Last year I wrote a couple of pieces which talked about the security of transactions, addressing the user, the network and the data. It was part of a presentation I used in Barcelona to persuade some VCs to invest in Kinamik, who I was then with. I certainly thought it was along the right lines then, and I still think it's relevant, although I need to update the ideas.
Here's a copy of the table I referred to as my Transaction Security table:
| Network | Wireless, Load balancers | Firewalls, IPS, etc. | Anti-Virus, Change Control Mechanisms, Digital Signatures |
| Data | Access Controls | Encryption | Digital Signatures |
Most people involved in using IT of any kind will be familiar with authentication: entering usernames and passwords. Most of us do this many times a day, in fact. We need to do this to make sure we are who we say we are, to prove our integrity. We then need to be authorised to continue our journey in the network, which allows us into the areas we are permitted to view and use. The confidentiality of the network and data is at stake if authorisation is not in place. The network and data therefore need access controls, to stop unauthorised access and permit authorised access; this is availability.
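To make the three gates concrete, here is a small added example (my own illustration, not code from the original post or from Kinamik) that runs one transaction through authentication, authorisation and a data-integrity check. The user store, roles, salt and keys are constructed sample values; an HMAC stands in for the table's digital signature because the Python standard library has no asymmetric signing.

```python
import hashlib
import hmac
import json

# Constructed sample values only. A real system uses a random per-user salt
# and keeps signing keys in a key store, not in source.
_SALT = b"constructed-static-salt"
_SIGNING_KEY = b"constructed-signing-key"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    # PBKDF2 so a leaked store does not give away passwords directly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: password hashes and roles (authentication data)
USERS = {
    "alice": {"pw": _hash_password("correct horse"), "roles": {"clerk"}},
    "bob": {"pw": _hash_password("battery staple"), "roles": {"auditor"}},
}

# Authorisation: which roles may perform which transaction actions
PERMISSIONS = {
    "clerk": {"create_order", "read_order"},
    "auditor": {"read_order"},
}


def authenticate(username: str, password: str) -> bool:
    """Prove the user is who they claim to be (the post's 'integrity' gate)."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the user exists
        _hash_password(password)
        return False
    return hmac.compare_digest(record["pw"], _hash_password(password))


def authorise(username: str, action: str) -> bool:
    """Check the authenticated user may perform this action (confidentiality gate)."""
    roles = USERS.get(username, {}).get("roles", set())
    return any(action in PERMISSIONS.get(role, set()) for role in roles)


def sign_record(record: dict) -> str:
    """Integrity tag over the stored transaction (HMAC standing in for a signature)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str) -> bool:
    """Detect any later change to the record by recomputing and comparing the tag."""
    return hmac.compare_digest(sign_record(record), tag)


def submit_transaction(username: str, password: str, action: str, record: dict):
    """Run one transaction through the gates in order: authenticate, authorise,
    then integrity-protect the data that is written."""
    if not authenticate(username, password):
        return ("denied", "authentication failed")
    if not authorise(username, action):
        return ("denied", "not authorised for " + action)
    return ("ok", sign_record(record))


if __name__ == "__main__":
    order = {"id": 1, "amount": 10}
    status, tag = submit_transaction("alice", "correct horse", "create_order", order)
    print(status, verify_record(order, tag))
    print(submit_transaction("bob", "battery staple", "create_order", order))
```

Each gate fails closed and the order matters: a caller never reaches the authorisation check without authenticating, and the integrity tag is computed only on data the authorised user was allowed to write, so a later edit to the stored record is caught by `verify_record`.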
I've spent a little time and space explaining this because it's not always obvious. Even if we work in a network environment, we don't often see user security; it is built into applications, operating systems and devices. It is an integral part of being in the network, just as our identities are an integral part of us. User security needs to be like this, or we wouldn't want to use the technology.
OK, maybe this is too simple. I'll let you look at the network security parts for yourselves for the moment. The network is how we travel to the data, as users, so the concepts of C, I and A here are largely intuitive, much as we picture things on a network diagram. Tomorrow I'm going to continue with the network, then wrap up with the search for data nirvana so temptingly promised by the title.