08/22/2025 1
User Authentication Protocols
• Authenticating the user is the first thing an application must do when it
receives a request: the caller's identity has to be established before any
authorisation decision is taken or any data is returned.
• Several protocols exist for authenticating users and brokering their access
to data. The ones covered here are:
• Kerberos
• Lightweight Directory Access Protocol (LDAP)
• OAuth2
• SAML
• RADIUS
Kerberos
• Kerberos is a network authentication protocol: it authenticates clients and
services to each other using symmetric cryptography and a trusted third party,
the Key Distribution Center (KDC).
• The client never sends its password to a service. It proves knowledge of its
long-term key to the KDC and receives tickets, each encrypted under a key that
only the KDC and the target service hold, together with a short-lived session key.
• The protocol was developed at MIT, which still publishes the reference
implementation and the specification (RFC 4120). It is the default
authentication protocol in Microsoft Active Directory domains.
• Advantages
1. Supported by all major operating systems (Windows, Linux, macOS) and by
common services such as SSH, HTTP and database servers.
2. Authentication material is shared as short-lived, service-bound tickets
rather than by handing the password to every service, so a compromised service
learns neither the password nor the session keys of other services.
• Disadvantages
1. Both the client and the service must be Kerberos-enabled and able to reach
the KDC, which becomes a single point of failure and a high-value target.
2. The user's long-term key is derived from the password. A weak password can
therefore be recovered by offline guessing from any captured material encrypted
under that key, so password policy matters as much as the protocol itself.
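The three exchanges described above, as an added example that is not part of the slides and not MIT's code: a client obtains a ticket-granting ticket from the AS, trades it for a service ticket at the TGS, and authenticates to the service, which authenticates back. The cipher (a SHA-256 keystream plus HMAC tag) is a stand-in for a real Kerberos encryption type, the messages are JSON rather than ASN.1, and every principal name and password is made up. A wrong password fails at the very first decryption, and a weak one is exactly what an attacker holding any of these blobs would guess against.

```python
"""Added example (not from the slides, not MIT's code): a simplified
Kerberos-style AS -> TGS -> AP exchange, stdlib only. The cipher (SHA-256
keystream + HMAC tag) stands in for a real Kerberos encryption type, the
messages are JSON rather than ASN.1, and all principals and passwords are
made up."""
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300     # seconds: authenticators outside this window are rejected
TICKET_LIFE = 600    # seconds: tickets are short-lived by design


def derive_key(password: str, principal: str) -> bytes:
    # Long-term key from the password, salted with the principal name (RFC 3962
    # uses PBKDF2 the same way). A weak password makes this key guessable offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small message (stand-in for a Kerberos etype)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(ticket: dict, session_key: bytes, authenticator: bytes) -> dict:
    # The authenticator proves possession of the session key and must be fresh.
    if ticket["exp"] < time.time():
        raise ValueError("ticket expired")
    auth = unseal(session_key, authenticator)
    if auth["client"] != ticket["client"] or abs(auth["ts"] - time.time()) > CLOCK_SKEW:
        raise ValueError("authenticator does not match the ticket or is stale")
    return auth


class KDC:
    """Holds every principal's long-term key; keys never leave the KDC."""

    def __init__(self, principals: dict):
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.tgs_key = self.keys["krbtgt/EXAMPLE.COM"]

    def as_exchange(self, client: str, nonce: int):
        """AS-REP: session key (under the client's key) + TGT (under the TGS key)."""
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "sk": sk, "exp": time.time() + TICKET_LIFE})
        return seal(self.keys[client], {"sk": sk, "nonce": nonce}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REP: a TGT plus a valid authenticator buys a ticket for `service`."""
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["sk"])
        _check_authenticator(t, sk, authenticator)
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "sk": ssk, "exp": time.time() + TICKET_LIFE})
        return seal(sk, {"sk": ssk, "service": service}), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes):
    """AP-REQ at the service: only its own key opens the ticket. The AP-REP echoes
    the timestamp under the session key, which authenticates the service back."""
    t = unseal(service_key, ticket)
    ssk = bytes.fromhex(t["sk"])
    auth = _check_authenticator(t, ssk, authenticator)
    return t["client"], seal(ssk, {"ts": auth["ts"]})


def login_and_access(kdc: KDC, client: str, password: str, service: str, service_key: bytes):
    """Client side of the whole exchange: (name the service saw, mutual auth ok)."""
    ck = derive_key(password, client)
    nonce = int.from_bytes(os.urandom(4), "big")
    enc, tgt = kdc.as_exchange(client, nonce)
    as_rep = unseal(ck, enc)        # wrong password -> wrong key -> ValueError here
    if as_rep["nonce"] != nonce:
        raise ValueError("AS-REP does not answer our request (replay?)")
    sk = bytes.fromhex(as_rep["sk"])
    enc, ticket = kdc.tgs_exchange(tgt, seal(sk, {"client": client, "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, enc)["sk"])
    ts = time.time()
    who, ap_rep = service_accept(service_key, ticket, seal(ssk, {"client": client, "ts": ts}))
    return who, unseal(ssk, ap_rep)["ts"] == ts
```

Note that the service key is handed to `service_accept` directly because the service keeps its own long-term key (in a keytab) and never talks to the KDC during the AP exchange; only the client does.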
Lightweight Directory Access Protocol
• LDAP (RFC 4511) is a protocol for reading and updating a directory: a
hierarchical database of organisations, people, groups and devices, reached
over the network (TCP port 389, or 636 for LDAP over TLS).
• It is sometimes described as "directory as a service". Microsoft Active
Directory is built on an LDAP-accessible directory, and most enterprise
identity stores speak the protocol.
• Authenticating a user with LDAP is a bind operation: the application looks up
the user's entry, then binds with that entry's distinguished name (DN) and the
user's password. A simple bind sends the password in the clear, so it must run
over TLS; a SASL bind can use Kerberos instead.
• Advantages
1. A standardised, widely implemented protocol, so applications can delegate
authentication to the directory instead of keeping their own password stores.
2. Supported by most existing software (operating-system login, mail, VPN and
web applications).
3. A directory can be partitioned and replicated across several servers.
• Disadvantages
1. Deployment requires directory-design experience (schema, tree layout,
access control lists).
2. Every directory server involved has to be LDAP-compliant.
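The lookup-then-bind sequence above means the application builds an LDAP search filter and a DN from a login name typed by the user. The following added example (not from the slides, and not any directory vendor's code) shows the escaping that has to happen before that text reaches the directory, plus the one check on the password that is easy to forget; the base DN and attribute names are made up.

```python
"""Added example (not from the slides): escaping user input when an
application builds the LDAP search filter and bind DN it uses to authenticate
a user (RFC 4515 filter escaping, RFC 4514 DN escaping). The base DN and
attribute names are made up."""

BASE_DN = "ou=people,dc=example,dc=com"   # hypothetical directory layout


def escape_filter_value(value: str) -> str:
    """RFC 4515: special characters become \\XX so a user-supplied '*' or ')'
    cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape characters that are special inside a DN attribute value."""
    value = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if value[:1] in (" ", "#"):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def user_search_filter(login: str) -> str:
    """Step 1: with a service account, find the entry whose uid equals the login."""
    if not login:
        raise ValueError("empty login")
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(login)


def user_bind_dn(login: str) -> str:
    """Step 2: the DN the application binds as, using the user's own password."""
    return "uid=%s,%s" % (escape_dn_value(login), BASE_DN)


def bind_credentials(login: str, password: str):
    """Refuse an empty password before calling the directory: RFC 4513 defines a
    simple bind with a DN and an empty password as an *unauthenticated* bind,
    which many servers accept without verifying anything."""
    if not login or not password:
        raise ValueError("empty login or password would not authenticate anyone")
    return user_bind_dn(login), password
```

In a real deployment the bind itself is issued by the LDAP client library over TLS; the point here is that the strings handed to that library are built with the two escaping rules and that an empty password never reaches the bind request.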
OAuth2
• OAuth 2.0 (RFC 6749) is an authorization framework rather than an
authentication protocol: it lets a user grant an application limited access
to resources held on an HTTP server without sharing their password. User
authentication on top of it is provided by OpenID Connect.
• The application redirects the user to the authorization server; after the
user logs in and consents, the application receives an authorization code,
exchanges it in an API call to the token endpoint for an access token, and
presents that token to the resource server with each request.
• Advantages
1. Simple for client developers, and the tokens it issues are scoped and
revocable.
2. Defined grant types cover server-side applications (authorization code) as
well as public clients, which add PKCE to bind the code to the client.
• Disadvantages
1. Several grant types and token formats have to be managed, each with its own
configuration (registered redirect URIs, state, PKCE) that must be got right.
2. Every application that trusts an authorization server is affected if that
server, or any system holding its tokens, is compromised.
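The authorization-code exchange described above, with both sides simulated in one process, as an added example that is not part of the slides and not any provider's code. It shows the two checks a practitioner wants to see: the client's `state` value rejecting a redirect it did not start, and the server's PKCE verification plus single-use codes at the token endpoint. The authorization endpoint URL, client_id, redirect URI and user name are made up.

```python
"""Added example (not from the slides): OAuth 2.0 authorization-code flow with
PKCE and a state check, client and authorization server simulated in one
process, stdlib only. Endpoint, client_id, redirect URI and user are made up."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://as.example/authorize"   # hypothetical


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    def __init__(self, registered_clients: dict):
        self.clients = registered_clients   # client_id -> exact registered redirect_uri
        self.codes = {}                     # authorization code -> what it was issued for
        self.tokens = {}                    # access token -> (user, scope)

    def authorize(self, params: dict, authenticated_user: str) -> str:
        """The user has logged in and consented; issue a code bound to this request."""
        if self.clients.get(params["client_id"]) != params["redirect_uri"]:
            raise ValueError("redirect_uri does not match the registered value")
        if params.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"],
                            "redirect_uri": params["redirect_uri"],
                            "challenge": params["code_challenge"],
                            "user": authenticated_user, "scope": params["scope"]}
        # The code and the client's own state value ride back on the redirect.
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint: the code is single-use and bound to client, redirect_uri
        and the PKCE verifier."""
        rec = self.codes.pop(form["code"], None)
        if rec is None:
            raise ValueError("unknown or already-used authorization code")
        if rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form["redirect_uri"]:
            raise ValueError("code was issued to a different client or redirect_uri")
        expected = b64url(hashlib.sha256(form["code_verifier"].encode()).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):
            raise ValueError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (rec["user"], rec["scope"])
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}

    def introspect(self, token: str):
        return self.tokens.get(token)


class Client:
    def __init__(self, client_id: str, redirect_uri: str, scope: str):
        self.client_id, self.redirect_uri, self.scope = client_id, redirect_uri, scope
        self.state = self.verifier = None

    def authorization_url(self) -> str:
        # state: per-session CSRF token. verifier: 43-128 chars kept secret until
        # the token request, so a stolen code alone cannot be redeemed.
        self.state = secrets.token_urlsafe(16)
        self.verifier = secrets.token_urlsafe(64)
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": self.scope,
            "state": self.state, "code_challenge": challenge,
            "code_challenge_method": "S256"})

    def handle_redirect(self, redirect_url: str, server: AuthorizationServer) -> dict:
        q = query_params(redirect_url)
        if not secrets.compare_digest(q.get("state", ""), self.state or ""):
            raise ValueError("state mismatch: possible CSRF or injected code")
        return server.token({"grant_type": "authorization_code", "code": q["code"],
                             "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                             "code_verifier": self.verifier})


def run_flow(server: AuthorizationServer, client: Client, user: str) -> dict:
    """Whole exchange: client -> AS (user consents) -> redirect -> token request."""
    redirect = server.authorize(query_params(client.authorization_url()), user)
    return client.handle_redirect(redirect, server)
```

The token response carries only an access token; if the application also needs to know who the user is, that is the ID token OpenID Connect adds on top of this exchange.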
SAML
• SAML stands for Security Assertion Markup Language.
• It is an XML-based standard for exchanging signed authentication and
authorisation statements, called assertions.
• The identity provider (IdP) authenticates the user and issues an assertion;
the service provider (SP) validates it and grants access. This is the basis of
most enterprise web single sign-on.
• It is a product of the OASIS Security Services Technical Committee; the
current version, SAML 2.0, was ratified in 2005.
• Advantages
1. Administrative cost is reduced: one identity and one password policy at the
IdP serve every service.
2. It provides a single sign-on for all services that trust the IdP.
• Disadvantages
1. Every service is fully dependent on the identity provider's availability
and security.
2. All data is carried in one XML format, and the SP must validate the
assertion's XML signature, audience and validity window correctly; XML
signature processing is complex to implement and to test.
RADIUS
• RADIUS stands for Remote Authentication Dial-In User Service (RFC 2865 and RFC 2866).
• It is a client/server network protocol that provides centralised authentication,
authorization and accounting (AAA), normally over UDP ports 1812 and 1813.
• Authentication confirms that users are who they say they are. Authorization gives
those users permission to access a resource. Accounting records what they used.
• The network access server (a VPN gateway, Wi-Fi controller or switch) sends the
user's credentials to the RADIUS server in an Access-Request; the server answers
with Access-Accept (carrying authorization attributes such as a VLAN or session
timeout) or Access-Reject.
• The access server then opens the session and reports its start, interim usage and
end to the server in Accounting-Request messages.
• Advantages
1. One server holds the access policy for many access devices, so an administrator
manages access centrally.
2. It provides a unique session identifier (Acct-Session-Id) for every user session,
which ties authentication and accounting records together.
• Disadvantages
1. Initial deployment is laborious on the hardware side: every access device must be
configured with the server address and a shared secret.
2. Vendor-specific attributes and deployment models vary, so a specialist team may be
required, which is costly.
3. Only the User-Password attribute is hidden, using an MD5-based scheme keyed by the
shared secret; the rest of the packet is in the clear, so RADIUS should be carried
over RadSec (TLS, RFC 6614) or IPsec on untrusted networks.
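The Access-Request / Access-Accept exchange above on the wire, as an added example that is not part of the slides and not any RADIUS vendor's code: the RFC 2865 packet layout, the User-Password hiding keyed by the shared secret, and the Response Authenticator that the access server must verify before trusting an Accept. The shared secret, user, password and NAS address are made up; the functions are pure so the whole exchange runs in-process without a socket.

```python
"""Added example (not from the slides): RFC 2865 Access-Request / Access-Accept
built and parsed by hand, stdlib only. Shows User-Password hiding, the Response
Authenticator the NAS verifies, and what the shared secret protects. Names,
secrets and addresses are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type (1) + Length (1, including this header) + Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2:
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs_bytes: bytes) -> bytes:
    # Code (1) + Identifier (1) + Length (2) + Authenticator (16) + Attributes.
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, attrs_bytes, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply
    came from a holder of the shared secret and answers this exact request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def nas_access_request(secret: bytes, username: bytes, password: bytes, ident: int = 1):
    """NAS side: fresh random Request Authenticator, password hidden under the secret."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(secret, request_auth, password)),
                          (NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))])   # made-up NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(secret: bytes, users: dict, pkt: bytes) -> bytes:
    """RADIUS server: recover the password, check it, answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    supplied = reveal_password(secret, request_auth, a[USER_PASSWORD])
    stored = users.get(a[USER_NAME].decode())
    ok = stored is not None and hmac.compare_digest(stored, supplied)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    attrs_bytes = encode_attrs([(REPLY_MESSAGE, b"Welcome" if ok else b"Denied")])
    auth = response_authenticator(resp_code, ident, attrs_bytes, request_auth, secret)
    return build_packet(resp_code, ident, auth, attrs_bytes)


def nas_verify_reply(secret: bytes, request_auth: bytes, reply: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify is dropped, never trusted."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, encode_attrs(attrs), request_auth, secret)
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code == ACCESS_ACCEPT
```

Note what the shared secret does and does not give you: it keys the password hiding and the Response Authenticator, so a server configured with a different secret produces a reply the NAS rejects, but User-Name, the NAS address and every reply attribute travel in the clear, which is why the transport caveat in the list above applies.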
Information Security Standards
• An information security standard is a series of documented
processes that define how to implement, manage, and monitor
various security controls.
• As well as providing a blueprint for mitigating risk and reducing
vulnerabilities, cybersecurity standards and
cybersecurity frameworks typically detail the necessary steps
for achieving regulatory compliance.
What are the 4 types of information
security?
• Application Security: identifying and addressing exploitable
vulnerabilities in web and mobile applications so malicious
actors can’t use them to breach a company’s network.
• Network Security: implementing the policies and controls to
protect the data and infrastructure within a company’s network
and prevent unauthorized access.
• Cloud Security: strategies and solutions to secure a company’s
off-site cloud deployment.
• Cryptography: the processes and techniques that protect data with
encryption and related primitives. Cryptography keeps sensitive
information unreadable to cybercriminals even when it is stolen in a
data breach.
Why companies need to meet information
security standards?
• There are several key reasons why it's in a company's best interest to meet
information security standards:
• Achieve regulatory compliance
• Adhering to information security standards results in companies
becoming compliant with the IT security regulations required by their
industry. Consequently, they can avoid the negative consequences of
not being compliant, such as financial penalties and legal trouble.
• Prevent cyberattacks
• Information security standards outline cybersecurity best practices so
aligning with them is an effective way for companies to approach their
information security needs. This is because meeting IT security
standards requires a company to implement the necessary measures,
processes, policies, and controls that will improve its cybersecurity
posture.
Why companies need to meet information
security standards?
• Increased awareness of risk
• Adhering to security standards requires a company’s security teams to
become more aware of cybersecurity best practices, definitions,
terminology, and, most importantly, the full extent of the cyber
threats they face. This reduces the chance of costly breaches due to
ignorance and reduces the need to undergo trial and error to
mitigate cyberattacks.
• Enhanced reputation
• Meeting information security standards displays your company’s
commitment to cybersecurity and ensuring data security – especially
when you receive certification for your efforts. This inspires confidence
with existing and potential clients, supply chain partners, etc., and
reassures them their information is secure when working with you.
Two primary information security
standards
• The two primary information security standards that companies strive to
meet are ISO 27001 and ISO 27002.
• They are issued by the International Organisation for Standardisation (ISO) –
an independent, international body that creates standards that cover
technology, manufacturing, management and more.
• ISO 27001 and 27002 are two of the key standards from the ISO 27000
Series, which consists of over 45 standards covering a wide range of
information security issues.
ISO 27001
• ISO 27001 is an information security standard that sets out the requirements
for how a company should establish, operate and continually improve an
Information Security Management System (ISMS).
• An ISMS is a governance framework: a structured suite of activities that
allows a company to manage its information security risks.
• ISO 27001 requires a risk assessment, the selection of controls to treat the
risks particular to your company (its Annex A lists the reference controls),
and the monitoring and measurement of the ongoing efficacy and performance of
those controls.
• Companies that require comprehensive guidance on improving their information
security posture benefit from how ISO 27001 consolidates the required
policies, processes, and controls into one management system.
• A company can prove its compliance with ISO 27001 through audits and
certification. These are performed by certification bodies accredited to audit
against ISO 27001; ISO itself publishes the standard but does not certify anyone.
What is the difference between ISO
27001 and NIST?
• ISO 27001 and the NIST Cyber Security Framework (CSF) are both information
security frameworks on which companies can base their cyber security policies
and controls.
• Both help a company better mitigate the risk of cyberattacks and comply with
various data security legislation. Although they essentially help companies
achieve the same thing, there are a few key differences between ISO 27001 and
NIST CSF:
• ISO (International Organisation for Standardisation) is an international non-
governmental body, while NIST (National Institute of Standards and Technology)
is an agency of the US Department of Commerce. As a result, ISO certification
has wider international recognition.
• It is possible to be certified against ISO 27001, which includes a third-party
audit. There is no certification for NIST CSF: organisations use it as
voluntary guidance and self-assess against it.
• NIST CSF is free of charge, while you have to pay for the ISO 27001
documentation and certification.
ISO 27002
• While ISO 27001 sets out the requirements for developing an ISMS, it doesn't
formally mandate which specific information security controls a company must
implement, because the required controls vary with a company's precise
information security needs. This is where ISO 27002 comes in.
• ISO 27002 complements ISO 27001 and details the information security
controls, referenced in ISO 27001, that a company might implement. Companies
can implement whichever controls are most applicable to their specific
information security risks; ISO 27002 provides best practice for selecting,
implementing, and managing those controls while accounting for the company's
risk environment.
• The controls detailed in ISO 27002 are the same ones outlined in Annex A of
ISO 27001. While both ISO 27002 and Annex A previously contained 114 controls,
the 2022 edition reorganised them into 93 controls: 58 updated controls, 24
merged controls, and 11 brand new ones.
ISO 27002
• Similarly, while the 114 controls were divided across 14 domains, the 2022
update spreads the 93 controls across the following four themes:
• Organizational
• People
• Physical
• Technological
• Additionally, unlike ISO 27001, there is no certification against ISO 27002.
This is because ISO 27002 is guidance (informative) rather than a requirements
standard (normative) like ISO 27001.
• In other words, ISO 27002's purpose is to describe the controls and how to
implement them in greater detail, rather than to prescribe requirements, as
ISO 27001 does.
What problems do you face if you don’t meet IT security standards?
• Increased risk of security breaches: as security standards outline
best practices for mitigating cybersecurity risks and keeping
information secure, not meeting them puts you at risk of suffering a
costly breach.
• Legal trouble: not adhering to IT standards can result in you being
non-compliant with industry or governmental regulations, which may
result in litigation against your company – especially in the event of a
data breach. Also, your company may be hit with restrictions that
significantly affect your day-to-day operations.
What problems do you face if you don’t meet IT security standards?
• Fines: in addition to legal trouble, your company can be hit with,
often stiff, financial penalties for failing to achieve compliance. Also,
under some regulations, like GDPR (General Data Protection
Regulation), you may be required to compensate any parties affected
by a resulting breach.
• Reputational damage: while a company can overcome legal trouble
and financial setbacks, reputational damage is more difficult to
repair. If your clients don’t feel their data is secure with your
company, they’ll look elsewhere. Similarly, if your company’s poor
security reputation precedes you, gaining the trust necessary to
attract new clients will be challenging.
Other information security standards
GDPR
• The General Data Protection Regulation (GDPR) is EU legislation rather than a
technical standard; it governs the processing of personal data and the privacy
of people in the European Union (EU). Although GDPR is European legislation, it
applies to any organisation that collects and stores the personal data of people
in the EU, regardless of where that organisation is based.
• GDPR sets out seven principles that provide an overarching framework for
handling personal data:
• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability
Other information security standards
FINRA
• Rather than an IT security standard, the Financial Industry Regulatory Authority (FINRA)
is a self-regulatory, not-for-profit organisation authorised by the US government to
regulate US broker-dealers. A crucial part of its oversight is ensuring member firms have
strong cybersecurity measures to protect their clients' sensitive data.
• FINRA's cybersecurity examinations assess member firms on areas including:
• Technology governance
• Risk assessment
• Technical controls
• Access management
• Incident response
• Supplier management
• Data loss prevention
• System change management
• Branch controls
• Employee training
• To help the firms under its purview achieve compliance, FINRA provides several
resources, including its Cybersecurity Checklist and a Checklist for Compromised Accounts.
Other information security standards
HIPAA
• The Health Insurance Portability and Accountability Act (HIPAA) applies to
the US healthcare industry; its Privacy and Security Rules set information
security requirements for how covered entities protect confidential patient
records and medical data (protected health information, PHI).
• However, HIPAA doesn't just apply to companies that directly provide
healthcare but to any "business associate" that handles protected health
information on their behalf.
• This includes law and accountancy firms, data storage and disposal
companies, and even transcription services.
Other information security standards
PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) details how
companies must handle, store and transmit payment card data.
• PCI DSS is maintained by the Payment Card Industry Security Standards
Council (PCI SSC), founded by the five major card brands: Visa, MasterCard,
American Express, Discover, and JCB International.
• Any company that stores, processes or transmits cardholder data must adhere
to PCI DSS, and the consequences of not doing so include fines, paying
compensation to victims, and litigation.
• PCI DSS groups its 12 requirements into six control objectives for companies
to implement:
1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Continuously monitor and test networks
6. Maintain an information security policy
Summary
• Several factors determine which cybersecurity standards and frameworks
your company needs to adhere to.
• This includes your industry, where you operate, and, most importantly, the
size and complexity of your attack surface and the particular risks to which
your company is exposed.