Figure 13 shows how enforcement technology acts as a set of walls and barriers that protect your assets. Although this is a very simple way to describe enforcement, think of it as a shield preventing your assets from being affected by unauthorized activity. Technologies that enforce security are typically implemented within the computing infrastructure. They become extensions to the network, server, and desktop computers. Part 2 of this book is dedicated to describing security technologies, including enforcement technologies. Here are some of the terms you will become familiar with:
Figure 13 Enforcement technology protects business assets with barriers.
Access Control. Access control is a generic term for a broad set of security technologies designed to restrict computer access so that only people with permission will be able to use the computer or get to the stored data. In this book, we will use the term access control to refer to the control mechanisms that are built into the computer operating systems (such as Microsoft Windows, UNIX, or MVS) by their vendors. Chapter 4, "Authentication, Authorization, Access Control," provides more information on access control.
Identification and Authentication (I&A). These two terms are frequently used interchangeably. Although technicians may wish to quibble, we will discuss all of the technologies that allow us to identify an individual under this heading. There are a lot of different approaches that can be used to identify people. When you type in an account name and a password, you are invoking an I&A system to grant you access to the computer or application. But this category also includes credit-card-sized electronic devices, known as smart cards, which can be used to store a stronger equivalent of an account and password combination. This category also includes a set of technologies known as biometrics. A computer set up for biometric authentication might allow you access based on your fingerprint, your voice, or simply the way you look. Unfortunately for the moment, you still have 24 passwords to remember. Chapter 4 provides more information on authentication.
Firewalls. A firewall is simply a filter that stops some network traffic from passing through, while allowing others to continue. If your organization is connected to the Internet, you almost certainly already have a firewall. If, for any reason, you suspect that you may not have a firewall, immediately turn to the chapter on firewalls, read it, and take action to correct the situation. A firewall is a mandatory filtering device that provides a minimal but necessary level of protection from Internet-based attacks. Firewalls are also used to isolate areas of a company that have differing security requirements from one another. A research department may have either very high or very low Internet connectivity requirements, depending on the industry being researched. The sales and marketing areas, on the other hand, typically need a moderate degree of access and reasonable security. An internal firewall separating sales from research is an expedient solution to these varying security needs. Chapter 5, "Firewalls," is dedicated to the topic.
Virtual Private Networks (VPNs). Messages traveling between computers can be intercepted and read. They may be altered without the changes being detected. When all of the computers and all of the communication links are inside our own organization, we tend to ignore those risks. When the internal environment becomes less stable or less secure, we may need to make the communications between computers more secure. When our workers start accessing computer systems from outside of our own facilities, we must ensure that communications are well secured. The dramatic increase in telecommuting has driven the use of VPN technology. VPN uses advanced encryption technology to make computer messages unintelligible while they are moving between computers. This also makes them impossible to change or forge without detection. Chapter 10, "Encrypted Communications," provides more information on VPNs.
Public Key Infrastructure (PKI). This is a means of enabling security across large, open systems, such as the Internet, such that users who have never met will be able to develop trust. PKI requires a broadly deployed infrastructure. Unfortunately, the ability to use bits and pieces of PKI from multiple vendors is still a challenge. In a fully realized PKI system, all users are fully identified in a guaranteed manner, and every message they send or application they use is clearly and completely associated with that individual. PKI is designed to scale up to millions of participants. You need to plan for PKI but it is still several years away from being fully realized. PKI is addressed in Chapter 9, "Public Key Infrastructure and Encryption."
Secure Sockets Layer (SSL). SSL is a slightly different subset of the requirements addressed by PKI. SSL is a Web security protocol that encrypts and authenticates Web communications and uses PKI as the basis of authenticating servers and clients. It works primarily with World Wide Web (WWW) servers and is well proven. It comes in multiple flavors, but the simplest implementation (SSL2) is the one most widely used. SSL3 is much more secure, in that both parties involved (the end user and the server) must prove who they are in order to start communicating, but it is much harder to manage. SSL is discussed in Chapter 10.
Single Signon (SSO). Everyone wants to get by with a single password. Every vendor has promised to make it happen. SSO is difficult or impossible because we have so many varied computer systems. Any company that uses only one type of computer can create an SSO environment. Very few companies qualify, due to the history of uncontrolled acquisition of computer systems. One subset of SSO is Web SSO. Because all Web servers are based on some common technology, we can create an SSO capability for all Web-based applications. But this capability is available only if it is designed into the applications. Chapter 12, "Single Signon," provides more information on SSO.