When we are discussing accountability we need to define what that really means. An acceptable meaning would be to hold people accountable for their actions, to be able to trace all activities in the corporate environment back to the source of those activities. This means the ability to use identification, authentication, and authorization processes in order to know which user a given event is associated with and what permissions allowed them to carry it out.
It can be quite easy to criticize accountability and its associated auditing tools. It could be argued that implementing surveillance techniques is like having Big Brother watching over your every move. This might be true in certain instances - if people are monitored excessively, it is possible to create an unhealthy environment.
When people are held accountable, it can keep the corporate environment secure in several ways: it enables a principle called non-repudiation, it deters those who would otherwise misuse resources, and it detects and prevents intrusions. The processes used to ensure accountability can also assist in the preparation of materials for legal proceedings.
In digital security, non-repudiation means:
- A service that provides proof of the integrity and origin of data.
- An authentication that can be said to be genuine with high confidence.
Proof of data integrity is typically the easiest of these requirements to accomplish. A data hash such as SHA-2 usually ensures that the data will not be changed undetectably. Even with this safeguard, it is possible to tamper with data in transit, either through a man-in-the-middle attack or phishing. Because of this, data integrity is best asserted when the recipient already possesses the necessary verification information, such as after being mutually authenticated.
Common methods to provide non-repudiation in the context of digital communications or storage are Message Authentication Codes (MAC), useful when the communicating parties have arranged to use a shared secret that they both possess, and Digital Signatures, a more powerful tool that provides non-repudiation in a publicly verifiable manner. Note that the goal is not to achieve confidentiality: in both cases (MAC or digital signature), one simply appends a tag to the otherwise plaintext, visible message. If confidentiality is also required, then an encryption scheme can be combined with the digital signature, or some form of authenticated encryption could be used. Verifying the digital origin means that the certified/signed data likely came from someone who possesses the private key corresponding to the signing certificate. If the key used to digitally sign a message is not properly safeguarded by the original owner, digital forgery can occur.
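The following is an added example, not part of the original text. It contrasts the bare hash from the integrity paragraph with the shared-secret MAC described above, using Python's standard `hmac` and `hashlib` modules. The key, the messages, and the function names are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

def seal_hash(msg: bytes) -> bytes:
    """Message followed by a bare SHA-256 digest (no key involved)."""
    return msg + hashlib.sha256(msg).digest()

def check_hash(blob: bytes) -> bool:
    msg, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)

def seal_mac(key: bytes, msg: bytes) -> bytes:
    """Plaintext message followed by an HMAC-SHA256 tag; nothing is encrypted."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def check_mac(key: bytes, blob: bytes) -> bool:
    msg, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def demo() -> dict:
    shared_key = b"constructed-demo-key-not-for-use"  # constructed sample secret
    original = b"PAY 100 TO ACCOUNT 1234"             # constructed sample message
    altered = b"PAY 900 TO ACCOUNT 1234"              # same message changed in transit
    sealed = seal_mac(shared_key, original)
    return {
        # Bare hash: whoever alters the message can also recompute the digest.
        "hash_accepts_altered": check_hash(seal_hash(altered)),
        # MAC: the untouched message verifies for a holder of the shared key.
        "mac_accepts_original": check_mac(shared_key, sealed),
        # MAC: an altered message carrying the old tag is rejected.
        "mac_accepts_tampered": check_mac(shared_key, altered + sealed[-TAG_LEN:]),
        # The tag is appended to visible plaintext; there is no confidentiality.
        "plaintext_visible": sealed.startswith(original),
        # Either key holder computes a byte-identical tag, so the tag alone
        # does not show a third party which of the two parties produced it.
        "receiver_tag_identical": seal_mac(shared_key, original) == sealed,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last check is the practical difference from a digital signature: a signature is verified with a public key, so verifying it does not require the ability to create it.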