Computer Security: A Practical Definition
Security Domains
Computer security is also frequently defined in terms of several interdependent domains that roughly map to specific departments and job titles:
Physical security -- Controlling the comings and goings of people and materials; protection against the elements and natural disasters
Operational/procedural security -- Covering everything from managerial policy decisions to reporting hierarchies
Personnel security -- Hiring employees, background screening, training, security briefings, monitoring, and handling departures
System security -- User access and authentication controls, assignment of privilege, maintaining file and file system integrity, backups, monitoring processes, log-keeping, and auditing
Network security -- Protecting network and telecommunications equipment, protecting network servers and transmissions, combating eavesdropping, controlling access from untrusted networks, firewalls, and detecting intrusions
This text is solely concerned with the latter two. System and network security are difficult, if not impossible, to separate in a system. Nearly every distribution in the past fifteen years has included a TCP/IP protocol implementation as well as numerous network services such as FTP, Telnet, DNS, and, more recently, HTTP.
A Practical Definition
In the spirit of practicality, I like the straightforward definition: "A computer is secure if you can depend on it and its software to behave as you expect." In essence, a computer is secure if you can trust it. Data entered today will still be there tomorrow in unaltered form. If you made services x, y, and z available yesterday, they're still available today.
These practical definitions sidestep an obvious element: a secure system should be hard for unauthorized persons to break into -- i.e., the value of the work necessary for an unauthorized person to break in should exceed the value of the protected data. Increasing the attacker's workload and the risk of detection are critical elements of computer security.
For the purposes of this article, I define "system security" as:
The ongoing and redundant implementation of protections for the confidentiality and integrity of information and system resources so that an unauthorized user has to spend an unacceptable amount of time or money or absorb too much risk in order to defeat it, with the ultimate goal that the system can be trusted with sensitive information.