Every organization must protect its valuable information resources. Failing to do so leaves computer information systems open to threats that exploit vulnerabilities, and risks are realized. Loss of information often results in financial losses and disruption of operations.
Organizations must have a dependable information infrastructure that is both reliable and valid. Sound decisions are based upon the consistency and accuracy of information assets. An organization without its mission critical information is likely to fail.
Being able to depend upon the timely accessibility of information is crucial to information operations for both businesses and individuals. Access must be protected and restricted. There are two information security concepts that can be used to help. One is known as “Authorization” and the other is “Authentication”.
Let’s outline authorization first. Authorization generally implies the existence of an information security plan. Rules are spelled out, in great detail, that indicate who is authorized to access specific information and under what conditions. The information that is to be accessible is listed in the business’ information inventory, and access is usually based upon the general principle of “need to know”.
Employees who have a need to know a particular set or range of information are normally approved to have access. This consent is known as “authorization”. Computer networks are usually deployed to support a security policy that only allows authorized individuals to gain access to specific information.
The second method of controlling access to mission critical data and information is known as “authentication”. The process makes it possible to assure that the correct individual is attempting to access or use vital data. Authentication assures identity.
Authentication relies upon providing the system with:
1.) Something that the user knows, such as a password
2.) Something that the user has, such as a token, and
3.) Something that the user “is”, such as a biometric fingerprint or retina scan.
A system that uses appropriate authentication methods would deny access to any person who fails to be properly identified.
Let’s review. Authorization grants access privileges on a need-to-know basis. Authentication tests the identity of the individual who is attempting to gain access. Authentication can be something you know, something you have or something you are.
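As an added illustration (not part of the article), the following Python sketch ties the two concepts together: authentication checks two factors (a salted password hash for “something you know”, an RFC 6238 one-time code for “something you have”) and only then does authorization consult a need-to-know inventory with a condition attached (a permitted time window). The inventory contents, user records, asset names and the time-window rule are constructed assumptions.

```python
import hashlib, hmac, os, struct, time

# Constructed sample inventory: which roles may access which asset, and under
# what condition (here a permitted UTC hour range). Hypothetical, not the article's.
INVENTORY = {
    "payroll-db": {"roles": {"finance"}, "hours": (8, 18)},
    "hr-records": {"roles": {"hr", "finance"}, "hours": (0, 24)},
}

def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the password (something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code from a token's shared secret (something you have)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def authenticate(user: dict, password: str, code: str, now: int) -> bool:
    """Identity check: both factors must pass; constant-time compares throughout."""
    expected = hash_password(password, user["salt"])
    pw_ok = hmac.compare_digest(expected, user["pw_hash"])
    code_ok = hmac.compare_digest(code, totp(user["secret"], now))
    return pw_ok and code_ok

def authorize(user: dict, asset: str, now: int) -> bool:
    """Need-to-know check against the inventory rules; unlisted assets are denied."""
    rule = INVENTORY.get(asset)
    if rule is None:
        return False
    hour = time.gmtime(now).tm_hour
    start, end = rule["hours"]
    return bool(user["roles"] & rule["roles"]) and start <= hour < end

def access(user: dict, password: str, code: str, asset: str, now: int) -> str:
    """Authentication first, authorization second; a failure at either gate denies."""
    if not authenticate(user, password, code, now):
        return "denied: identity not established"
    if not authorize(user, asset, now):
        return "denied: not authorized for this asset"
    return "granted"

def make_user(roles, password: str, secret: bytes) -> dict:
    salt = os.urandom(16)  # fresh random salt per user record
    return {"roles": set(roles), "salt": salt,
            "pw_hash": hash_password(password, salt), "secret": secret}
```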
Many organizations operate with a minimal level of authentication in the form of password protection. Those who do may have no password policy, or may be unaware of the characteristics of a robust password. A large number of businesses and organizations also fail to have a security policy at all. Such a plan would include an inventory of information assets and specify who has authorization to access each item.
A prudent information infrastructure owner would be keenly aware of, and follow, security best practices. Strong authentication and authorization policies and practices would be implemented. Doing so, in today’s asymmetric threat environment, is a necessity. Failing to do so borders on negligence.
You can learn more about securing your computer and information assets by visiting www.computer-security-glossary.org.
By Dr. William G. Perry