Principal

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

An entity represented as a running process in a computer system.

Context

Principals are distinct from Users or Subjects in that it only exists as a running process within a digital computer. It will often have a link to a user, but not always

Problems

Usages of the terms related to the subject of an interchange are not consistent, even within a single document, so caution is advised.

Solutions

  • Access = Crispin Cowan defined a principal in the context of a “security principal”? A principal is any active entity in system with access privileges that are in any way distinct from some other component it talks to. Corollary: a principal is defined by its domain of access (the set of things it has access to). Domains of access can, and often do, overlap, but that they are different is what makes a security principal distinct. Peer identities that are at the same level, but distinct identities, are distinct security principals, such as separate apps in iOS, Android, and the Windows App Store. Conversely, processes on the Windows desktop all run as the same identity and have no protection from one another, and thus are all a single security principal.[1]
  • Responsibility = The other major purpose of the "security principal' is in the security event logs kept about accesses or changes to the computer system. The primary purpose of the log is to assign responsibility when breaches occur. It allows the identification of the individual (or at least the individual account) that created a problem, either with the running of the computer or with the change or exfiltration of information from the computer system. See the wiki page on Security Event Token.

References

  1. Alternate terms for the Principal are Consumer, User, and Subject which terms have different connotations.
  2. In the ISO glossary a PII Principal is what the GDPR calls a data Subject. The ISO terminology is NOT observed in this wiki.
    1. https://www.leviathansecurity.com/blog/the-calculus-of-threat-modelinglink title