Security Controls
Overview
Security is a foundational design principle of the Secure Controlled Guns and Ammunition Inventory Management System (SCGAIMS). Given the sensitive nature of firearms and ammunition inventories, the system incorporates multiple security controls intended to strengthen accountability, prevent unauthorized access, improve auditability, and support security governance objectives.
The security architecture was developed in direct response to deficiencies identified during investigations into inventory accountability failures and unauthorized access incidents involving controlled assets.
The security controls implemented within SCGAIMS focus on:
- Identity Assurance
- Access Control
- Accountability
- Auditability
- Data Integrity
- Secure Development Practices
- Secret Management
- Operational Governance
Security Objectives
SCGAIMS was designed to support the following security objectives:
Confidentiality
Protect sensitive inventory and operational information from unauthorized disclosure.
Integrity
Prevent unauthorized modification of inventory records, investigations, and audit information.
Availability
Ensure authorized users can access system resources when required.
Accountability
Associate all significant actions with authenticated users.
Non-Repudiation
Provide evidence of user actions through audit records.
Traceability
Maintain complete visibility into inventory movement and transaction history.
Identity and Access Management
Overview
Identity and Access Management (IAM) controls regulate access to SCGAIMS resources by ensuring users are authenticated and authorized before performing operations.
The system utilizes Auth0 as its centralized Identity Provider (IdP).
Auth0 Integration
Auth0 provides:
Identity Management
Authentication
Role Assignment
Permission Management
Future MFA Support
Benefits
The use of a centralized Identity Provider:
- Reduces credential management complexity
- Supports secure authentication
- Enables centralized user administration
- Improves governance and oversight
Authentication Controls
Current Implementation
Auth0 environment configured with:
SCGAIMS API
SCGAIMS Web Application
Roles
Permissions
Users
Future Authentication Features
Planned enhancements include:
Multi-Factor Authentication (MFA)
Users will be required to provide an additional verification factor before access is granted.
Examples:
Authenticator Applications
Push Notifications
One-Time Passwords
Step-Up Authentication
High-risk operations may require re-authentication.
Examples include:
Issue Inventory
Return Inventory
Resolve Investigations
Authorization Controls
Role-Based Access Control (RBAC)
SCGAIMS implements a Role-Based Access Control model.
Permissions are assigned to roles rather than individual users.
Administrative Role
Capabilities include:
Manage Inventory
View Audit Logs
Resolve Investigations
System Administration
Supervisor Role
Capabilities include:
Review Investigations
Review Transactions
Audit Oversight
Officer Role
Capabilities include:
Issue Inventory
Return Inventory
Operational Activities
Security Benefits
RBAC supports:
- Least Privilege
- Separation of Duties
- Reduced Insider Risk
- Improved Accountability
Principle of Least Privilege
The Principle of Least Privilege (PoLP) is applied throughout the system.
Users receive only the permissions necessary to perform their operational responsibilities.
Benefits
Reduced Attack Surface
Improved Accountability
Reduced Misuse Risk
Improved Security Governance
Separation of Duties
SCGAIMS separates operational responsibilities across different user roles.
Examples include:
Officers
Issue and Return Inventory
Supervisors
Review Investigations
Administrators
Manage System Configuration
This reduces opportunities for unauthorized activity and strengthens oversight.
Inventory Validation Controls
Purpose
Inventory validation prevents invalid inventory transactions from being processed.
Issuance Validation
Before inventory is issued the system verifies:
Inventory Exists
Inventory Availability
Valid Quantity Requested
Return Validation
Before returns are processed the system verifies:
Associated Issue Record Exists
Returned Quantity Provided
Transaction Integrity
Benefits
Improved Inventory Accuracy
Reduced Data Errors
Improved Accountability
Discrepancy Detection Controls
Purpose
Discrepancy controls detect situations where returned inventory does not match originally issued inventory.
Logic
The system evaluates:
Quantity Issued
vs
Quantity Returned
Example
Issued: 120 rounds
Returned: 100 rounds
Result:
Discrepancy Flag = True
Security Benefits
Improved Accountability
Early Anomaly Detection
Improved Auditability
Improved Oversight
Investigation Controls
Purpose
Discrepancies are managed through investigation workflows.
Investigation Lifecycle
Open
Review
Resolution
Closure
Security Benefits
Formal Accountability Process
Documented Findings
Operational Oversight
Historical Retention
Audit Logging Controls
Overview
Audit logging is one of the most significant security controls within SCGAIMS.
All significant business operations generate audit records.
Logged Activities
Examples include:
Inventory Issued
Inventory Returned
Investigation Resolved
Inventory Updated
Administrative Activity
Audit Attributes
Audit records may contain:
User Identifier
Action
Timestamp
Target Entity
Additional Details
Benefits
Audit logs support:
Accountability
Investigations
Compliance Reviews
Forensic Analysis
Security Monitoring
Data Integrity Controls
Relational Database Design
SCGAIMS utilizes PostgreSQL with relational constraints.
Integrity Mechanisms
Primary Keys
Foreign Keys
Referential Integrity
Validation Rules
Benefits
Improved Consistency
Data Quality
Relationship Integrity
Reduced Data Corruption
Database Security
PostgreSQL Platform
SCGAIMS stores operational data in PostgreSQL hosted through Supabase.
Security Features
Managed Infrastructure
Access Restrictions
Cloud-Based Availability
Administrative Controls
Secret Management
Purpose
Sensitive credentials are never hardcoded within the application source code.
Environment Variables
The system utilizes environment variables for secure