Sunday, 27 April 2008

Continuing the search for data nirvana

It's a while since I wrote about data integrity (actually, I wrote about it a couple of days ago, but not in detail). I will assume that everyone is familiar with the CIA triad before reading on. [If not, please look it up.]

Last year I wrote a couple of pieces which talked about the security of transactions, addressing the user, the network and the data. It was part of a presentation I used in Barcelona to persuade some VCs to invest in Kinamik, who I was then with. I certainly thought it was along the right lines then, and I still think it's relevant, although I need to update the ideas.

Here's a copy of the table I referred to as my Transaction Security table:

Access Controls
Wireless, Load balancers
Firewalls, IPS, etc.
Anti-Virus, Change Control Mechanisms, Digital Signatures
Access Controls
Digital Signatures

Most people involved in using IT of any kind will be familiar with authentication, entering usernames and passwords. Most of us will do this many times a day in fact. We need to do this, to make sure we are who we say we are, to prove our integrity. We need to be authorised to continue our journey in the network, to allow us into the areas we are permitted to view and use. The confidentiality of the network and data is at stake if authorisation is not in place. The network and data therefore needs to have access controls, to stop unauthorised access, or permit authorised access, this is availability.

I've spent a little time and space explaining this because it's not always obvious. Even if we work in a network environment, we don't often see user security, it is built in to applications, operating systems and devices. It is an integral part of being in the network, just as our identities are an integral part of us. User security needs to be like this, or we wouldn't want to use the technology.

OK, maybe this is too simple. I'll let you look at the network security parts for yourselves for the moment. The network is how we travel to the data, as users, so the concepts of C, I and A here are largely intuitive, much as we picture things on a network diagram. Tomorrow I'm going to continue with the network, then wrap up with the search for data nirvana so temptingly promised by the title.

No comments: