Authentication is the act or process of establishing that something or someone is who or what it claims to be. In other words, it answers the question of who you are: can I prove that I am me in some way? For many of us this is done with a state-issued driver's license or other form of state-issued ID card. We provide enough documentation to the state to satisfy the requirement for identification and they, in turn, provide us with a card to use as proof. Computer-based identity management is much the same. We provide information to the system to prove our identity and, once logged in, we are given a token. Authentication does not imply authorization. I may be able to log in but I may not be able to do anything once I am there.
Authorization is the permission or power granted to you. You are sanctioned to perform certain tasks. It answers the question, what can I do? Authorization may only be granted after authentication occurs, or at least that is how it should work. I should not grant you permission to read a private document until I know who you are and that you have permission to read that document. In the example of a driver's license, it is not only a token for authentication; it also authorizes you to operate a motor vehicle.
Are there, or should there be, time limits on authentication and authorization? The short answer is yes. Passwords should expire. Documents that are sensitive today may not be so in ten years. In our driver's license example, a license is generally valid for a limited time. Sometimes documents are time sensitive, like company financials right before a quarterly earnings report. During the time prior to the report, a company does not want that information in the public. After the report is given, that information may be public knowledge. We call this time-sensitive information.
Here is an example of what authentication and authorization may look like in the physical world. My child is in the military. If I want to visit them on base, I need to provide a state-issued identification card and maybe some other proof of my identity to base security. This is authentication. I am proving to base security who I am. This, however, does not get me on base. To get on base, my child must vouch for me and base security will issue me a pass that allows me access. This is authorization. When I approach the gate with my state-issued ID card and my base-issued pass, I identify who I am and show that I have permission to enter the base. It does not give me permission to all of the base. Some places are off limits. That is because I do not have clearance, or need to know. I can visit base housing and the gym but I am not allowed access to office buildings without further clearance.
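The gate procedure above, together with the time limit discussed earlier, can be sketched in a few lines of Python. This is an added example, not part of the original post; the ID numbers, names, signing key, area names and eight-hour pass lifetime are all constructed for illustration.

```python
import hashlib
import hmac

# All values below are constructed for this example.
GATE_KEY = b"constructed-demo-key"                  # known only to base security
STATE_IDS = {"TX-1001": "Pat Visitor",              # state-issued ID -> holder
             "TX-2002": "Sam Stranger"}
SPONSORED = {"Pat Visitor": {"housing", "gym"}}     # who was vouched for, and where


def authenticate(id_card):
    """Authentication: who are you? Returns the holder's name, or None."""
    return STATE_IDS.get(id_card)


def _sign(payload):
    # The MAC lets the gate detect a pass that was edited after it was issued.
    return hmac.new(GATE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_pass(name, now, ttl=8 * 3600):
    """Authorization: granted only to an authenticated, vouched-for visitor."""
    areas = SPONSORED.get(name)
    if name is None or not areas:
        return None
    payload = f"{name}|{','.join(sorted(areas))}|{now + ttl}"
    return f"{payload}|{_sign(payload)}"


def check_access(id_card, base_pass, area, now):
    """Gate decision: identity first, then the pass, its expiry and its scope."""
    name = authenticate(id_card)
    if name is None:
        return "deny: not authenticated"
    if base_pass is None:
        return "deny: authenticated but no pass"
    payload, _, mac = base_pass.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return "deny: pass altered"
    holder, areas, expiry = payload.split("|")
    if holder != name:
        return "deny: pass belongs to someone else"
    if now >= int(expiry):
        return "deny: pass expired"
    if area not in areas.split(","):
        return "deny: no clearance for " + area
    return "allow"


if __name__ == "__main__":
    now = 1_700_000_000                              # constructed clock value
    visitor_pass = issue_pass(authenticate("TX-1001"), now)
    for area, when in (("gym", now + 60), ("office", now + 60),
                       ("gym", now + 9 * 3600)):
        print(area, "->", check_access("TX-1001", visitor_pass, area, when))
    # A valid ID with no sponsor authenticates but is never authorized.
    print(check_access("TX-2002", issue_pass(authenticate("TX-2002"), now),
                       "gym", now))
```

Every denial names the step that failed, which is also what you would want written to an access log.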
To build a rock-solid information security program, one must start with a solid foundation. One of the most widely accepted principles is the CIA model. We are not talking about the Central Intelligence Agency here. No, in this case it is the Confidentiality, Integrity, and Availability model, CIA. Once the information requirements are known, a security policy can be implemented.
First, let us discuss confidentiality. This requirement describes who should be allowed to see the information. Not all information is public, nor should it be. An Internet-facing web page would be considered public information. That is, after all, why it is Internet facing. Some information is for general availability within an organization. That might be considered internal information. Trade secrets might not be generally known by everyone within the organization. They are specialty knowledge that a smaller subset of individuals need to know. Other data may be time sensitive. That is, it should not be discussed openly now, but at a known point in the future that information is no longer a secret. Business financials are a good example. Quarterly close reports should not be made public until the information is published.
The integrity requirement addresses the question of how reliable the information is. This might be addressed through a change management control system or through some sort of event logging that catches changes or change events in real or near real time. It is sometimes important to know if information changed, what that change was, and maybe who made or authorized that change. Organizational financials are a good example where data integrity requirements may be high.
Confidentiality and integrity are meaningless if you do not have access to the data when you need it. This is where the availability requirement comes in. For very important information, having it stored on a highly available system with redundancies, backup power, and multiple network pathways might be in order. For the average end user's home directory, maybe less redundancy, slower media, and less frequent backups will do. This translates into lower storage costs but still meets the requirements for everyday life. Infrequently accessed data may be sent to tier-three storage. This may not have direct write access for end users and may be stored on much slower drives. It may not be as readily available as tier-one or tier-two storage, but should be accessible near on-demand.
The CIA model is a great starting point for your data classification policy. It helps identify who can access the data. Not all data is equal and not everyone should be privy to all information. It also helps you outline who may authorize changes, how those changes are to occur, how changes are recorded, and when changes to the data may be made. Finally, the hardware portion of our program helps identify how the data is stored, how it is accessed, and maybe even where it is stored, whether in a local data center or some type of cloud-based service. Not all data is the same and it should not be treated the same.
It was a day like any other. I got up and took the dog for a walk, showered and drove to work. It was a day like any other. I was at work by 7AM US/Central time, reading email and checking server logs. I had coffee and chatted with coworkers and friends. Nothing about this morning indicated that the world, as I knew it, was going to change drastically.
One of my coworkers, Connie, came into my office asking if I heard about the plane crashing into the World Trade Center. I had not. I asked Connie if she had any details; she did not. Absent any information, I assumed it was a light aircraft that did not make altitude. American Airlines Flight 11 crashed into the North Tower at 7:46 AM US/Central time. As Connie retreated to her office, I asked which news site carried the story so that I could read up on it later. I never got the chance.
About twenty minutes later Connie came back to my office again. She was visibly shaken; almost to tears. A second plane crashed into the World Trade Center. THAT IS NOT AN ACCIDENT! I pulled up the FoxNews web site. At 8:03 AM US/Central, United Flight 175 crashed into the South Tower. I knew then we were under attack. I followed Connie out to the main space where many others started to gather to watch and listen to the news. We consoled each other. Some decided to walk up to the cafeteria to watch the news unfold on the televisions. We were all stunned. The news of the day just kept getting worse. Thirty minutes later, Flight 77 crashes into the Pentagon. We watched the screens as the news media focuses on the World Trade Center attack. My heart dropped as we watch someone jump from the building rather than burn in the fires from the plane crash. As for me, stunned silence turns into anger at those that perpetrate a war on U.S. soil.
Everything was happening so fast. It was hard to comprehend everything that was happening. By 8:45AM US/Central, within an hour of the first plane crash, all U.S. airspace was shut down. We started hearing of flights coming in from overseas diverted to remote Canadian airfields. We hear of planes still in the air. We were not sure if we heard the news correctly when they told America that military jets were given permission to shoot down any plane that refuses to land. All planes were ordered to the ground. We hear of Flight 93. It is off the radar and air traffic controllers cannot contact or find them on radar. We prepare to hear of yet another disaster in the making. Flight 93 crashes in a field in Pennsylvania. We do not hear about the heroism of the passengers until much later. They fought back against the would-be terrorists and forced the plane to the ground where it would do no harm to others.
The South Tower of the World Trade Center fell just before 9. I was astonished by this. When the North Tower fell less than thirty minutes later, I was in total shock and disbelief. By lunchtime, all U.S. airspace was clear of commercial and private flights. No civilian aircraft were allowed to fly for three days. I did not hear until watching the news that evening that we were ordered to DEFCON 3.
Many of my coworkers, and I, stopped in our tracks that day. We were all stunned by the events of the day. By the time the South Tower came down, those with children had already left the office to pick them up. Some brought their children back to the office while others opted to go directly home. We all watched our news feeds closely that day. There was not much, if any, work done that day. It was a day full of emotion. There was a lot of crying and comforting, some hugging, and general discussion of where we go from here.
I just moved into a new house in the Winter of 2001. It was a new neighborhood and I did not have many neighbors yet. I did not expect my friends and neighbors from the old neighborhood to show up but Brian came by that evening with his wife and then one-year-old baby. We sat outside and talked about the day. I lived near one of the outermost beacons for our airports so air traffic overhead is common. This night was uncommon. There were no airplanes in the air overhead. From my back porch, unaided, I counted upwards of twenty-five planes in the sky on a normal day. On this day, there were zero. The quiet that evening was eerie. There was some sort of spooky feeling to the night with no air traffic overhead. Not much in the way of highway traffic either. It was like the world stopped for a day. As it turned out, three. We all knew then that this was our Pearl Harbor, our Kennedy. We knew that September 11, 2001, is our generation's defining moment.
9/11 Timeline from the World Economic Forum
THINK before you speak. Easy enough to say, but what does it mean? It is meant to remind us that words matter. To THINK before you speak. Tell the truth, or at least what you honestly believe to be the truth. Aim to be helpful rather than hurtful. Be informative. No sense in telling everyone what they already know. Don't be superfluous and keep to the facts or core of the discussion. Always try to be kind with your words. The message loses its power if it is spoken in animosity.
True Helpful Informative Necessary Kind
I have this hand-written sign hanging in my office next to my monitor.
WAIT -- Why Am I Talking
As someone who talks all day for a living, why would I have such a thing in such clear view of my daily activities? It is reminding me to shut up and listen. My fifth-grade English teacher, Mrs. Dunn, used to tell the class nearly every day that God gave us two ears and only one mouth to listen twice as much as we talk. When it comes to building customer relationships, I think that is very good advice.
Sometimes when I get into a groove explaining how our software works and why certain settings should be that way, I sometimes forget to ask the customer why they did it their way. So, occasionally, I will look away from my monitor and see my sign. It is a gentle reminder that my customer has something to say as well. I may shift gears and ask the customer questions about their environment to get a better understanding. It may not change the outcome but now my customer feels included in the conversation. Don't get me wrong, I definitely have those "I know you are out there; I can hear you breathing" moments. I find it is more productive to have a discussion, a dialogue, rather than a lecture.
As a young Christian, I was not saved until I was 36, I did not know how to pray. I know to some of you that sounds like a silly problem. After all, everyone knows how to pray. To be clear, there is no right way to pray. If you were like me and needed some guidance on how to get started then I will give you the same guidance I received.
My Sunday School teacher broke it down for me like this P R A Y:
It was many years ago now. I was in my thirties. I broke my leg a few years before and I stopped drinking for a few months while I was in recovery but I went back to my old ways afterwards. It sounds like I am saying that alcohol and tobacco use are forbidden by the Christian faith. It is not forbidden. I stopped using alcohol and tobacco for religious and health reasons.
Quitting alcohol was the easy part. I poured hundreds of dollars worth of alcohol down the drain and tossed the now empty bottles in the trash. I did not look back on that decision for seven years. It was quitting smokeless tobacco that was difficult for me. Throwing it away was easy. Working through the cravings that it left behind was difficult. After all, I used smokeless tobacco for over twenty years by the time I decided to quit. I fought those cravings for a very long time. It was difficult for me because everything that I did seemed to revolve around my tobacco use. Everything seemed to be a reminder. The cravings were frequent at first, maybe every thirty to forty-five minutes. As I worked my way through the process, those cravings became further apart. Half-hours turned into one- or 2-hour increments. That led to 4 to 5-hour intervals. I was relieved when I could make it through a workday without a craving. Workdays became full days, then weeks, then months. At this point, I have not touched tobacco for over twenty years.
How did I do it? I used prayer. Every time I had a craving, I prayed to get through it. Right there, at my desk, I prayed. Over and over, I prayed. My prayer was always answered and I was able to make it through that craving. It was not always easy. I do not remember the number of cans of smokeless tobacco that I bought, never used, and threw away. That just shows my weakness in those times. I was able to eventually prevail. I share this because it worked for me. If you are having difficulty like this, it may work for you as well. Reach out to God and ask for His help.
When I was 18 years old, 1983-84, I worked for a national pizza chain delivering pizza. You may know which one; they had the thirty-minutes or it is free policy back then. It was the week leading up to finals for us seniors. We took finals early to prepare for the end of the year. I was one of the top five drivers for our store. Another, Michael, was promoted to assistant manager so I guess technically he was no longer a driver.
It was a Wednesday night, I believe. The local Air Force base was graduating their class of Airmen as well. The store manager, Jim, told me when I walked into the door that he had a special assignment for me that day. The base called and ordered pizzas for the graduation class and I was responsible for making the delivery. Even using two hot boxes in the back seat and an insulated bag in the front seat, it took me three trips to deliver the entire order to base. Each delivery was about 30 minutes round-trip; getting to base, dropping off the order, and returning back to the store. It was a huge order and I was responsible for taking it all.
I was taking my last batch to base. It was getting late, maybe 10:00 PM or so. I pulled out of the parking lot just like any other run. I started down Avenue N. About the time I reached the cemetery a burnt orange 1981(ish) Buick Regal pulls up next to me. I did not think anything of it. I had my window down and was listening to my music as I normally did. The passenger rolls down his window and said something to me. I did not originally understand so I turned off my radio. He once again shouted for me to pull over and that he wanted my pizza. I engaged my mouth in the best negotiating I could muster at such a young age. That is when the gun appeared. It was time for evasive maneuvers. I slowed down and sped up to keep the passenger from getting a target lock on me or my car. I would slow down and get behind them. They, in turn, would copy. We jostled for position most of the way down the road. I knew that I had to get away from these men.
I had an idea. As we were approaching the highway, I knew that I needed to be in the far right lane in order for this to work. I got myself into position. There were street lights so I felt pretty sure they were not going to make an attempt on me at the traffic light. My gamble paid off. They were on my left. They made no move while at the light, under the bright street lights. When the traffic light turned green, I floored my car; launching myself as quickly as I could across the highway. Much to my dismay, my perpetrators followed. We tracked down a narrow roadway until I reached South Chadbourne. This is my alternate path to the base south gate. The gate guard there knew I was coming as I made two other trips that night already. Turning right onto Chadbourne, I once again floored my 1972 Plymouth and sped down the highway. I will admit that my heart was racing as fast as my engine. I did not look behind me as I was more concerned with what was in front of me at those speeds.
I reached the south gate and there was no sight of the Buick to be found. I stopped and checked in with the security detail at the gate. I informed them what was happening and asked for the nearest payphone. I made my drop and then called the store. I informed Jim what was going on and that I wanted the police at the store once I returned from base. Once I arrived, I rushed into the store and made a money drop. I then talked to the police describing what I could. The report was filed overnight.
The news stations picked up the story. I was, apparently, the first pizza driver in town to be held up at gunpoint. It started a chilling trend. My schoolmates teased me about the events but I was much too busy to bother with that. I had six finals to take in two days and my mind was totally focused on getting through that next set of hurdles. I passed my finals. For the life of me, I don't know how. We walked the aisle and graduated that Friday night. I never did return to work at that store. I just couldn't. I was experiencing a type of PTSD I am sure. If I slept at all, it was not well and I would wake from nightmares reliving the event in my mind. It was months later when I forced myself to go back to work. A delivery driver for a different national pizza brand. The difference was they were not open as late. They did not stay open past 9:00PM during the week. I felt I could deal with that. When I ran into some troubles, the store manager brought me to work inside, later to be promoted to store manager after the store changed ownership.
When I reached 21, I purchased my first handgun. I literally walked down the street to Wal-Mart and bought the gun. I taught myself to shoot from magazine articles describing the various stances, their advantages and disadvantages. Ultimately I settled on one that felt comfortable to me. I went to the gun range when I could afford it. I kept my weapon in the store safe when at work as I closed the store and made the nightly deposit. In all my time as a gun owner (reaching 40 years soon), I have yet to pull my gun on anyone. I never had the need. I hope to keep it that way.
This story is a remembrance of events past. The events took place when I was about nine or ten years old and are the best recollection of events nearly 40 years past.
This time of year I am, and you are, likely asked why Christmas is special to you. For many there are the standards, the birth of our Lord, etc. I, however, have reasons more earthly as to why Christmas is so special to me. Being the youngest of six I have siblings much older than I. One is my eldest brother Ritchie. He joined the Army about the same time that we left Middletown, New York and moved to Johnstown. He did not move into the new house with us. At the time the Vietnam war was winding down, though I did not know that. I was a child and thought only of childish things. My brother shipped out to Germany where he applied his trade. It seemed like forever since I saw him. Yet another Christmas was approaching and our family seemed to dwindle year by year.
Christmas Eve arrived. It was uneventful as ever. I had dinner with my parents and remaining three brothers. We watched the usual Christmas television shows, and I lay on the floor next to the dog near the fireplace. It was a lazy, uneventful evening at home. Bed time came for my brother Grant and me. We were still in elementary school and had early bed times. This gave my parents time to stuff presents under the tree without the youngest two, at least, bothering them. Christmas morning rolled around and as you guessed, Grant and I were the first up and down the stairs to inspect the windfall under the tree. Per our custom, we had to wait until after breakfast before we could open presents. Mom and Dad made bacon and eggs. We ate well and fidgeted much, I am sure. Grant and I returned to the front room to sort out presents and prepare for the grand opening. It was not yet quite light outside. The house was still quiet as we waited in the front room. There was a knock at the door. I thought it might be the neighbor boys, Kevin and Brian. Still dressed in my pajamas I answered the door. It was brother Ritchie all the way from Germany. He put his finger to his lips as I opened the door. My dad was asking who it was. Ritchie shushed Grant as well as he walked towards the kitchen where Mom and Dad were still doing dishes. Ritchie disappeared around the corner and all I heard were screams of joy. I am sure hugs were exchanged as Ritchie was welcomed home. The first time he set foot in the house since it was finished. Coffee was served, and another breakfast was made as Ritchie sat down to tell us all of his adventures.
This is the nearest I can remember from the story told of his journey home. Ritchie got permission for leave at the last moment. He caught a transport out of Germany though not a direct flight. He landed somewhere in the United States Christmas Eve and had to make arrangements to catch a passenger flight to New York. Once in New York, he had to catch a puddle jumper to Albany, the closest airport at the time to where we lived. By this time it was growing dark, snow was starting to fall once again, and he could not find a ride from Albany to Johnstown. I picture Ritchie standing at the airport in his Dress Greens, dropping dimes to find a ride home to surprise everyone. A family seeing a stranded soldier at the airport offered him a ride. It was not really on their way to pass through Johnstown on the way to Buffalo. They stuffed his duffle in the back of the car and drove him to the door of our home. There was much rejoicing as the prodigal son returned.
This is the image of Christmas that I carry in my heart and mind every year around this time. Decorations and presents under a tree are just trimmings. Being with family, celebrating the love and joy that comes from that fills me. Like the story of the Prodigal Son, my brother went to a far off land. He returned unannounced to open arms and a place at a familiar table.