Authority Based Security with SpiderOak

Authority — Who can do what with the data in question.

Identity — To be able to understand authority, you then need to have a grasp on identity. You can’t apply rules on authority if you don’t know to whom they’re being applied.

Confidentiality — The primary use of authority is to control access to data. If your system doesn’t handle keeping data confidential, all the rules in the world can’t help you.

Integrity — You need to make sure that rules in the system don’t get modified by malicious actors, or even the data itself getting corrupted or modified.

Availability — Data is going to be there when you need it.

A security model based on a Distributed approach, by it’s very nature, enforces better data security while also reducing the risk of security breaches and compromised data.

This is represented in the graphic here. The traditional, Centralized approach allows IT services and staff to manage all aspects of the access to your data when all they are truly responsible for is the Availability of the IT infrastructure — typically meaning the uptime of the server. A Distributed approach, however, enforces a separation of the IT activity from the cryptographic activity of keeping your data secure.

To improve our overall security posture, our end goal has to be to reduce the complexity of our security approach and to place trust only where it absolutely has to be placed. A Distributed approach provides the technical tools to properly secure and manage the Authority, Identity, and Integrity/Confidentiality layers of the model.

The job of infrastructure is to provide availability, additionally, authority is misassigned and should be removed to decrease attack surface.

Cryptography allows us to minimize trust to only the components which have a mission need for it.

You may also like