Authentication and authorisation of clients is performed when clients call web APIs that facilitate access to data not authorised for release into the public domain.
Ensure authentication mechanisms are flexible and secure by supporting multiple authentication methods while phasing out weak or deprecated authenticators. For example, design authentication systems to support agile authenticator management, allowing users to adopt stronger authentication methods like hardware tokens or biometrics while smoothly deprecating insecure ones. Avoid reliance on email and SMS-based authentication, as they are classified as "restricted" by NIST 800-63 and may be removed from future security standards. Implement adaptive authentication to provide secure, user-friendly login experiences based on risk assessment. Continuously evaluate and update authentication strategies to align with evolving security best practices.
Identify and understand the types and sensitivity of data stored and processed by applications, ensuring that basic data protection measures are in place. Protect all data associated with an application based on the requirements of the most sensitive data it stores or processes. Prohibit propagation of unsanitized sensitive production data to lower (non-production) environments, focusing data protection policies on production environments. Implement security controls like encryption, backups, and controlled data sharing to prevent unauthorized access and mitigate risks.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-17-01-01-01 | Identify and Classify Data Elements | Identify all data elements processed and stored by the application. Classify these data elements based on their type and sensitivity level to ensure appropriate handling. | Preparation | Data Governance, Security Engineers |
SSS-02-17-01-01-02 | Implement Controls to Protect Sensitive Data | Implement necessary controls to protect the most sensitive data, ensuring that data is handled according to its protection requirements. | Development | Security Engineers, IT Operations |
SSS-02-17-01-01-03 | Prevent Propagation of Sensitive Data to Lower Environments | Implement controls to prevent the propagation of unsanitized sensitive data from production environments to lower (non-production) environments. This reduces the risk of exposing sensitive data during testing or development. | Development | DevOps Teams, Security Engineers |
SSS-02-17-01-01-04 | Monitor Data Handling and Fate | Maintain awareness of how sensitive data is processed and handled, ensuring it is not inadvertently shared with external partners or improperly stored in backups or lower environments. | Post-deployment | IT Operations, Security Engineers |
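
The following sketch shows one way operations 01 to 03 can fit together: a classification register, a protection level derived from the most sensitive element, and a sanitization gate for exports to lower environments. It is an added example, not part of the standard; the four sensitivity levels, the field names, the sample record and the per-level handling rules (drop, pseudonymize, pass through) are all assumptions.

```python
import hashlib
import hmac
from enum import IntEnum

class Sensitivity(IntEnum):  # assumed four-level scheme, not defined by the standard
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Constructed classification register for a hypothetical "customers" dataset.
CLASSIFICATION = {
    "customer_id": Sensitivity.INTERNAL,
    "email": Sensitivity.CONFIDENTIAL,
    "tax_number": Sensitivity.RESTRICTED,
    "country": Sensitivity.PUBLIC,
}

def required_protection_level(classification):
    """The application is protected at the level of its most sensitive element."""
    return max(classification.values())

def pseudonymize(value, key):
    """Keyed one-way token: stable across exports so joins still work in test data."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]

def sanitize_for_lower_env(record, classification, key):
    """Return a copy fit for non-production; fail closed on unclassified fields."""
    unknown = set(record) - set(classification)
    if unknown:
        raise ValueError(f"unclassified fields, export blocked: {sorted(unknown)}")
    out = {}
    for field, value in record.items():
        level = classification[field]
        if level >= Sensitivity.RESTRICTED:
            continue  # never leaves production, not even masked
        if level == Sensitivity.CONFIDENTIAL:
            out[field] = pseudonymize(value, key)
        else:
            out[field] = value
    return out

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: the real key stays in production
    row = {"customer_id": 42, "email": "alice@example.test",
           "tax_number": "000-00-000", "country": "AU"}  # constructed sample
    print(required_protection_level(CLASSIFICATION).name)
    print(sanitize_for_lower_env(row, CLASSIFICATION, key))
```

Rejecting records with unclassified fields means a newly added column cannot reach a test environment until someone has classified it.
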
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1817); OWASP Application Security Verification Standard; OWASP SAMM: Software Assurance Maturity Model (OM-1-A) | | |