“Oh no! My system’s been compromised!!!” Maybe you have said these words or something similar yourself, or you have heard your system administrator scream them in frustration, littered with more colorful language. Maybe you have been lucky up to this point and have not heard these words at all. Chances are you have or will, given the increasing number of viruses, malware, and system intrusions and the large number of highly publicized data theft incidents on the Internet. This makes system security a paramount skill for any system administrator and a necessity for all businesses. Before anyone can dive into the technical details of system security, systems administrators and executives alike should be able to answer the following questions: What is system security? How much security should I use? And, what are the limitations of system security?
So, what is system security? System security is much like the security we are used to in everyday life: keys, locks, security alarms, security guards, etc. Basically, system security is a set of impediments purposely placed to restrict access to sensitive or critical data to only those who have proper permission to access it. Think of data as your jewelry at home and system security as the doors, locks, alarm system, and safe that keep that jewelry protected.
System security is comprised of several layers, which include physical, network, pre-system, operating system, software, application, and backend.
- The physical layer of security is much like the locks and keys everyone is used to. This layer of security ensures that only authorized personnel can physically access the system.
- Network security ensures the network itself is secure and cannot be listened in on or tapped into.
- Pre-system security includes physical hardware that sits between the system being secured and the end user. These solutions include technologies like firewalls and Intrusion Detection Systems (IDS), which stop harmful attempts to access data before the system is even reached.
- Operating System security includes maintaining security patches, using proper file security, and maintaining secure passwords and usernames.
- Software security includes virus scanners, malware scanners, and software firewall solutions. These technologies should be active scanning solutions that continually monitor the system for unauthorized access.
- Application security is the level of security in specific applications running on a system. For example, if you have code in your website application that allows a hacker to upload and execute programs, then all the previous levels of security would be thwarted. Solutions in this area require application security specialists as well as third-party application scanning and testing.
- The final layer is backend security which ensures that access to and from the backend systems such as databases is secure.
Next, how much security should I use? The first thing you should know is that any system can be compromised. This is true in the physical world, where any safe can be cracked and any physical object stolen with the right amount of resources. Since security is only intended to make it more difficult to access data, the amount of security used is based on the need to secure that data. The higher the sensitivity and criticality of the data, the greater the need for security measures. The goal is to make it not worth the intruder's effort to access the data. However, you can be over-secure. Some systems administrators think that no matter the data, all security measures should be taken. This is analogous to installing reinforced metal doors and barred windows with high-tech surveillance equipment and 24-hour guard service at every house that has a single dollar bill in it. Obviously, this is not cost effective and makes it a real pain to get into your own home. But you must also be careful not to be under-secure. You don’t want to leave the Mona Lisa behind a child-lock door. The right amount of security to use can be tough to determine, but it should place an appropriate number of impediments in front of the data for its level of sensitivity and criticality without hampering the ability of those who need to access or administer the data.
Finally, what are the limitations of system security? Microsoft TechNet released an article entitled “10 Immutable Laws of Security”, which can be found at http://technet.microsoft.com/en-us/library/cc722487.aspx. This article outlines the laws of security and, in doing so, security’s limitations. One major law is that weak passwords trump strong security. This means that if you use dictionary words for passwords or if you leave them lying out in the open for people to see, no amount of security measures will keep someone out of the system. A second notable law is that security is only as strong as your system administrator is trustworthy. System administrators have unparalleled access to systems, and if they are untrustworthy they can let others in intentionally or unintentionally. The final law, and my favorite, is that technology is not a panacea. Basically, you can’t rely only on technology solutions to maintain security. Antivirus programs could miss a virus, IDS systems could go down, leaving the system vulnerable, or a security application may crash. No solution is perfect, but a mixture of technology and good systems administration can go a long way toward keeping your data safe.
It is important that executives and systems administrators alike understand these security concepts before purchasing and implementing security solutions for their systems. A basic understanding of what security is, how much you should use, and what its limitations are can go a long way in saving a company time and money and saving a system administrator long hours and headaches. While the only 100% secure system is one that doesn’t exist, with the right amount of security your data can be reasonably protected.
Tags: security, systems administration