About security

Security is all about how to reduce the impact of either intentional or unintentional damage.

Damage is something most of us try to avoid. If you're a car lover, there are actions you take to prevent your car from being stolen, like attaching a wheel lock, setting the car alarm, and locking doors. To prevent unintentional damage to your car, you might park it in your garage, away from traffic.

In addition, security includes the actions taken once damage has, or is believed to have, occurred. If your car is stolen, you call the police. If your car door gets "dinged," you have a body shop fix it.

Planning for security includes asking questions like "What if this happens?" or "How do I prevent that from happening?" Security also includes answering the question "Do I really want to go through all this work in order to be more secure?" Security does not always cover all possibilities, and this can be a conscious decision. It is possible to break an encrypted session's code and decrypt the data illicitly. However, that is highly improbable. Is highly improbable good enough? It would be nice to answer yes, but the truth is: it depends.

The context of security

Prior to dealing with the implementation of security, a significant amount of planning is required. Generally, a large organization will create (and continually update) a security policy document. A security policy document is an executive-level document that includes such information as:

The classification of security levels for the company's data
How different data is to be classified within these levels
Processes and procedures relating to all security aspects of an organization (physical, legal, administrative, and more)

In tandem with, or as a result of, a security policy, hosts and networks will have a classification. For example, most z/OS hosts will be in secure physical locations with strict authorization requirements for employee access. Some data on such a z/OS host would most likely be considered highly secure and could be placed without any encryption on disk. If the data was to be transferred between two z/OS hosts within that secure physical location, the data transfer would most likely be classified as highly secure.

If that data were to move outside onto the organization's network, the data would now likely be considered in a lower security context. Then, if the data were placed onto a workstation at a user's home office, the classification of the data would still have not changed. However, most would agree that its context was now an insecure, or certainly less secure, one.

So, if a question is asked "Should I be using such-and-such a security measure with my data?" the answer is "It depends." With a security policy in place, an organization is equipped to determine those dependencies and make a recommendation.

Elements of security

A car owner takes several measures to improve security. A steering wheel lock is intended to render the car unusable. Analogous to that is the encryption of data, which renders the data unusable. Parking the car in a garage reduces the likelihood of physical damage to the vehicle, which is analogous to physical site security. Activating the car alarm constitutes a security monitoring system, usually referred to as intrusion detection services within a network context. Locking the vehicle is intended to enforce authentication: if you don't have the right key for the car, you aren't authorized to access it. Finally, in the event of a security breach, there must be an action plan in place: for a stolen car, call the police; for stolen data, call your manager and the database guy.

Table 1 lists some elements of security.

Table 1. Elements of security
Elements of security	Concerns
Identification	Who are you and can you prove your identity?
Authorization	Who is allowed to access this network, data, or system?
Monitoring and auditing	Has the system, network, or data been accessed, and is this access potentially dangerous?
Data confidentiality and integrity	Can this data be viewed or altered without permission?