The security field has grown enormously over the years, covering all aspects of IT. There are many types of security such as physical, environmental, access control, video surveillance, network security, information security and more.
All security systems have a common goal—let only authorized people in and keep all others out. Although this sounds simple, the complexities of modern IT raise significant challenges for implementing security.
Basic Security Concepts
At the heart of all security systems are three basic concepts:
- Confidentiality - This concept protects information from being disclosed to unauthorized people or systems. Encryption is used to enforce confidentiality for information both during transmission and while stored.
- Integrity - This concept protects information from unauthorized modification, whether intentional or inadvertent, and ensures the information is valid, consistent and correct. Examples of integrity breaches include virus/malware attacks, unauthorized user access, and malfunctioning processes. Several methods are typically used to enforce integrity.
- Availability - Although not normally thought of as a security concept, availability ensures users can access the information and services they are authorized to use at all times. This concept involves preventing service disruptions caused by failures of the underlying equipment, communication systems, and security systems.
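As an added illustration of the first two concepts (this is example code written for this page, not code from the original article), the Go program below uses AES-256-GCM from the standard library: the sealed output hides the record's contents, and any change to the sealed bytes is rejected before a single byte of plaintext is released, which is the integrity check in action. The key and the sample record are constructed for the demo; availability is an operational property and is not shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM and returns
// nonce || ciphertext || tag. A fresh random nonce is drawn on every call;
// reusing a nonce under the same key would void both guarantees.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, so the output
	// carries everything the receiver needs except the key.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. GCM verifies the tag before releasing any plaintext, so
// a message whose nonce, ciphertext or tag was altered yields an error and nil.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, nil)
}

// TamperDetected flips one bit near the middle of a copy of the sealed message
// (inside the ciphertext body) and reports whether Open rejected the result.
func TamperDetected(key, sealed []byte) bool {
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err := Open(key, tampered)
	return err != nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from a KMS or KDF
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("constructed sample record: account 1234 balance 500") // constructed input
	sealed, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed (hex):", hex.EncodeToString(sealed))
	plain, err := Open(key, sealed)
	fmt.Printf("opened: %q (err=%v)\n", plain, err)
	fmt.Println("tampering detected:", TamperDetected(key, sealed))
}
```

Note that the receiver never sees partial plaintext from a corrupted message: the tag check fails first and the call returns an error, which is the behaviour you want from any construction that claims both confidentiality and integrity.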
Controlling Access
Businesses must protect information and resources from unauthorized access, and be able to recognize and manage threats to their confidential information. Security is concerned with controlling and managing access to information and resources, and is accomplished using the authentication, authorization and accounting (AAA, or triple-A) framework.
Authentication is the process of verifying the identity of the client (person or system) requesting access. Typically, single-factor authentication is used in the form of a user name and a password. However, stronger access security is obtained by presenting two or more authentication factors based on ownership (a swipe card), knowledge (a PIN), or inherence (a fingerprint).
Authorization is the process of granting permission to access information and resources, and defining the actions that an authenticated user can perform. The recommended approach is to use the principle of least privilege, which grants no more access privileges than needed by the client to perform their work. The goal of authorization is to protect information and resources by restricting access to only the clients that should be authorized to use them.
Accounting is the process of tracking access and use of information and resources, including failed attempts to access and use them. At a high level, the user name or ID, access start and end times, information or resource accessed, and type of activity are captured. Although commonly used for capacity planning and charge-back purposes, the goal of the accounting process is to enforce security policies, procedures and standards. Intrusion detection systems (IDS) use real-time accounting data to detect attempted breaches.
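To show the three A's working together, here is an added Go example (written for this page, not taken from the article) that wires them into one access path: authentication checks a single knowledge factor against a salted PBKDF2-HMAC-SHA256 hash with a constant-time compare, authorization is a default-deny permission table built on least privilege, and accounting records every attempt, successful or not, so that a count of failed logins is available to an IDS-style check. The user names, roles, resources and iteration count are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

const iterations = 50000 // constructed demo value; tune higher for production

// pbkdf2SHA256 derives a 32-byte hash with PBKDF2-HMAC-SHA256. Only one output
// block is needed because 32 bytes is exactly one SHA-256 digest.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

type account struct {
	salt, hash []byte
	role       string
}

// Record is one accounting entry: who, when, what, and whether it succeeded.
type Record struct {
	When                   time.Time
	User, Resource, Action string
	Success                bool
	Reason                 string
}

type AAA struct {
	accounts map[string]account
	allow    map[string]bool // "role:resource:action"; anything absent is denied
	records  []Record
	dummy    account // hashed against for unknown names, so timing does not reveal which users exist
}

func newAccount(password, role string) account {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return account{salt: salt, hash: pbkdf2SHA256([]byte(password), salt, iterations), role: role}
}

func NewAAA() *AAA {
	a := &AAA{accounts: map[string]account{}, allow: map[string]bool{}}
	// Least privilege: each role gets only the actions its job needs (constructed roles).
	a.allow["auditor:ledger:read"] = true
	a.allow["clerk:ledger:read"] = true
	a.allow["clerk:ledger:write"] = true
	a.dummy = newAccount("unused", "none")
	return a
}

func (a *AAA) AddUser(name, password, role string) { a.accounts[name] = newAccount(password, role) }

// Authenticate verifies the knowledge factor with a constant-time comparison.
func (a *AAA) Authenticate(name, password string) bool {
	acct, ok := a.accounts[name]
	if !ok {
		acct = a.dummy
	}
	match := hmac.Equal(acct.hash, pbkdf2SHA256([]byte(password), acct.salt, iterations))
	return ok && match
}

// Authorize answers whether the user's role permits action on resource.
func (a *AAA) Authorize(name, resource, action string) bool {
	acct, ok := a.accounts[name]
	return ok && a.allow[acct.role+":"+resource+":"+action]
}

// Access runs the three steps in order and writes an accounting record either way.
func (a *AAA) Access(name, password, resource, action string) bool {
	rec := Record{When: time.Now(), User: name, Resource: resource, Action: action}
	switch {
	case !a.Authenticate(name, password):
		rec.Reason = "authentication failed"
	case !a.Authorize(name, resource, action):
		rec.Reason = "not authorized"
	default:
		rec.Success = true
	}
	a.records = append(a.records, rec)
	return rec.Success
}

func (a *AAA) Records() []Record { return a.records }

// FailedLogins counts authentication failures for a name: the real-time signal
// an IDS reads from accounting data to flag password guessing.
func (a *AAA) FailedLogins(name string) int {
	n := 0
	for _, r := range a.records {
		if r.User == name && r.Reason == "authentication failed" {
			n++
		}
	}
	return n
}

func main() {
	a := NewAAA()
	a.AddUser("alice", "correct horse battery", "auditor") // constructed user
	fmt.Println("auditor read :", a.Access("alice", "correct horse battery", "ledger", "read"))
	fmt.Println("auditor write:", a.Access("alice", "correct horse battery", "ledger", "write"))
	fmt.Println("bad password :", a.Access("alice", "guess", "ledger", "read"))
	fmt.Println("failed logins for alice:", a.FailedLogins("alice"))
	for _, r := range a.Records() {
		fmt.Printf("%s user=%s %s:%s ok=%v %s\n", r.When.Format(time.RFC3339), r.User, r.Resource, r.Action, r.Success, r.Reason)
	}
}
```

Two design points worth noticing: an unknown user name is hashed against a dummy account so that a reply arrives in the same time whether or not the name exists, and the accounting record is written on every path through Access, which is what makes the failed-login count trustworthy for detection.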
Implementing Security
There is a lot involved when implementing security. The main point is that security is more effective if it is considered when designing a service rather than as an afterthought.
Some points to consider when implementing security are:
- Security Policy (documented, distributed and enforced)
- Risk Management (assess vulnerabilities and threats)
- Regulatory Compliance (HIPAA, GLBA, PCI)
- Encryption Standards (AES, 802.11i, SSL/TLS, VPN)
- Physical and Environmental Security
- Communications and Operations Management
- Asset Management
- Access Control
- Business Continuity Management
In future articles, I'll explore specific security topics related to cloud computing, wireless networks and IT service management. For more information on implementing security in your organization, see ISO/IEC 27002 and Information Security Management System.
By Harry Hiles, HBH Technology LLC — 14 Jan 2009



