In this video, you will learn to discuss the various types of security services and the technical implementation of security policies. Look at some security services in terms of security or just jump into the definition of security services. By the way, these security services and these attack classifications come from a great textbook called Network Security Essentials: Applications and Standards, written by William Stallings. Considered to be one of the classic books in security repertoires. So certainly would think that a sufficiently advanced security professional would have this textbook on their shelf.
So when we talk about security services, right? So a service is a processing or communication service that's provided by a system. This would be the enterprise, the IT infrastructure. It's designed to give a specific kind of protection to a system resource. Security services are technical implementations of security policies. We've talked about access control in an earlier module, with that and the security services that implement the security policies are implemented by the security mechanisms. So in this context, the security mechanisms are the security enforcement points that we talked about in Module 1.
The security service, enhancing the security of data processing systems and information transfers of an organization. So there's some nuances here, right? So we're going to improve, using security services, the business process of the enterprise, and we're going to protect the movement of information of an organization. So that means internal movement, database to server, and external movement, for example to a business partner. Purpose of security infrastructure is to provide defensive mechanisms against a security attack. So obviously security services are designed to enhance our ability to counter the security attacks that are presented against the enterprise.
Security services can engage and it's a one-to-many relationship between a service and a security enforcement point. This makes sense that an implementation of a technical policy can engage more than one element of a security enforcement. So often replicates capabilities in the real world. So we think about how information moves securely. We've got signatures and dates, protection from disclosure, that's why we put things in an envelope. We make sure they're not going to be destructed or destroyed or modified. We can provide authenticity through notarization or witnesses' signatures, plus the non-repudiation part of that can be accomplished from notarization or licensing.
Let's take a look at a couple of definitions, and these pull out one from ITU, the International Telecommunications Union. That's the United Nations governing body for standards worldwide. X.800: a service provided by a protocol layer of communicating open systems which ensures adequate security of the systems or of data transfers. So this means we think about the OSI protocol stack, runs from applications to presentation, sessions, through network transfer protocols, down to the physical part of that. That these layers, right, communicate with similar layers, that's the communicating to open systems, right, in another enterprise or another part of the enterprise, and protects the information of both the receiver, the transmitter, and the communication transcripts inside that.
Now, legalese, right, this Request for Comments 2828, another standard document that's maintained by the ITU: a processing or communication service provided by a system to give a specific kind of protection to system resources, more clear to be sure. So once again the 2828, a little more clear, right. Talks about implementing the services that are implemented by security enforcement points, those of specific kinds of protections and the implementation of the security policies.
So let's dive into some definitions of some specific security services that are found in the X.800 document. Now remember, we had talked about this a little bit earlier, that X.800 is an artifact of the ITU, the International Telecommunications Union. Which is not a worker's right, it is an association chartered and staffed by the United Nations to provide international standards for computer and network communications, fairly solid document. So Stallings talks about five security service categories, and the 14 specific services that are in there. So highlighted with these six elements right here. There's classic security services which we've traditionally discussed. You notice that these things are written at a very high level, I'd like to think about them written at the level of the US Constitution, subject to legal interpretation.
So the top one, right, is authentication, is concerned with ensuring that a communication is authentic. In fact, it's correct from Alice to Bob and that it is measurable, right? There's some version of this called peer entity authentication, which provides corroboration of the identity, rather, of a peer in an association. So that means Bob and Alice can authenticate each other. So Alice sends a message to Bob, and along with that goes, "Hi Bob, I'm Alice," and Bob can read the message and say, "Yes, in fact you are Alice," that is peer entity authentication. Data origin, right, is a corroboration of the source of the data. So that Bob can actually look at the message and say, "Yeah, so Alice actually sent that." So we can authenticate Alice and authenticate that the message had come from Alice. You can see those two powerful points of the authentication side.
So access control, moving down the list, right, is the ability to limit and control access to host systems and applications via communication. So this means in our context, right, computer networks, not front doors to houses and such, that the correct individuals are identified.
They are authenticated, right, their identification assertions are validated, and then they're authorized. So the three steps for access control: "Hi, I'm John." Yes, you are John, identification. Authentication is the affirmation of identification, and then the authorization is, and you are approved, John, to do the following three things. So that is a role-based access control model. There's volumes of content that's on the Internet and within IBM about how to implement an RBAC or role-based access control system.
So the third element, data confidentiality, ensures that the messages are received as sent with no duplication, insertion, modification, reordering, replay or loss. So the loss part of that, right, is that the message is not destroyed. Reordering, right, so then if the messages are describing a sequence of events, that they are coming in the correct sequence. There'd be a lot of disruption if those in fact are changed, and that modification side, that the payload of the message is changed. This is the example of let's not meet at 1:00 PM for lunch but let's meet at 11:30. Insertion. No new modifications, and duplication, that we're not sending duplicate messages to confuse Alice or Bob.
So the non-repudiation phase of this, right, is that both Alice and Bob in a message transaction can't deny that the transaction occurred. We've talked about this a little earlier about message transmission. Alice sends Bob a message. Alice can prove that Alice sent the message and Bob received it. Bob can prove that Alice sent the message and he received it. So there's no ambiguity error of not being able to authenticate a transaction. It's extremely important within financial services or for banking and for insurance that we need to be able to remove any capability of saying I didn't do that, right? So identification, authentication, confidentiality, all of that simply with that.
We talked about availability a little bit earlier on this, that the resource is accessible and usable.
So we talked about the availability, right, that the capability or the service capability being provided by the enterprise is available, that it's there. That it responds in a timely manner. Because if you can think that if you put a response in and you've got a response back the next day, that's not timely at all. So that is part of the availability part of that.