Basic Security Concepts
Three basic security concepts important to information on the Internet are
confidentiality, integrity, and availability. Concepts relating to the people
who use that information are authentication, authorization, and nonrepudiation.
When information is read or copied by someone not authorized to do so, the
result is known as loss of confidentiality. For some types of
information, confidentiality is a very important attribute. Examples include
research data, medical and insurance records, new product specifications, and
corporate investment strategies. In some locations, there may be a legal
obligation to protect the privacy of individuals. This is particularly true for
banks and loan companies; debt collectors; businesses that extend credit to
their customers or issue credit cards; hospitals, doctors' offices, and medical
testing laboratories; individuals or agencies that offer services such as
psychological counseling or drug treatment; and agencies that collect taxes.
Information can be corrupted when it is available on an insecure network.
When information is modified in unexpected ways, the result is known as loss
of integrity. This means that unauthorized changes are made to information,
whether by human error or intentional tampering. Integrity is particularly
important for critical safety and financial data used for activities such as
electronic funds transfers, air traffic control, and financial accounting.
Information can be erased or become inaccessible, resulting in loss of
availability. This means that people who are authorized to get information
cannot get what they need.
Availability is often the most important attribute in service-oriented
businesses that depend on information (e.g., airline schedules and online
inventory systems). Availability of the network itself is important to anyone
whose business or education relies on a network connection. When a user cannot
get access to the network or specific services provided on the network, they
experience a denial of service.
To make information available to those who need it and who can be trusted
with it, organizations use authentication and authorization. Authentication
is proving that a user is whom he or she claims to be. That proof may involve
something the user knows (such as a password), something the user has (such as a
"smartcard"), or something about the user that proves the person's
identity (such as a fingerprint). Authorization is the act of determining
whether a particular user (or computer system) has the right to carry out a
certain activity, such as reading a file or running a program. Authentication
and authorization go hand in hand. Users must be authenticated before carrying
out the activity they are authorized to perform. Security is strong when the
means of authentication cannot later be refuted - the user cannot later deny
that he or she performed the activity. This is known as nonrepudiation.
Internet FAQ top