Information Technology Reference
1.2 Security in information systems
The use of computers in various fields of human activity has undoubtedly
brought great benefits. In all areas where the main resources are information
and the ability to process it, computers are a useful and accurate storage and
But as technology matures, new problems emerge. A new instrument may be
accepted only if the benefits it offers are greater than the risks arising
from its use.
In the case of computers, there are a number of new security problems that
must be adequately addressed and resolved.
A physical archive may be secured with bars on the windows and a security
guard at the door who allows access only to authorized personnel, but a
database connected to the Internet introduces complex problems from a security
point of view. For example, in some systems it is easy to build programs that
replace the login screen and steal the passwords of other users; on a LAN it
is not difficult to obtain copies of the messages that transit the network.
To solve these problems it is necessary to adopt specific security policies
and implement mechanisms that enforce them. It is important to separate
policies from mechanisms. Policies state what needs to be done; mechanisms
determine how it is done. A solution to the problem consists of an adequate
security policy that, through the use of appropriate mechanisms, ensures the
protection of the various resources from unauthorized access.
The objects to defend belong essentially to two categories that are
conceptually separate but similar from an implementation point of view:
physical resources and information.
While UC will radically change the way we behave and interact with each other
and with IT systems, we must also take into account that this innovation has
its risks.
UC will have an impact on society similar to, if not greater than, the advent
of the Web. But, like every innovation, it also brings negative aspects. It is
therefore necessary to identify instruments and policies for protection before
a critical mass of applications is built and developed.
The traditional taxonomy identifies three main classes of security threats:
threats to confidentiality, integrity and availability.
Confidentiality is violated when there is unauthorized access to protected
information, such as your medical records. Integrity is violated when there is
an unauthorized change of information, such as when someone changes a sum or
the beneficiary on a bank account. Availability is violated when the system is
unable to perform the function for which it was intended, as when someone
attacks a web site with the intent of taking it offline.
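
The separation of policy from mechanism described earlier, applied to the confidentiality and integrity cases above, as an added example that is not part of the original text. The subjects, resource names, key and function names are constructed for illustration.

```python
import hashlib
import hmac

# POLICY (what must hold): which subject may perform which operation on which
# resource. Constructed sample data; changing it requires no code change.
POLICY = {
    ("dr_rossi", "read", "medical_record"),
    ("teller", "read", "bank_transfer"),
    ("account_owner", "read", "bank_transfer"),
    ("account_owner", "write", "bank_transfer"),
}

KEY = b"constructed-demo-key"  # assumption: known only to the mechanism


def is_allowed(subject, operation, resource, policy=POLICY):
    """MECHANISM (how): a reference monitor that denies anything not listed."""
    return (subject, operation, resource) in policy


def seal(record):
    """Integrity mechanism: MAC over the fields that must not change."""
    msg = f"{record['beneficiary']}|{record['sum']}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def read_resource(subject, resource, store):
    """Confidentiality: release data only to subjects the policy names."""
    if not is_allowed(subject, "read", resource):
        raise PermissionError(f"{subject} may not read {resource}")
    return store[resource]


def update_transfer(subject, record, tag, **changes):
    """Integrity: apply changes only if the policy allows the subject to
    write and the stored record still matches its seal."""
    if not is_allowed(subject, "write", "bank_transfer"):
        raise PermissionError(f"{subject} may not modify a transfer")
    if not hmac.compare_digest(seal(record), tag):
        raise ValueError("stored record was altered outside the mechanism")
    updated = {**record, **changes}
    return updated, seal(updated)
```

Granting the teller write access means adding one tuple to `POLICY`; the enforcement functions stay unchanged.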