Security is a concept everyone is familiar with. We prevent unwanted people from entering our houses and cars using locks and alarm systems. Computer security is no different.
To illustrate computer security, look at most modern office buildings. There are two basic ways a company can enforce security, and a third hybridized method. The first way is accomplished by placing security guards at the front door and at every door within the building that access needs to be restricted. Employees are assigned an identification card. When the employee wishes to enter the building or a door, the guard examines the ID. First, the guard verifies that the employee is who the person on the ID card is. This is authentication -- verification of a person's identity. Next, the guard checks a list of "allowed people". If the employee is on the list, he is permitted access. Changes in employee access is achieved by the addition or removal of his name from a particular guard's list.
There are two basic ways to secure something: a guard or a key. |
Another method is assigning a keyring to each employee. This keyring will hold one key for each door the employee has access to. When an employee's access Employees are given identification cards and/or a ring of keys to the office's doors. If an employee's access changes, a key needs to be added or removed from his keyring. This is unwieldly, as sweeping changes in access to a particular room would require tracking down each employee (some of who may have quit) that has a key.
Therefore, the previous method can be improved by hybridizing it with the first method. This is accomplished by placing a guard in the building's lobby. Each day, an employee checks in with the guard, and the guard then hands the employee a keyring with access keys. The guard checks a list to determine which keys the employee should have. At the end of the day, the employee turns the keyring back in. This way, only one guard is needed, and sweeping changes in security can be accomplished by altering the lobby guard's list.
The first method of placing guards at each access point has an analog in the Internet world: access control lists. The keyring example is analogous to capabilities. These are explained further in the access matrix section.
With the keyring method, there are issues with someone stealing someone's key -- this problems also exists on the Internet. The main hurdle is authentication, as if someone can steal a powerful person's identity (eg, his keyring) their access is greatly increased.
This site will proceed to educate about these concepts as they relate
to the Internet. Another issue that arises on the Internet is in the
security of communication. When you download a file, how do you verify
it's actually from the claimed person? How about communication of corporate
secrets -- how is this information kept secret, when transmitted over the
Internet?