The Internet as a whole faces a wide range of security threats: social networking and Web 2.0 sites have become targets for attackers, and botnets continue to multiply. Faced with this, how do we build a more secure system when threats are escalating in every corner? How does an enterprise approach security from a sound overall position rather than piecemeal? To some extent, we should look at what has happened and find the problem at a deeper level.
Recognize the five key core elements
To achieve information system security, the most basic starting point is to understand the key elements of a security system, and then to build security protection around those elements in every aspect of the system and its operation. Here are the five key elements of security.
Authentication. Authentication is the most fundamental element of security. An information system exists to be used, but only by authorized users, so the first thing to know is the identity of the caller. Users may be people, devices or related systems; whatever kind of user it is, the first element of security is to authenticate it. Authentication has three possible outcomes: objects that can be authorized to use the system, objects that are not authorized, and objects whose identity cannot be confirmed. Every possible entry point of an information system must have an authentication measure, and any entry point that cannot be given one must be blocked completely, so that no security loophole is left open. Once the identity of a visiting object has been authenticated, an unauthorized object must be denied access, an authorized object proceeds to the next security step, and an unidentified object is handled according to the purpose of its visit. For example, a public website or the reception of e-mail cannot fully authenticate its visitors, but it also cannot simply shut them out.
Authorization. Authorization grants legitimate users the right to use system resources and monitors for illegitimate use. Authorization can be granted to a specific object, for example a user or a device that may use a specified resource; to a group of objects; or to a role held by an object. Beyond granting rights, authorization is also an important part of discovering and managing illegitimate use. Despite the use of various security technologies, illegitimate use cannot be entirely avoided, so it is important to detect it and take immediate security measures. For example, when a virus invades an information system, the consequences can be very serious without timely detection and countermeasures.
Confidentiality. Authentication and authorization are the foundation of information security, but these two alone are not enough. Confidentiality ensures that information is not "viewed" by illegitimate users during transmission and storage. A typical example is a legitimate user accessing information over the network: the information may be illegally "intercepted" in transit and leaked. In general, stored information is easier to protect, because authentication and authorization can "shut out" unauthorized users. Data in transit, however, cannot be protected this way, or only with difficulty, which is why encryption has become an important means of information security.
Integrity. If information being leaked is a serious security problem, then information being altered during storage or transmission is more serious still. For example, A sends a file and an instruction to B. In transit, C intercepts the information, modifies it and passes the modified version on to B, so that B takes the content modified by C to be what A transmitted. In this case the integrity of the information has been compromised. An important aspect of information security is to guarantee the integrity of information, especially while it is being transmitted.
Non-repudiation. Both authorized use and unauthorized use must be well documented after the fact. In the case of unauthorized use, the unauthorized user must be unable to deny what was done; this is the last important aspect of information security.
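As an added illustration of the A/B/C scenario in the integrity section and of non-repudiation (example code written for this page, not from the original article): A signs each message with an Ed25519 private key that only A holds, so B detects C's modification, and A cannot later deny having signed what B verified. The type and function names and the sample instruction are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage is what A puts on the wire: the content plus a signature over it.
// Type and function names in this file are this example's own, not the article's.
type SignedMessage struct {
	Content   []byte
	Signature []byte
}

// keypair generates a fresh Ed25519 key; the private half never leaves its owner.
func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to continue with
	}
	return pub, priv
}

// Send is A's side: sign the content with A's private key.
func Send(privA ed25519.PrivateKey, content []byte) SignedMessage {
	return SignedMessage{Content: content, Signature: ed25519.Sign(privA, content)}
}

// Receive is B's side: accept only if the signature verifies under A's public key,
// so any edit by C breaks the check and only A could have produced a passing one.
func Receive(pubA ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pubA, m.Content, m.Signature)
}

// RunScenario plays out A -> C -> B and reports whether B accepts (1) the genuine
// message, (2) C's edit carrying A's old signature, (3) C's edit re-signed with C's key.
func RunScenario() (genuine, reused, resigned bool) {
	pubA, privA := keypair()
	_, privC := keypair() // C has a key of its own, but never A's private key
	original := Send(privA, []byte("pay 100 to account 42")) // constructed sample instruction
	edited := []byte("pay 100 to account 99")                // C's modified instruction
	viaC1 := SignedMessage{Content: edited, Signature: original.Signature}
	viaC2 := SignedMessage{Content: edited, Signature: ed25519.Sign(privC, edited)}
	return Receive(pubA, original), Receive(pubA, viaC1), Receive(pubA, viaC2)
}

func main() {
	fmt.Println(RunScenario()) // true false false
}
```

Non-repudiation here rests on the private key staying with A alone and on B keeping a record of the signed message; a shared secret such as an HMAC key would give B integrity checking but not non-repudiation, since B could have produced the same tag itself.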