Authentication is the act or process of establishing that something or someone is who or what it claims to be. In other words, it answers the question, who are you? Can I prove that I am who I say I am? For many of us this is done with a state-issued driver's license or other form of state-issued ID card. We provided enough documentation to the state to satisfy its requirements for identification and it, in turn, provides us with a card to use as proof. Computer-based identity management is much the same. We provide information to the system to prove our identity and, once logged in, we are given a token. Authentication does not imply authorization. I may be able to log in, but I may not be able to do anything once I am there.
Authorization is the permission or power granted to you. You are sanctioned to perform certain tasks. It answers the question, what can I do? Authorization may only be granted after authentication occurs. Or, at least, it should be. I should not grant you permission to read a private document until I know who you are and that you have permission to read that document. In the driver's license example, the license is not only a token for authentication; it also authorizes you to operate a motor vehicle.
Are there, or should there be, time limits on authentication and authorization? The short answer is yes. Passwords should expire, and so should the session tokens and passes issued after a login (current NIST password guidance favors expiring sessions and rotating credentials on evidence of compromise rather than on a fixed calendar, but the point stands: nothing should be valid forever). Documents that are sensitive today may not be so in ten years. In our driver's license example, the license is generally valid for a limited time. Sometimes documents are time sensitive, like a company's financials right before its quarterly earnings report. Before the report, the company does not want that information in public. After the report is given, that information may be public knowledge. We call this time-sensitive information.
Here is an example of what authentication and authorization may look like in the physical world. My child is in the military. If I want to visit them on base, I need to provide a state-issued identification card, and maybe some other proof of my identity, to base security. This is authentication. I am proving to base security who I am. This, however, does not get me on base. To get on base, my child must vouch for me, and base security will issue me a pass that allows me access. This is authorization. When I approach the gate with my state-issued ID card and my base-issued pass, I establish who I am and that I have permission to enter the base. That does not give me access to all of the base. Some places are off limits because I do not have clearance, or a need to know. I can visit base housing and the gym, but I am not allowed into office buildings without further clearance.
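The base-visit analogy above, carried into code as an added example (this is not code from the original post). Authentication checks a salted, hashed password and hands back a time-limited session token, the "pass"; authorization is a separate step that checks the token is still valid and that the subject's role permits the requested area. The user names, roles and zones ("housing", "gym", "offices") are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed in-memory stores standing in for a directory and a session cache.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}     # username -> (salt, password hash)
_ROLES: Dict[str, str] = {}                      # username -> role
_SESSIONS: Dict[str, Tuple[str, float]] = {}     # token -> (username, expires_at)

# Authorization data kept apart from authentication data: a valid login says
# who you are, this table says what that identity may do. Zones are hypothetical.
_PERMISSIONS: Dict[str, Set[str]] = {
    "visitor": {"housing", "gym"},
    "staff": {"housing", "gym", "offices"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def grant_role(username: str, role: str) -> None:
    """The 'vouching' step: someone with authority assigns what the user may do."""
    _ROLES[username] = role


def authenticate(username: str, password: str,
                 now: Optional[float] = None, ttl: float = 3600) -> Optional[str]:
    """Prove identity. Returns a session token that expires after ttl seconds, or None."""
    record = _USERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return None
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = (username, now + ttl)
    return token


def authorize(token: str, zone: str, now: Optional[float] = None) -> bool:
    """Decide access: token must be known and unexpired, and the role must allow the zone."""
    session = _SESSIONS.get(token)
    if session is None:
        return False
    username, expires_at = session
    now = time.time() if now is None else now
    if now >= expires_at:
        del _SESSIONS[token]          # expired pass: the user must authenticate again
        return False
    role = _ROLES.get(username)
    return zone in _PERMISSIONS.get(role, set())


if __name__ == "__main__":
    register("parent", "correct horse battery")
    grant_role("parent", "visitor")
    pass_token = authenticate("parent", "correct horse battery", now=0.0, ttl=60)
    print("gym:", authorize(pass_token, "gym", now=10.0))          # authenticated and authorized
    print("offices:", authorize(pass_token, "offices", now=10.0))  # authenticated, not authorized
    print("gym later:", authorize(pass_token, "gym", now=120.0))   # pass expired
```

Note that a wrong password and an unknown user both return None from the same code path, and that an expired token is refused before the role is even consulted: the two questions are answered in order, and a "no" at the first step never reaches the second.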
To build a rock-solid information security program, one must start with a solid foundation. One of the most widely accepted principles is the CIA model. We are not talking about the Central Intelligence Agency here. No, in this case it is the Confidentiality, Integrity, and Availability model, CIA. Once the information's requirements along those three axes are known, a security policy can be implemented.
First, let us discuss confidentiality. This requirement describes who should be allowed to see the information. Not all information is public, nor should it be. An Internet-facing web page would be considered public information. That is, after all, why it is Internet facing. Some information is for general availability within an organization. That might be considered internal information. Trade secrets might not be generally known by everyone within the organization. They are specialty knowledge that a smaller subset of individuals need to know. Other data may be time sensitive. That is, it should not be discussed openly now, but at a known point in the future that information is no longer a secret. Business financials are a good example. Quarterly close figures should not leave the people who need them until the earnings report is published.
The integrity requirement addresses the question, how reliable is the information? This might be addressed through a change management system or through event logging that catches changes, or change events, in real or near-real time. It is often important to know whether information changed, what that change was, and who made or authorized it. A cryptographic hash of each record, compared against a known-good baseline, is the usual way to detect that a change happened; the change log is what tells you whether it was supposed to. Organizational financials are a good example where data integrity requirements may be high.
Confidentiality and integrity are meaningless if you do not have access to the data when you need it. This is where the availability requirement comes in. For very important information, storing it on a highly available system with redundancies, backup power, and multiple network pathways might be in order. For the average end user's home directory, maybe less redundancy, slower media, and less frequent backups will do. This translates into lower storage costs but still meets the requirements for everyday life. Infrequently accessed data may be sent to tier-three storage. This may not offer direct write access for end users and may be stored on much slower drives. It may not be as readily available as tier-one or tier-two storage, but it should be accessible nearly on demand.
The CIA model is a great starting point for your data classification policy. It helps identify who can access the data. Not all data is equal and not everyone should be privy to all information. It also helps you outline who may authorize changes, how those changes are to occur, how changes are recorded, and when changes to the data may be made. Finally, the hardware portion of your program helps identify how the data is stored, how it is accessed, and maybe even where it is stored: either a local data center or some type of cloud-based service. Not all data is the same and it should not be treated the same.
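An added example of the integrity control described above (not code from the original post): a small ledger that keeps a known-good SHA-256 digest for each record and an append-only log of change events that says who made and who approved each change. Each log entry is hashed together with the previous entry's hash, so the log itself resists silent editing. The record name ("q3-close.csv"), the sample contents and the actor names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def digest(data: bytes) -> str:
    """SHA-256 hex digest: the fingerprint kept for each record."""
    return hashlib.sha256(data).hexdigest()


class IntegrityLedger:
    """Known-good digest per record plus a hash-chained log of change events."""

    def __init__(self) -> None:
        self._baseline: Dict[str, str] = {}
        self._events: List[dict] = []

    def _log(self, **fields) -> dict:
        """Append an event, chaining it to the previous one by hash."""
        event = dict(fields)
        event["prev_hash"] = self._events[-1]["event_hash"] if self._events else "0" * 64
        event["event_hash"] = digest(json.dumps(event, sort_keys=True).encode())
        self._events.append(event)
        return event

    def baseline(self, name: str, data: bytes, actor: str, ts: float) -> str:
        """Establish the known-good state of a record."""
        d = digest(data)
        self._baseline[name] = d
        self._log(ts=ts, record=name, action="baseline", actor=actor,
                  approved_by=actor, old=None, new=d)
        return d

    def approved_change(self, name: str, new_data: bytes, actor: str,
                        approved_by: str, ts: float) -> str:
        """Record a change that went through change management and move the baseline."""
        if name not in self._baseline:
            raise KeyError(f"no baseline for {name}")
        old, new = self._baseline[name], digest(new_data)
        self._baseline[name] = new
        self._log(ts=ts, record=name, action="change", actor=actor,
                  approved_by=approved_by, old=old, new=new)
        return new

    def verify(self, name: str, data: bytes) -> str:
        """'ok', 'unexpected-change' (an edit nobody logged), or 'unknown'."""
        expected = self._baseline.get(name)
        if expected is None:
            return "unknown"
        return "ok" if hmac.compare_digest(expected, digest(data)) else "unexpected-change"

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any logged event was altered after the fact."""
        prev = "0" * 64
        for ev in self._events:
            if ev["prev_hash"] != prev:
                return False
            body = {k: v for k, v in ev.items() if k != "event_hash"}
            if digest(json.dumps(body, sort_keys=True).encode()) != ev["event_hash"]:
                return False
            prev = ev["event_hash"]
        return True

    def history(self, name: str) -> List[dict]:
        return [e for e in self._events if e["record"] == name]


if __name__ == "__main__":
    ledger = IntegrityLedger()
    q3 = b"revenue,1200000\ncost,900000\n"          # constructed sample record
    ledger.baseline("q3-close.csv", q3, actor="cfo", ts=1.0)
    edited = b"revenue,1200000\ncost,800000\n"
    print(ledger.verify("q3-close.csv", edited))    # unexpected-change: nobody logged it
    ledger.approved_change("q3-close.csv", edited, actor="controller", approved_by="cfo", ts=2.0)
    print(ledger.verify("q3-close.csv", edited))    # ok: the change is on record
    print(ledger.verify_log())                      # True: the log itself is intact
```

The two verification functions answer different questions: verify() tells you whether the data matches what the organization last approved, and verify_log() tells you whether the record of approvals can itself be trusted. In practice the log would be written to append-only storage or a separate system so the person changing the data cannot also rewrite its history.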
It was a day like any other. I got up and took the dog for a walk, showered and drove to work. It was a day like any other. I was at work by 7AM US/Central time, reading email and checking server logs. I had coffee and chatted with coworkers and friends. Nothing about this morning indicated that the world, as I knew it, was going to change drastically.
One of my coworkers, Connie, came into my office asking if I had heard about the plane crashing into the World Trade Center. I had not. I asked Connie if she had any details; she did not. Absent any information, I assumed it was a light aircraft that did not make altitude. American Airlines Flight 11 crashed into the North Tower at 7:46 AM US/Central time. As Connie retreated to her office, I asked which news site carried the story so that I could read up on it later. I never got the chance.
About twenty minutes later Connie came back to my office again. She was visibly shaken, almost to tears. A second plane had crashed into the World Trade Center. THAT IS NOT AN ACCIDENT! I pulled up the FoxNews web site. At 8:03 AM US/Central, United Flight 175 crashed into the South Tower. I knew then we were under attack. I followed Connie out to the main space where many others had started to gather to watch and listen to the news. We consoled each other. Some decided to walk up to the cafeteria to watch the news unfold on the televisions. We were all stunned. The news of the day just kept getting worse. Thirty minutes later, Flight 77 crashed into the Pentagon. We watched the screens as the news media focused on the World Trade Center attack. My heart dropped as we watched someone jump from the building rather than burn in the fires from the plane crash. As for me, stunned silence turned into anger at those who would perpetrate a war on U.S. soil.
Everything was happening so fast. It was hard to comprehend everything that was happening. By 8:45 AM US/Central, within an hour of the first plane crash, all U.S. airspace was shut down. We started hearing of flights coming in from overseas being diverted to remote Canadian airfields. We heard of planes still in the air. We were not sure if we had heard the news correctly when they told America that military jets had been given permission to shoot down any plane that refused to land. All planes were ordered to the ground. We heard of Flight 93. It was off the radar, and air traffic controllers could not contact or locate it. We prepared to hear of yet another disaster in the making. Flight 93 crashed in a field in Pennsylvania. We did not hear about the heroism of the passengers until much later. They fought back against the would-be terrorists and forced the plane to the ground where it would do no harm to others.
The South Tower of the World Trade Center fell just before 9 AM US/Central. I was astonished by this. When the North Tower fell less than thirty minutes later, I was in total shock and disbelief. By lunchtime, all U.S. airspace was clear of commercial and private flights. No civilian aircraft were allowed to fly for three days. I did not hear until watching the news that evening that we had been ordered to DEFCON 3.
Many of my coworkers, and I, stopped in our tracks that day. We were all stunned by the events of the day. By the time the South Tower came down, those with children had already left the office to pick them up. Some brought their children back to the office while others opted to go directly home. We all watched our news feeds closely that day. There was not much, if any, work done that day. It was a day full of emotion. There was a lot of crying and comforting, some hugging, and general discussion of where we go from here.
I had just moved into a new house in the winter of 2001. It was a new neighborhood and I did not have many neighbors yet. I did not expect my friends and neighbors from the old neighborhood to show up, but Brian came by that evening with his wife and their then one-year-old baby. We sat outside and talked about the day. I lived near one of the outermost beacons for our airports, so air traffic overhead is common. This night was uncommon. There were no airplanes in the air overhead. From my back porch, unaided, I could count upwards of twenty-five planes in the sky on a normal day. On this day, there were zero. The quiet that evening was eerie. There was some sort of spooky feeling to the night with no air traffic overhead. Not much in the way of highway traffic either. It was like the world stopped for a day. As it turned out, three. We all knew then that this was our Pearl Harbor, our Kennedy. We knew that September 11, 2001, was our generation's defining moment.
9/11 Timeline from the World Economic Forum
THINK before you speak. Easy enough to say, but what does it mean? It is meant to remind us that words matter. To THINK before you speak: tell the truth, or at least what you honestly believe to be the truth. Aim to be helpful rather than hurtful. Be informative; there is no sense in telling everyone what they already know. Don't be superfluous, and keep to the facts or the core of the discussion. Always try to be kind with your words. The message loses its power if it is spoken in animosity.
True, Helpful, Informative, Necessary, Kind
I have this hand-written sign hanging in my office next to my monitor.
WAIT -- Why Am I Talking
As someone who talks all day for a living, why would I have such a thing in such clear view of my daily activities? It is reminding me to shut up and listen. My fifth-grade English teacher, Mrs. Dunn, used to tell the class nearly every day that God gave us two ears and only one mouth so that we would listen twice as much as we talk. When it comes to building customer relationships, I think that is very good advice.
Sometimes when I get into a groove explaining how our software works and why certain settings should be set a certain way, I forget to ask the customer why they did it their way. So, occasionally, I will look away from my monitor and see my sign. It is a gentle reminder that my customer has something to say as well. I may shift gears and ask the customer questions about their environment to get a better understanding. It may not change the outcome, but now my customer feels included in the conversation. Don't get me wrong, I definitely have those "I know you are out there; I can hear you breathing" moments. I find it is more productive to have a discussion, a dialogue, rather than a lecture.