Chapter 5. Basic Security Concepts

In This Chapter:

  • Least Privilege

  • Defense in Depth

  • Diversity of Defense

  • Encryption

  • Typical Attacks

  • Key Points

There are thousands of books on computer security. They range from broad overviews written for IT managers to how-to books for system administrators to academic tomes about encryption. What they have in common is a language and set of concepts about security. It is important to understand this language as it applies to data protection. Protecting systems from intruders reduces the chance that data will be destroyed or stolen. System security must be part of the data protection strategy.

This chapter is designed to explain quickly some of this language and the key concepts. As one would expect, it does so from a data protection and storage point of view. The principles are, however, universal.


Figure 5-0.



Least Privilege

Least privilege refers to the amount of access any user, host, or processor should have to system resources. It is always best to give just the least amount of access possible to accomplish the required tasks. If a server needs to see data on only one disk in a large array, it should be restricted to read access of that one disk. Because most end-users need to access the Internet only during working hours—say, between 7 a.m. and 7 p.m.—Internet access should be limited to that period. Other end-users may have different needs, and their access would differ accordingly.

The downside of least privilege is that it can place inconvenient restrictions on people. In the example of Internet access, what happens if a person has to work a different shift and now needs access between 7 p.m. and 3 a.m.? Temporary changes can themselves lead to security problems if they are not revoked in a timely manner.

Least privilege is always preferred but not always practical. Compromises are inevitably made, but least privilege should be maintained as a policy.


Security Posture

All security plans have a posture or philosophy about security. The posture determines the approach to security throughout the organization. The two most common postures are referred to as Default DENY and Default ALLOW.

In Default DENY, if something is not explicitly allowed, it is immediately denied. The default action for all security operations is to disallow access to a resource. Least privilege encompasses Default DENY. This is a more secure posture.

Default ALLOW is the opposite; it assumes that all things are allowed unless specifically denied. Systems are completely open except for specific instances where a resource is limited or closed off. End-users find Default ALLOW more convenient.

Some plans mix the two postures. A posture of Default DENY may be assumed for inbound network operations and Default ALLOW for outbound ones. File servers may be subject to Default ALLOW, whereas database servers are subject to Default DENY. In practice, this is what usually happens. The result is a balance between letting end-users reach the resources they need and keeping hackers out.

Default DENY is still the better practice despite the limitations it places on end-users.
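The following small policy evaluator is an added illustration of the two ideas above, not code from the book: it applies least privilege (a server granted read access to a single disk, end-user Internet access limited to a daily window, and a temporary night-shift exception that lapses on its own) and shows how the same rules behave under a Default DENY posture for inbound access and a Default ALLOW posture for outbound access. All names, resources, and dates in it are constructed for the example; `Rule`, `Policy`, and the helper functions are hypothetical, not an API from any real product.

```python
"""Added example: a minimal access-policy evaluator demonstrating least
privilege and the Default DENY / Default ALLOW postures. All subjects,
resources and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Rule:
    subject: str                        # user, host or process; "*" matches any
    resource: str                       # e.g. "disk07", "internet"; "*" matches any
    action: str                         # e.g. "read", "write", "connect"
    effect: str                         # "allow" or "deny"
    start: Optional[time] = None        # daily window start (inclusive)
    end: Optional[time] = None          # daily window end (exclusive)
    expires: Optional[datetime] = None  # absolute expiry for temporary grants

    def _in_window(self, when: datetime) -> bool:
        if self.start is None or self.end is None:
            return True                 # no time restriction on this rule
        t = when.time()
        if self.start <= self.end:      # same-day window, e.g. 07:00-19:00
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # wraps midnight, e.g. 19:00-03:00

    def matches(self, subject: str, resource: str, action: str, when: datetime) -> bool:
        if (self.subject not in ("*", subject)
                or self.resource not in ("*", resource)
                or self.action not in ("*", action)):
            return False
        if self.expires is not None and when >= self.expires:
            return False                # a lapsed temporary grant no longer matches
        return self._in_window(when)


class Policy:
    """Ordered rule list plus a posture: the first matching rule wins; when no
    rule matches, the posture ("deny" = Default DENY, "allow" = Default ALLOW)
    decides."""

    def __init__(self, default: str, rules):
        if default not in ("allow", "deny"):
            raise ValueError("posture must be 'allow' or 'deny'")
        self.default = default
        self.rules = list(rules)

    def decide(self, subject: str, resource: str, action: str, when: datetime) -> str:
        for rule in self.rules:
            if rule.matches(subject, resource, action, when):
                return rule.effect
        return self.default


# Inbound / internal access under Default DENY: the application server is
# granted read access to exactly one disk; everything else is denied.
INBOUND = Policy("deny", [
    Rule("app-server", "disk07", "read", "allow"),
])

# Outbound access under Default ALLOW, with end-user Internet use limited to
# 7 a.m. - 7 p.m. and a temporary 7 p.m. - 3 a.m. exception for one user that
# expires automatically, so nobody has to remember to revoke it.
OUTBOUND = Policy("allow", [
    Rule("bob", "internet", "connect", "allow",
         start=time(19, 0), end=time(3, 0),
         expires=datetime(2024, 6, 1)),              # constructed expiry date
    Rule("*", "internet", "connect", "allow", start=time(7, 0), end=time(19, 0)),
    Rule("*", "internet", "connect", "deny"),        # outside the window
])


def check_inbound(subject: str, resource: str, action: str,
                  when: datetime = datetime(2024, 5, 15, 10, 0)) -> str:
    return INBOUND.decide(subject, resource, action, when)


def check_outbound(subject: str, when: datetime, resource: str = "internet") -> str:
    return OUTBOUND.decide(subject, resource, "connect", when)


if __name__ == "__main__":
    print("app-server read disk07 :", check_inbound("app-server", "disk07", "read"))
    print("app-server write disk07:", check_inbound("app-server", "disk07", "write"))
    print("alice internet 22:00   :", check_outbound("alice", datetime(2024, 5, 15, 22, 0)))
    print("bob internet 22:00     :", check_outbound("bob", datetime(2024, 5, 15, 22, 0)))
    print("bob internet after exp :", check_outbound("bob", datetime(2024, 6, 10, 22, 0)))
```

The ordering of rules carries the posture: under Default DENY the inbound list needs only the grants, while the outbound list must spell out the denial for off-hours Internet use because anything unmatched is allowed. The `expires` field is what makes the temporary shift change safe in the sense the text describes: once the date passes, the exception simply stops matching and the general off-hours denial applies again.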
