy requirements and data sensitivity can change over time as the business climate evolves, as regulatory regimes change, as systems become increasingly interconnected, and as new data sources are incorporated into a system. Regularly revisiting and revising data protection policies and their design implications is essential.