Security Overview
When we talk about security from an I.T. standpoint we are really referring to three distinct aspects. These allow us to look at the very complex problem in a modular, or broken down and simplified manner. The three aspects of Security are:
Data Confidentiality- When we talk about confidentiality we’re talking about who’s eyes are able to view the data or who’s systems are able to copy it. This is a huge issue as confidentiality issues in data security don’t always manifest themselves as problems. Take for example, a few months back a couple of government employees were fired for viewing the records of Hilary and Obama. The system alerted the proper authorities when the files were accessed, but for every 1 system correctly configured like this there are 10,000 that are not. Confidientiality of data from a personal standpoint protects people from identity theft, but from a business standpoint it is the risk of losing competitive advantage, something many companies cannot afford to do.
Data Integrity - Data integrity is referring to the data being in the same condition as you left it. Essentially this is the ability to protect your data from being tampered with either intentionally or unintentionally. It seems to me when I first started to get into computers in the late 80’s that hackers and viruses were still content to wipe your system out and frustrate you to no end. Now, however they have moved more toward destroying the confidentiality of the data and leaving it intact, but that does not mean this aspect is to be overlooked. Integrity of data is checked through md5 checksums to ensure data is not alteredĀ en route to or from storage, or during transfers.
Data Availability - Availability of data refers to the data being available to you when you want to access it. I like to tell people I can guarantee them 100% that I can keep any system in the world from ever getting a virus, the only caveat is that I get to put it down in a basement, in a safe, with no internet connection. This is a silly example, but for the purpose of showing that availability of data requires us to venture out into that deep dark world of the internet. There are a lot of security measures that can be put into place to ensure that the systems containing the data and the systems transmitting the data are kept secure. Regular patch management should be monitored on server equipment, Yes, Linux AND Windows boxes. Security audits using port scanning are a great way to ensure that the devices making your service available (yeah we call em servers, and you thought us techs just made that up) remain that way.
I hope this brief overview of how security professionals view the dangers of networking helps you as a business manager or even in your personal life shift your view and take security a little more seriously. Let me leave you with a quote.
Richard Clarke, the special adviser to the president on cyber security once told a group of security experts at the 2002 RSA convention, “If you spend more on coffee than on IT security, then you will be hacked, What’s more, you deserve to be hacked.”