Security has been a topic of due importance right from the very early days, when the internet did not even exist. Computers came into existence in the early 1950s, and for nearly 2 decades they remained fairly centralized systems, each housed in a single large room that was adequately secured and to which entry was restricted to a privileged few. Normally, there would be a computer operator who would collect all processing jobs from users, process them and deliver the results back to the users. So, essentially, in the 1950s users did not have direct access to the computer and security concerns were minimal.
The 1960s saw the emergence of the more powerful second generation of mainframe computers. Computer systems were still centralized. However, users were provided direct access through interactive terminals. Thus, a large number of users, some remotely located, could simultaneously access the centralized mainframe computer in time-sharing mode. While computers in those days were mostly used for scientific and engineering computations, some organizations such as banks used these computers for keeping records of bank transactions and for carrying out financial calculations. And that gave birth to the early-day hackers. This smart breed of programmers would write a hack to steal very tiny amounts of money from others' accounts and accumulate them in their own account. These amounts would be a fraction of a penny and hence would go unnoticed. They took advantage of a very basic functionality of computing – floating-point arithmetic – as banks would round off money to the nearest penny. While individual account holders did not suffer any loss of money, the bank as a whole did.
It was at this time that system designers and developers realized the need for incorporating security in their applications because access to the centralized computers was no longer confined to their own premises.
Today, we have a super-giant global network of networks – the Internet or the world wide web. Now every computer, be it a centralized server or a user's computer, is vulnerable. The rapid development in software and hardware technology has resulted in a rapid increase in the processing power of computers and hence a rapid increase in the development and deployment of a variety of applications to take care of day-to-day business processes. As a consequence, today, the internet hosts a horde of mission-critical applications for organizations of all sizes and scale. The overall stakes are significantly higher and so have encouraged the growth of a large population of hackers and people with criminal intent. Security is thus a major concern today, as lack of it can bring an organization down overnight.
Technology advancement has also led to the development of multiple types of hacking and attack methods and techniques, forcing organizations to take a holistic approach towards security. Further, the technology behind computers and the environment in which they operate, viz. the Internet, is not static. Technological changes are rapid, thereby creating newer vulnerabilities. People with criminal intent are fast at finding loopholes in newer systems and devising newer means of breaking them. Organizations need to gear up to assess and re-assess their security deployments to keep pace.
For effective security implementation, organizations need to first understand the threats involved, keeping in mind that they can only control those computer systems and that part of the network which they own and which is in their own direct control. Once you have identified the assets that require protection, viz. your own computers, hosted software and your part of the internet, the next step is to identify and examine the threats that your assets are subjected to. In this introductory article I will only discuss the identification of threats. In subsequent articles I will elaborate further on the threats and the associated implementation methods to protect against them.
There are all kinds of security prevention methods available for implementation, but each has a cost associated with it and many require hiring and retaining trustworthy and knowledgeable technical personnel. Hence, we have to be practical in our implementation approach and must understand how much is enough and where we should draw the line. Before we look into the threats, let me get down to a non-technical example to help you understand how much is enough for you. The appropriateness of your security deployment would depend largely upon what you are trying to protect.
To what extent we will secure our house would depend on several factors, such as:
Below are some of the obvious security measures that one would take:
This list can be endless. But can you afford it all? You need to strike an appropriate trade-off. If you ponder a little deeper on the security measures listed above, you will realize that all of them can become useless if a thief equipped with modern equipment invades your house. He can easily shoot your dog with a pistol. He can wear an insulated suit and pass through your electric fence. He can bring in a gas welding machine and break open your lock, and so on. The question to ask is: how much would the thief invest to break into your house? That would depend upon how much bounty is available to him if he succeeds.
There could perhaps be a cheaper alternative to the above – put all your valuables in your bank locker.
I guess the message is clear by now. Take a holistic approach to security, keeping in mind the stakes involved, how much you can afford, and whether there are affordable alternatives.
There are essentially 3 broad areas of concern when your own network (which you can trust) is attached to the rest of the internet which you cannot trust.
Your entire security strategy will revolve around the above environmental threats, with the objective to minimize the posed threats. The threats themselves can be broadly classified into 5 fundamental components and each component can be addressed with suitable security deployment schemes. These components are -
Before allowing any user to enter your system, the first component of security is to authenticate him so as to ascertain his identity and ensure that he is indeed who he claims to be. The identity can be ascertained by asking the user to simply enter a password or some other form of unique access key. In a more elaborate high-security system, it could be ascertained by collecting the user's biometric data such as his fingerprint, voice or eye data, and matching the same with his data already stored in your system. Collection of authentication information has to be done securely as well, so that this information is not stolen during the process.
Access Control entails implementation of mechanisms so that a user to whom you have granted access is limited to carrying out only the tasks he is supposed to, and no more. This is done by differentiating users based upon the identity they provided while authenticating. For instance, if your sales agent logs into your ERP system, he is allowed only to create sales orders and process customer invoices, and only for those sales orders that he created. He is not allowed to access other parts of the sales system or other sub-systems such as accounts, HR or purchase. On the other hand, if your vendor logs in to submit a quote, he will only be able to do that and will not have even view access to any other parts of the system.
Even for your own internal users, access control needs to be implemented. For instance, if your accountant logs in, he is allowed access to the accounts system but not sales, purchase and HR. Further, if he is not your chief accounts officer, he will have limited access to only creating vouchers and will not have access to generating balance sheets or viewing financial reports.
This logical method of access control helps protect your system from unauthorized modification or manipulation, thus ensuring system integrity. It also helps maintain confidentiality of classified information.
The access scheme must further be secure enough that attempts by any unscrupulous user to bypass security can be foiled. Additional security schemes can be deployed to debar access from certain geographic zones. For instance, if you are sure that all users of your ERP system will be located only within India, you may block access attempts from all other geographic zones. Yet further security tightening can be done by allowing access to your system only during your business hours. Likewise, there are several other criteria-based security schemes that can be deployed. More such examples include transaction-specific limited-time access, access restrictions to keep a check on the total number of users logged in at a given time, etc.
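The access rules described above, written as a default-deny policy check. This is an added illustration, not code from the original article; the role and action names, the 09:00 to 18:00 office hours and the `country` field (assumed to come from a trusted geo-IP lookup) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

# Constructed policy mirroring the article's ERP examples: role -> permitted actions.
# Any role or action not listed here is denied (default deny).
ROLE_ACTIONS = {
    "sales_agent": {"create_sales_order", "process_invoice"},
    "vendor": {"submit_quote"},
    "accountant": {"create_voucher"},
    "chief_accounts_officer": {"create_voucher", "generate_balance_sheet",
                               "view_financial_report"},
}
OWNER_ONLY = {"process_invoice"}             # only on records the user created
ALLOWED_COUNTRIES = {"IN"}                   # geographic restriction (India only)
BUSINESS_HOURS = (time(9, 0), time(18, 0))   # assumed office hours


@dataclass
class Request:
    user: str
    role: str
    action: str
    country: str                         # assumed output of a trusted geo-IP lookup
    when: datetime                       # server-side time of the request
    record_owner: Optional[str] = None   # creator of the record being touched


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure denies."""
    if req.country not in ALLOWED_COUNTRIES:
        return False, "geo_blocked"
    start, end = BUSINESS_HOURS
    if not (start <= req.when.time() < end):
        return False, "outside_business_hours"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, "action_not_permitted_for_role"
    if req.action in OWNER_ONLY and req.record_owner != req.user:
        return False, "not_record_owner"
    return True, "ok"
```

The returned reason string is meant for the server-side log; the user-facing response should stay generic so it does not reveal which rule blocked the request.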
Integrity relates to the data that flows in and out of your system. Suitable security schemes are deployed to ensure that data being received into your system or data flowing out of your system is not altered, distorted or corrupted en route. Integrity also relates to ensuring that unauthorized access to your system does not result in deliberate destruction of data stored on your server in files and databases. When procuring third-party software, care needs to be taken to buy only from reputed and trustworthy vendors and not from rogue developers. The latter may secretly deploy software that may cause harm to your system data.
Protection of data integrity from user mistakes is also to be kept in mind and certain procedural control schemes can be devised such as two-person control, where one person acts as the doer and the other person acts as the checker. Data validation procedures need to be built in as well.
Privacy, or confidentiality, entails implementing mechanisms to ensure that data flowing in and out of your system is not readable by anyone other than those for whom it is intended, especially if it is classified information. Privacy applies to all types of data, be it emails, files, or online transaction data. To understand this, let us take an example of a physical letter that is enclosed in an envelope and sent by post, vis-à-vis an open postcard. Data transmitted through the internet is like open postcards. Anyone can read it.
Your competitor may join hands with a hacker and pry into your network to capture important business information such as a price quote being sent out to your customer. Thieves may keep tabs on data flowing through your network to extract sensitive information such as credit card data. Imagine a situation where you are selling an e-book online. The e-book is delivered through the same network. This book data will flow through the network while being delivered to the end customer. Any hacker can make a copy of it if the book is not suitably encrypted before transmission.
The security scheme deployed must assure that any transaction that takes place can subsequently be proved to have taken place, and it should also be possible to prove which entities were involved in the transaction. This is achieved by logging the user's identity and mapping it to the associated transactions. For instance, if you have 5 accountants making voucher entries into your ERP's accounting system, it should be possible for you to know which voucher was created by whom, and modified by whom and at what time, so that accountabilities can be fixed. The fear associated with accountability will also compel users to take extra care while working on your system.
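A log can only fix accountability if its entries cannot be quietly rewritten afterwards. The sketch below is an added example, not code from the original article: it chains each voucher entry to the previous one with an HMAC so that edits and deletions are detected. The field names and voucher ids are assumptions, and the key is assumed to be held by the logging service, never by the accountants being logged.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value used before the first entry


def _mac(key: bytes, prev: str, body: dict) -> str:
    # The MAC covers the previous entry's MAC, so an entry cannot be edited,
    # removed from the middle or reordered without breaking the chain.
    msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, user: str, action: str,
                 voucher: str, timestamp: str) -> None:
    """Record who did what to which voucher, and when."""
    body = {"user": user, "action": action, "voucher": voucher, "ts": timestamp}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({**body, "mac": _mac(key, prev, body)})


def verify_log(log: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, body)):
            return i
        prev = entry["mac"]
    return -1


def who_touched(log: list, voucher: str) -> list:
    """Answer the accountability question: (user, action, time) for one voucher."""
    return [(e["user"], e["action"], e["ts"]) for e in log if e["voucher"] == voucher]
```

Removing entries from the end of the log is not detected by the chain alone; that requires keeping the latest MAC somewhere the log's writers cannot reach. Because the key is shared with the logging service, this gives tamper evidence rather than per-user digital signatures.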
While designing your system of computers, software and network, you will need to work around the above five components of security threats with due diligence so that you can build a robust system that takes care of all of the above.
A secure system will provide your business with powerful competitive advantages and will result in streamlined execution of business processes with fewer issues and minimized losses on account of technology. Further, once your customers develop the perception that by doing transactions on your network they have the assurance of security, their hesitation to transact will be less, and this will directly impact your business with a positive bottom line.
CEO, Computer Solutions
Rajeev Kumar is the primary author of How2Lab. He is a B.Tech. from IIT Kanpur with several years of experience in IT education and Software development. He has taught a wide spectrum of people including fresh young talents, students of XLRI, industry professionals, and govt. officials.
Rajeev has founded Computer Solutions & WebServicesWorldwide.com, and has hands-on experience of building a variety of web applications and portals, including SaaS-based ERP & e-commerce systems, independent B2B, B2C, Matrimonial & Job portals, and many more.