Ensuring security in distributed information systems: major aspects
DOI: https://doi.org/10.30837/rt.2023.3.214.04

Keywords: distributed information system, security, confidentiality, sensitive, integrity, availability

Abstract
Ensuring the security of distributed information systems is a critical task, since these systems are used primarily to process and store large amounts of sensitive information such as financial data, medical records and personal data. Information is one of society's most important resources, and without its protection new information technologies can violate the private life of people and the activities of various organizations. In the era of Big Data, the problem of protecting sensitive data is aggravated even further, despite the large global security spending that organizations and companies around the world incur, including in order to meet the requirements of the laws and other regulations governing the activities of companies in modern conditions. Solving this problem requires a combination of legislative and organizational measures together with software and hardware. Therefore, in the current situation, taking into account (a) the current state of development of distributed information system technologies and its rapidly changing nature; (b) scientific and practical achievements in the field of information security; (c) the qualifications of attackers, who constantly improve their capabilities for malicious influence; and (d) the provisions and recommendations of various regulatory and legal acts, information systems specialists in many cases need appropriate knowledge of security issues in order to ensure the reliable and safe functioning of such systems, that is, knowledge of current methods, techniques and means of ensuring security. This paper is aimed precisely at providing such knowledge. It concisely presents a fairly wide range of issues related to the security of distributed information systems.
License
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).