What Does Security Mean?


Security is designing and implementing ways to protect important corporate assets. The definition of assets can cover a wide range of physical items like corporate data or Web pages, but may also include other things, like a company's reputation. Defining application security is a process that includes infrastructure deployment issues, business requirements, and even legal requirements. It is important to remember that security is an ever-evolving and never-ending part of the development process.

A secure infrastructure is made up of a variety of individual elements that work together. These smaller, interdependent pieces compose the core of what security is about. Below is a list of the concepts that you should keep in mind when designing secure applications:

Authentication: Authentication addresses the question of who you are. This is the process that any application or operating system uses to determine the unique identity of a security principal. Authentication includes challenge-response, Kerberos, or even custom-designed security schemes that can be implemented to answer this question.

Authorization: Authorization addresses the question of what an authenticated principal is able to do. This process determines the specific resources and operations an authenticated client is permitted to use, within the scope of the application or operating system. Authorized resources include Web Services, databases, and InfoPath. Within these resources, authorization is extended to include smaller elements like the individual properties and methods.

Accountability: Accountability addresses the question of what you did when accessing a resource. This process provides a tracking mechanism or event log of what actions occurred. By definition, this is the end result of the completion of a security-restricted action.

Data Integrity: Data integrity addresses the question of whether data is protected from unauthorized modification. This becomes an extremely important concern as data passes across enterprise borders or unfamiliar networks. This is a common scenario for the use of digital signatures and even cryptography to ensure that the data isn't viewable or modifiable.

System Availability: System availability addresses the question of whether systems are highly available for legitimate authenticated users. A complete discussion of this topic is beyond the scope of this book and extends to protecting specific infrastructure assets from denial-of-service (DoS) attacks and other common attacks that attempt to spoof or overwhelm a system.




Programming Microsoft Infopath: A Developers Guide
ISBN: 1584504536
EAN: 2147483647
Year: 2006
Pages: 111
Authors: Thom Robbins
