Thinking About Security
Security discussions often begin by considering the kinds ofthreats facing a system. I’d like to come at this issue from a slightly different angle by focusing first on what needs to be protected. Before you can address any security-related issue on your system, you need to be able to answer the following questions:
What are you trying to protect?
What valuable asset might be lost?
If you can answer these questions, you’ve gone a long way toward identifying and solving potential security problems. One way to approach them is to imagine discovering one morning that your entire computer system/network was stolen during the previous night. Having this happen would upset nearly everyone, but for many different reasons:
Because of the monetary cost: what is valuable is the computer as a physical object (loss of equipment).
Because of the loss of sensitive or private data, such as company secrets or information about individuals (one type of loss of data).
Because you can’t conduct business: the computer is essential to manufacturing your product or providing services to your customers (loss of use). In this case, the computer’s business or educational role is more important than the hardware per se.
Of course, in addition to outright theft, there are many other causes of all three kinds of losses. For example, data can also be stolen by copying it electronically or by removing the medium on which it is stored, as well as by stealing the computer itself. There is also ...