From: A generic solution for web-based management of pseudonymized data
Security principle | STRIDE threat | Countermeasure (deployed) |
---|---|---|
Authenticity | Spoofing | (1) Non-delegated authentication, (2) TLS with server certificates, (3) Username/password policies, (4) Two-factor authentication, (5) IP-based filtering of requests, (6) One-time access tokens to avoid replay attacks, (7) Limit for login attempts, (8) Penetration testing, (9) Automatic logout after inactivity |
Integrity | Tampering | (1) Server hardening, (2) Penetration testing, (3) Intrusion detection system, (4) TLS with server certificates, (5) Software installation policies, (6) Audit trail, (7) Input validation |
Accountability | Repudiation | (1) Auditing and logging |
Confidentiality | Information disclosure | (1) Input validation, (2) TLS with server certificates, (3) Access restrictions to server hardware, (4) User training, (5) Encrypted backups, (6) Intrusion detection system, (7) Two-tier pseudonymization, (8) Client-side recombination of distributed data, (9) Encrypted tokens for communication between backends, (10) Penetration testing, (11) Site-based view, (12) Database encryption |
Availability | Denial of service | (1) Input validation, (2) IP-based filtering of requests, (3) Virtualization/sandboxing, (4) Redundant server hardware/RAID, (5) Backups/disaster recovery plan, (6) Automatic OS updates, (7) Firewalls and virus scanners, (8) Intrusion detection system, (9) Secure server room including UPS and fire extinguisher |
Authorization | Elevation of privilege | (1) Role-based access control (roles: physician, study nurse, monitor, researcher, lab personnel), (2) Penetration testing, (3) User account management policies, (4) Distributed authorization |
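The two confidentiality countermeasures that are specific to this architecture, two-tier pseudonymization (7) and client-side recombination of distributed data (8), are easiest to understand as data flow. The sketch below is an added example written for this page, not code from the paper or its implementation; the class names (`IdentityService`, `PseudonymService`, `ResearchDataStore`, `Client`), the in-memory dictionaries standing in for separate backends, the per-study second-tier pseudonym and the patient records are all assumptions constructed for the illustration. It shows the property the table relies on: a dump of any one backend links no identity to medical data, and only a client holding access to all three tiers can rebuild a record.

```python
"""Two-tier pseudonymization with client-side recombination (added example).

Three in-memory stand-ins for physically separated backends (constructed):
  IdentityService    IDAT (name, date of birth) -> PID, first-tier pseudonym
  PseudonymService   PID -> PSN, second-tier pseudonym, distinct per study
  ResearchDataStore  PSN -> MDAT (medical data); never sees IDAT or PID
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Idat:
    """Identifying data; all values used below are constructed sample data."""
    last_name: str
    first_name: str
    dob: str  # ISO date


def _match_key(idat: Idat) -> tuple:
    # Normalised linkage key: re-registering the same person with different
    # case or whitespace must yield the same PID, not a duplicate identity.
    return (idat.last_name.strip().lower(), idat.first_name.strip().lower(), idat.dob.strip())


class IdentityService:
    """First tier: holds IDAT, issues random PIDs that are not derived from IDAT."""
    def __init__(self):
        self._pid_by_key, self._idat_by_pid = {}, {}

    def register(self, idat: Idat) -> str:
        key = _match_key(idat)
        if key not in self._pid_by_key:
            pid = "PID-" + secrets.token_hex(8)
            self._pid_by_key[key], self._idat_by_pid[pid] = pid, idat
        return self._pid_by_key[key]

    def resolve(self, pid: str) -> Idat:
        return self._idat_by_pid[pid]


class PseudonymService:
    """Second tier: PID -> PSN per study. Holds neither IDAT nor MDAT."""
    def __init__(self):
        self._psn_by_pid, self._pid_by_psn = {}, {}  # keyed by (study, pid) / (study, psn)

    def pseudonymize(self, study: str, pid: str) -> str:
        if (study, pid) not in self._psn_by_pid:
            psn = "PSN-" + secrets.token_hex(8)  # study-specific: studies cannot be joined on PSN
            self._psn_by_pid[(study, pid)], self._pid_by_psn[(study, psn)] = psn, pid
        return self._psn_by_pid[(study, pid)]

    def depseudonymize(self, study: str, psn: str) -> str:
        return self._pid_by_psn[(study, psn)]


class ResearchDataStore:
    """Third tier: MDAT keyed only by (study, PSN)."""
    def __init__(self):
        self._visits = {}  # (study, psn) -> list of MDAT dicts

    def store(self, study: str, psn: str, mdat: dict) -> None:
        # Input validation at the boundary: a first-tier identifier smuggled
        # inside MDAT would re-link the tiers, so refuse it.
        if any("PID-" in str(v) for v in mdat.values()):
            raise ValueError("MDAT must not carry first-tier identifiers")
        self._visits.setdefault((study, psn), []).append(dict(mdat))

    def fetch(self, study: str, psn: str) -> list:
        return list(self._visits.get((study, psn), []))

    def export(self, study: str) -> dict:
        """Everything a user with access to this backend alone can see."""
        return {psn: list(v) for (s, psn), v in self._visits.items() if s == study}


class Client:
    """Recombination happens only here, on the client, never inside a backend."""
    def __init__(self, ids: IdentityService, ps: PseudonymService, rds: ResearchDataStore):
        self.ids, self.ps, self.rds = ids, ps, rds

    def add_visit(self, idat: Idat, study: str, mdat: dict) -> str:
        pid = self.ids.register(idat)
        psn = self.ps.pseudonymize(study, pid)
        self.rds.store(study, psn, mdat)
        return psn

    def recombine(self, study: str, psn: str) -> dict:
        pid = self.ps.depseudonymize(study, psn)
        return {"idat": self.ids.resolve(pid), "mdat": self.rds.fetch(study, psn)}


def demo() -> dict:
    """Constructed sample run; returns the recombined record for study A."""
    client = Client(IdentityService(), PseudonymService(), ResearchDataStore())
    alice = Idat("Doe", "Alice", "1980-01-02")
    psn_a = client.add_visit(alice, "STUDY-A", {"hba1c": 6.1})
    client.add_visit(Idat(" doe ", "ALICE", "1980-01-02"), "STUDY-A", {"hba1c": 5.9})
    client.add_visit(alice, "STUDY-B", {"ldl": 130})
    return client.recombine("STUDY-A", psn_a)


if __name__ == "__main__":
    print(demo())
```

The second-tier pseudonym is random per study rather than a keyed hash of the PID, so that even a compromised research backend plus a leaked key cannot rebuild the PID; the cost is that the mapping table itself becomes the secret and has to live in the separately protected pseudonymization service, which is exactly why the table pairs this measure with access restrictions and encrypted backend-to-backend tokens.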