IT Security: Some Notes

A few notes on the basics of IT Security:

Introduction to Security

Main Aspects of Security

Security is concerned with preserving the value of resources.

Valuing Data

The value of data is:

The extent to which it contributes to the goals of the one who owns that data

which is the same as

The costs to the enterprise of loosing that data

The cost of security must be weighed risk of that data being compromised.

risk = (likelihood of data loss) x (cost of loss of data)

Security and Value

Security consists of:

  1. Identifying a resource that has value.
  2. Maintaining that resource.
  3. Preventing misuse of that resource.

The identification of value is a business descision.

Maintaining Resources

Integrity of Data

Maintaining data integrity is the process of ensuring that data is in a state which is consistent with expectations, the domain modelled by the system (accuracy), other data and itself. Data integrity is primarily concerned with software measures and procedural measures.

Examples of measures:

  1. Data validation.
  2. Making sure that users know if changes to the data are permanent or temporary.
  3. Protecting data from concurrency issues.
  4. Atomic transactions.

Safety of Data

The main method for keeping data safe is reliable storage of that data. Reliability is enhanced by redundancy. A backup is a relatively cheap, easy way to ensure that data can be recovered to a specified state following loss or corruption of that data.

Backups can be full or incremental.

The rules of a worthwhile backup:

  1. Have a backup
  2. Be able to identify the backup
  3. Be able to restore the backup
  4. Keep the backup secure

Of course, a backup will not be used if users are unaware of data corruption or loss.

Safety of Systems

Disaster recovery is the restoration of a system (rather than just the data) following the system’s failure.

Requirements:

  1. A backup of data
  2. Duplicate hardware / software environment
  3. Defined and tested procedures for recreating the lost environment

Preventing Misuse of Data

Authentication

Actions on data are initiated by an agent. Validity of an action is often determined by the identity of an agent. The identification of an agent is often termed authentication.

In order to verify the identity of the agent, the system can request that the information provide information about:

  • Something the agent knows: e.g. a password.
  • Something the agent has: e.g. an identity card.
  • Something the agent is: biometrics.

Authorisation

Authorisation is the process of allowing / disallowing an authenticated agent (often a user) to perform a certain action.

The action may be as simple as allowing the agent to read the data:

  • Privacy: ensuring that only authorised agents can read the data.
  • Access: ensuring that all authorised  agents can read the data.

Enforcing Complicity

An often overlooked mechanism that could be used to ensure only appropriate actions are taken on data is to enforce rules that require two or more trusted individuals to authorise action on a resource.

For example, a safe that can only be opened if both keyholders are present.

One possibility rarely implemented is to have an operator initiate a request for change that must be approved by a business manager who has has no ability to initiate the request herself.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: