Many folks think of "Web security" as little more than a leading-edge oxymoron. The Web's popular image, fueled by Hollywood and the medium's unsettling newness, is of a wild, wide-open information autobahn. Instant Web-security experts warn of viruses and on-line break-ins. News reports portray an Internet populated by hackers, data thieves and cyber-vandals. It seems scary enough to make any sensible business manager unplug the modems and seal up the firewall.
But like a lot of popular notions, it may be more virtual myth than real-world fact.
Technology-savvy businesses have discovered that with a common-sense investment in appropriate on-line security technologies, the Web can be a highly secure and cost-effective place to do business.
Welcome to WebWorks, a new column dedicated to how business can and will use the World Wide Web. Regular DM Review readers know that for several years I wrote a column addressing the challenges of designing, building and utilizing complex databases. And while we will touch on DB-related topics in future issues, our new focus on Web-based information systems reflects the changing realities of how tomorrow's enterprise will connect, communicate and transact business.
In this and future articles, we will discuss the critical issues affecting why and how businesses are migrating to the Web. Because security remains a key concern and potential cyber-crime can present a very real threat, let's first address the fundamentals of creating a secure on-line environment.
The first and most basic level of on-line security is known to millions of computer users as the login name and password. Most login names are variations on the user's actual name, which is fine in most cases: the login name is an identifier, not a secret. The password constitutes the second hurdle, and it is here that many users and system administrators fail to enforce good security practices.
Too often, passwords are poorly chosen, carelessly communicated and changed too infrequently. Users who employ common words or variations on their birth dates as passwords make it far easier for someone to crack and use their personal code. A system's password file does not hold the passwords themselves but one-way hashes of them, and basic cracking programs do not reverse the hash; they hash every word in a dictionary, plus the usual variations (capitalization, a digit tacked on the end), and compare each result against the stored hashes, which quickly exposes any password composed of everyday words. A good password is long, mixes upper- and lower-case letters, digits and special characters, and is not a dictionary word with a number appended.
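To make the point concrete, here is a small dictionary attack of the kind the previous paragraph describes, run against a constructed password file, followed by a password-quality check. This is an added illustration, not code from the column or from any product it names. Real systems use a dedicated password hash (crypt(3) on the UNIX systems of the day); the salted SHA-256 used here is an assumed stand-in so the example runs on a stock Python install, and the password file, salts and wordlist are all constructed for the example.

```python
"""Dictionary attack against a hashed password file, plus a password-quality
check. Illustrative code; the hash function is an assumed stand-in for the
operating system's real password hash, and all data below is constructed."""
import hashlib
import string


def hash_password(salt: str, password: str) -> str:
    """Salted one-way hash standing in for the system's password hash.
    Note the cracker never 'reverses' this; it only computes it forward."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed password file, one 'login:salt:hash' entry per user.
PASSWORD_FILE = [
    f"jsmith:a1:{hash_password('a1', 'sunshine')}",
    f"mjones:b2:{hash_password('b2', 'Secret1')}",
    f"admin:c3:{hash_password('c3', 'Tq7#mR2!vL')}",
]

# Constructed wordlist. Real cracking lists hold hundreds of thousands of
# words plus 'rules' that generate far more variations than shown here.
WORDLIST = ["password", "secret", "sunshine", "letmein", "welcome", "qwerty"]


def variations(word: str):
    """The everyday mutations users apply to a dictionary word."""
    yield word
    yield word.capitalize()
    for n in range(10):
        yield f"{word}{n}"
        yield f"{word.capitalize()}{n}"


def dictionary_attack(entries, wordlist):
    """Return {login: password} for every entry a wordlist guess matches."""
    cracked = {}
    for line in entries:
        login, salt, digest = line.split(":")
        for word in wordlist:
            hit = next((c for c in variations(word)
                        if hash_password(salt, c) == digest), None)
            if hit is not None:
                cracked[login] = hit
                break
    return cracked


def password_problems(password: str, wordlist=WORDLIST):
    """List the reasons a candidate password is weak; empty list = acceptable.
    The rules mirror the column's advice; the 8-character floor is assumed."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    base = password.lower().rstrip(string.digits)
    if base in wordlist:
        problems.append("dictionary word (with or without trailing digits)")
    return problems


if __name__ == "__main__":
    print("cracked:", dictionary_attack(PASSWORD_FILE, WORDLIST))
    for pw in ("sunshine", "Secret1", "Tq7#mR2!vL"):
        print(pw, "->", password_problems(pw) or "ok")
```

Running it cracks the two accounts whose passwords are a dictionary word or a capitalized word with a digit, and leaves the mixed-character password untouched; the quality check flags the same two passwords before they ever reach the password file.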
A new type of automated, time-dependent, single-use password technology recently entered the market. One such system, the SecurID Card from Security Dynamics, consists of a credit card-style token carried by each system user and server-level hardware and software access control technologies. SecurID generates a new, unpredictable access code every 60 seconds, so a code that an eavesdropper captures is worthless once it expires; the result is strong authentication in an easy, one-step process from any terminal, PC, laptop or workstation.
For even greater security, Security Dynamics makes a SecurID PINPAD token, on which the user enters a secret PIN that the token combines with its current code into the single passcode submitted at login. The passcode then depends on something the user knows (the PIN) as well as something the user holds (the token), so a stolen token alone is not enough. These authentication technologies provide a good first line of defense at the network, system, application or transaction level.
Authorization, the second level of a serious on-line security system, determines where within a network a particular user is allowed to go and what activities that user is allowed to perform. All serious operating systems have some type of authorization enforcement built in. DCE, Solaris and Microsoft NT offer Access Control Lists (ACLs). ACLs are established by system administrators and define the authorization rules for the different objects a user may need to access. Authorization rules are a combination of users, groups and types of permission.

While users and groups are an age-old concept, ACLs bring a new level of granularity to permissions. Old-style UNIX permissions allowed read, write and execute permission for exactly one owner, one group and everyone else; there is no way to give a second user or a second group its own rights to a file. Windows permissions before NT, essentially the MS-DOS file attributes, were limited to read-only and writable flags on the file and offered no per-user or per-group protection at all. ACLs let you specify separate permissions for multiple users and groups on the same object. In DCE, permissions can be given to specific users and groups as well as to effective users and groups. The types of permission are also broader and include read, write, execute, list, create, delete and administer. For example, if the object in question were a file or directory, its ACL would identify each user and group and that user's or group's permissions for that file.
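The gain in granularity is easiest to see side by side. The following added example (not code from the column, DCE, Solaris or NT) evaluates the same access request under classic UNIX mode bits and under a simplified ACL model whose entry kinds (user, group, other) and permission names follow the paragraph above; the resolution order, in which a matching user entry wins, otherwise the union of matching group entries applies, otherwise the "other" entry, is an assumption of this model and is not a faithful copy of any one system. The users, groups and file are constructed.

```python
"""Classic UNIX mode bits versus an access control list, evaluated for the
same principals. Added example with a simplified, assumed ACL model."""
from dataclasses import dataclass, field

PERMISSIONS = {"read", "write", "execute", "list", "create", "delete", "administer"}


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()


def unix_permissions(mode: int, owner: str, group: str, p: Principal) -> frozenset:
    """Rights under rwx mode bits: owner, else group, else everyone else.
    Only three identities exist, and only read/write/execute."""
    if p.name == owner:
        bits = (mode >> 6) & 7
    elif group in p.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return frozenset(name for flag, name in ((4, "read"), (2, "write"), (1, "execute"))
                     if bits & flag)


@dataclass(frozen=True)
class AclEntry:
    kind: str           # "user", "group" or "other"
    who: str            # user or group name; ignored for "other"
    perms: frozenset


@dataclass
class Acl:
    entries: list = field(default_factory=list)

    def permissions_for(self, p: Principal) -> frozenset:
        """Assumed resolution order: an entry naming the user wins outright;
        otherwise the union of every group entry the user belongs to;
        otherwise the 'other' entry; otherwise nothing."""
        for e in self.entries:
            if e.kind == "user" and e.who == p.name:
                return e.perms
        matched = [e.perms for e in self.entries
                   if e.kind == "group" and e.who in p.groups]
        if matched:
            return frozenset().union(*matched)
        for e in self.entries:
            if e.kind == "other":
                return e.perms
        return frozenset()

    def can(self, p: Principal, perm: str) -> bool:
        assert perm in PERMISSIONS, perm
        return perm in self.permissions_for(p)


# Constructed scenario: alice owns a design document in group 'devs';
# bob is an outside contractor who must edit it but must not join 'devs'.
ALICE = Principal("alice", frozenset({"devs"}))
CAROL = Principal("carol", frozenset({"devs"}))
BOB = Principal("bob", frozenset({"contractors"}))
EVE = Principal("eve")

MODE_640 = 0o640   # rw- for owner, r-- for group, --- for others

DESIGN_DOC_ACL = Acl([
    AclEntry("user", "alice", frozenset({"read", "write", "execute", "administer"})),
    AclEntry("group", "devs", frozenset({"read"})),
    AclEntry("user", "bob", frozenset({"read", "write"})),   # impossible with mode bits
    AclEntry("other", "", frozenset()),
])

if __name__ == "__main__":
    for p in (ALICE, CAROL, BOB, EVE):
        print(f"{p.name:6} unix={sorted(unix_permissions(MODE_640, 'alice', 'devs', p))}"
              f" acl={sorted(DESIGN_DOC_ACL.permissions_for(p))}")
```

Under mode bits the administrator's only options for bob are to add him to "devs" (giving him every other dev file too) or to open the file to the world; the ACL grants him read and write on this one object while carol keeps read-only and eve gets nothing.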
The final level of security is privacy, which relies on increasingly sophisticated encryption algorithms to scramble on-line data so that only the intended recipient can read it. (Protecting the integrity of that data, so that tampering in transit is detected, takes a separate mechanism such as a message authentication code or digital signature, which the better protocols bundle with the encryption.) Various key lengths are in use, from the 40-bit export-grade ciphers through 56-bit DES to the 128-bit keys of the strongest domestic browser and server products. The longer the encryption key, the more difficult and expensive it is to crack the code and steal the information: an attacker trying every key must on average test half of them, and each additional bit doubles that work. The "good guys" trying to protect sensitive data and the "bad guys" working to break privacy encryption codes are locked in an escalating privacy "arms race." Government restrictions on encryption technology, export controls in particular, must also be resolved to ensure continued advancement of Internet security.
These are the basics for any security strategy. They become increasingly important once your systems are opened to the Internet, and your organization potentially has unknown entities trying to gain access to your services. At each level, an organization must consider the "value" of the information it needs to protect, and then make an informed ROI decision about just how much security is needed to protect those assets. In my next two columns, I will discuss the finer points of managing authentication, authorization and privacy, and how to extend these technologies beyond the enterprise to create a true Virtual Private Network.