Right now, no topic in IT is hotter than security. And with all the acronyms and buzzwords flying around—from IDS to social engineering to PKI—it's helpful to take a step back and examine some larger questions, such as:
- What do you need to secure and why?
- Whom do you need to secure things from?
- What methodology can you use to ensure the necessary level of security?
The last question is the one we'll be most concerned with in this article, but answering the first two questions will help us target the right solutions.
The what and why of security
The simple answer to "what" in the first question is that in IT, the primary thing you need to secure is information related to your organization. And unless you work for the government, where national security may be the biggest concern, the answer to "why" is that if you don't secure this information, it will cost your organization money by exposing trade secrets, customer data, and other confidential information, and/or it may lead to lost productivity and downtime.
The most basic answer to the second question—whom you're securing this data from—is everyone except those who are entitled to it as part of the services your organization performs. These days, you must generally distrust anyone who shouldn't be privy to this data. In particular, you need to protect against systems attackers of various flavors, from those involved in industrial espionage to hobbyists who like to break in to corporate networks so they can brag to others about how smart they are.
This leads us to our third question: What methods can you use to protect company data? The answer to this question naturally is ever-changing, as technologies advance and the ways in which people interact with those technologies evolve. But in the current Internet-connected world, the commonly accepted approach involves three processes: authentication, authorization, and encryption.
In the first part of the security equation, you want users to identify themselves and provide verification that they are who they say they are. The most common way to do this is by requiring a username and password. Unfortunately, as we all know, this is not a foolproof approach to verifying identity. Hackers can often find ways to guess passwords or use various attack methods to crack passwords.
As a result, IT departments employ various means to strengthen authentication mechanisms. The first is to train users how to select passwords that are secure and easy to remember. Once you teach your users how to set up good passwords, it's time to put a password policy in place. Then, you need to use your operating system(s) to enforce the password character requirements (such as six letters and two numbers) and the frequency in which passwords need to be changed. Windows, NetWare, and Linux/UNIX all have options for enforcing these kinds of policies.
Another problem is that most organizations have a variety of different types of systems, and many of those systems have their own username and password databases. Whenever possible, you should seek to integrate these systems so that they utilize the same authentication system, which will ease the burden on end users in terms of remembering usernames and passwords. If you maintain disparate systems, you should try to align usernames as well as password policies as much as possible.
One way of centralizing authentication is through the use of a Remote Authentication Dial-In User Service (RADIUS) server. This is a popular way of coordinating authentication and access policies by allowing remote access servers to authenticate users against a centralized database. It is also becoming a popular method for authenticating WLAN client systems on enterprise networks.
Keep in mind that no matter which protocol they use, usernames and passwords are software mechanisms for authentication. The next step in authentication technology is the integration of hardware mechanisms, which are not as easy for nefarious individuals to crack. The most common example of this comes in the form of smart cards, in which users have smart card readers at their workstations and swipe their card and enter their PIN, rather than (or in addition to) providing a username and password.
Similarly, companies such as Authenex and Aladdin are now offering two-factor authentication products in which users must supply a username/password and a USB token that contains a unique encrypted PKI-based key. Such a solution is obviously much more secure than a standard username and password.
Nevertheless, in the future, these mechanisms will likely be superceded on most networks by biometric authentication solutions, some of which are already widely available. Biometric solutions include retinal scans, facial geometry scans, fingerprint scans, and other formerly sci-fi technologies.
Once you authenticate that users are who they say they are, you want to provide them with access permission to the company resources necessary to perform their jobs. You also want to restrict them from accessing data that they have no need to use. This process of authorization is usually implemented in the form of user permissions in operating systems, devices, and applications.
As with usernames and passwords, it is best to have user permissions standardized (and centralized, if possible) across various technology platforms. In general, authorization and the technologies used to implement it are tightly bound to authentication, since a user must be identified before being authorized to have access to certain resources.
Although authentication and authorization are usually tightly integrated, encryption functions in its own sphere. It serves to complement authentication/authorization by protecting data between authorized entities, and it can work independently to protect resources in case authentication/authorization fails to protect those resources from unauthorized users.
What we commonly refer to in IT as "encryption" is actually a two-step process of encryption and decryption. Of course, encryption is the process of packaging sensitive data and decryption is the process of unpackaging it. Encryption converts data into coded ciphertext and then bundles it with an encryption key that is produced by an algorithm. Once the data reaches its destination, it can be decrypted using the proper decryption key. The strength of the encryption key determines how difficult it is for a criminal to break the encryption process without the decryption key. The stronger the encryption algorithm is, the more difficult it is to hack.
Currently, 128-bit encryption is the de facto minimum standard for strong encryption. However, stronger versions, including156-bit and 192-bit encryption, are beginning to make headway in ultrasecure environments.
Three common examples of how encryption is utilized are VPN for remote access, SSL for secure Web transactions, and EFS (Windows 2000's Encrypting File System) for locking down files and folders.
With VPN, remote users are authenticated and authorized to access remote systems, and then a secure "tunnel" is created by encapsulating and encrypting packets between the source and destination systems.
With SSL, confidential user data such as names, addresses, social security numbers, and credit cards are encrypted during data transfer between a user and a Web site to ensure secure communications.
When locking down files, as is the case in Windows 2000 with EFS, files and folders are stored in an encrypted form and can only be opened by valid users who have access to the decryption key. Special recovery agents can be created by the user who encrypts the file, which is especially valuable for securing highly confidential files even if a hard disk is stolen by a criminal. This can be a critical concern in the case of mobile laptop users who store sensitive files in their local machines.
Much of the current methodology for securing information revolves around the strategy of authentication, authorization, and encryption. In the future, new technologies we have not yet envisioned could revolutionize this methodology. However, for the time being, even advanced technologies such as biometric authentication are simply playing a supporting role in this threefold approach to security.
Understanding this underlying security paradigm and why it is used can help you grasp the larger questions of IT security and, ultimately, better design and manage a secure enterprise.