Security Terminology

Security has many aspects that can be categorized into the following areas:

  • Authentication

  • Authorization

  • Confidentiality

  • Integrity

  • Non-repudiation

  • Auditing

Each of these categories is discussed in this section.

Authentication

Authentication means identifying a client as a valid user of the system. Identifying a client has two components:

  • Initially confirming the client's identity

  • Authenticating the client each time it accesses the application

At its simplest level, initial identification requires a user to simply register with an application without any additional identification. More often, a third party, such as the Human Resources department or a manager in a company, identifies a user. At its most complex level, usually associated with military systems, identification requires background checks to confirm a user's identity. Identified users are registered with the system and granted access to some or all of the facilities provided by the system (see the “Authorization” section later in this chapter).

Registered users of an application must identify themselves each time they use the application. The most common form of authentication is to give each user a unique name (typically an account or login name) and a password associated with that account. Users simply have to provide their account names and passwords to gain access to the application.

The information identifying a client is usually called the user credentials. The most commonly encountered forms of user credentials are as follows:

  • Account name and password

  • Swipe cards

  • Smart cards

  • Physical identification systems (biometrics), such as fingerprints and retinal images

  • Digital certificates

Authentication is like the entrance gate to a modern theme park. As long as you have a ticket, you are allowed into the park--you have been authenticated. But authentication does not necessarily allow you to use all of the rides and facilities in the park. The means by which you are allowed access to different parts of the theme park is called authorization.

Authorization

Authorization involves controlling access to capabilities of an application according to the authenticated user's identity. Authorization differentiates between different categories or types of users, and grants or denies them access to different parts of the system.

Using the theme park analogy again, you may only be authorized to use certain rides. Rides may have height, weight, or age restrictions that authorize access to some users and deny access to others.

Confidentiality

Another aspect of security relates not to controlling access to functionality but to ensuring that data is only seen by authorized users. In other words, the data remains confidential. Maintaining confidentiality is not just a question of authorizing access to the data but also of ensuring unauthorized access either cannot occur, or if it does, that the data remains “secure.” In practical terms, confidentiality is usually achieved by encrypting the data and ensuring that only authorized users can decrypt and access the data.

Integrity

Ensuring data integrity means preventing deliberate or accidental attempts to modify the data in an unauthorized manner. Applying authorization correctly solves most of the data integrity problems concerned with accessing data on a server.

To ensure integrity, data transferred across the network must not be changed or corrupted as it is transferred. The user must be sure that the data they receive is the data that was transmitted. Techniques, such as encryption, checksums, and message digests (see the “Messages Digests and Checksums” section later in today's lesson), help ensure data integrity across networks.

Integrity also means that any changes made to a system are not lost, such as might occur when a server crashes. Good auditing practices (see the “Auditing” section) help prevent the loss of changes to persistent data.

Non-Repudiation

Non-repudiation means being able to prove a user did something, even if the user subsequently denies it. A simple example is to consider a user with online banking facilities. A fraudulent user could transfer money to another bank account and then try to claim this was a spurious transaction and a fault of the banking system. With good accounting processes, the bank can prove this was not the case.

Auditing

Auditing is familiar to database users and has the same meaning in security--providing a record of activity. Good auditing is an adjunct to supporting non-repudiation and integrity. Remember, audit records must themselves be kept secure.
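The requirement that audit records themselves be kept secure can be made concrete with a tamper-evident log. The following Python is an added example, not code from the original text; the HMAC chain is one technique chosen here for illustration, and the function names, key, and log entries are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the "previous MAC" of the first record


def _mac(key: bytes, prev_mac: str, entry: dict) -> str:
    # Canonical JSON so the same entry always serializes to the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append(log: list, key: bytes, user: str, action: str) -> None:
    """Append a record whose MAC covers its content and the previous MAC."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "user": user, "action": action}
    log.append({"entry": entry, "mac": _mac(key, prev_mac, entry)})


def verify(log: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev_mac = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, prev_mac, rec["entry"])
        # A wrong sequence number reveals a deleted or reordered record;
        # a wrong MAC reveals edited content or a forged record.
        if rec["entry"].get("seq") != i or not hmac.compare_digest(expected, rec["mac"]):
            return i
        prev_mac = rec["mac"]
    return -1


def demo() -> tuple:
    key = b"constructed-demo-key"  # constructed; a real key is stored away from the log
    log: list = []
    append(log, key, "alice", "transfer 500 to account 1234")
    append(log, key, "bob", "view statement")
    append(log, key, "alice", "logout")
    intact = verify(log, key)
    log[0]["entry"]["action"] = "transfer 5 to account 1234"  # simulated tampering
    return intact, verify(log, key)


if __name__ == "__main__":
    print(demo())
```

Removing records from the end of the log is not detected by this chain alone; the latest MAC or record count must also be kept somewhere the log writer cannot alter.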
