Computer security involves safeguarding computing resources, ensuring data integrity, limiting access to authorised users, and maintaining data confidentiality. Effective computer security therefore involves taking physical security measures (to ensure hardware and media are not stolen or damaged), minimising the risk and implications of error, failure or loss (for example by developing a resilient back-up strategy), appropriate user authentication (for example by employing strong passwording), and possibly the encryption of sensitive files.
We live in a world where "information wants to be free" and in which people are getting used to having access to whatever information they want anytime, anywhere and from a wider and wider range of computing devices. Unfortunately, in terms of the security and control of the resources to which computers permit access, this can prove quite a problem. Indeed, many users unfortunately often view security and control measures as inhibitors to effective computer use.
The following provides a practical overview of computer security issues. As with the rest of this site, the focus is largely on personal computing. There is also some coverage of UK data protection legislation.
You can also gain an overview of computer security by watching my Explaining Computer Security video.
The range of means by which the security and integrity of computing resources can be threatened is very broad, and encompasses:
Given the breadth of the human reliance on computer technology, physical security arrangements to try and ensure that hardware and storage media are not compromised by theft or unauthorised access are more important today than ever before. And yet surprisingly they are still often not taken seriously enough. Indeed, the number of high-profile instances of CDs, DVDs, hard disks and laptops going missing from government offices in the United Kingdom over the past year is quite staggering.
Not least due to advances in mobile and cloud computing, computing resources are more vulnerable to theft than ever before. Twenty or more years ago, most computer equipment and data lived in a secure IT "glass house" well out of the reach of the casual thief, and with the hardware involved of little or no street value anyway. However, this is obviously no longer the case.
Personal and business data is now stored across a wide range of organisational, cloud vendor and personal locations, more work is conducted at home than since the rise of the modern city, and IT departments therefore have a right to be nervous. At the very least, physical computing security measures -- such as external building safeguards and the control of access to areas of a building where computers are located -- should be subject to regular formal updating and review. Most large organizations -- particularly in the public sector -- have a horror story or several to tell of computer equipment that has "walked". Many such stories suggest that people who walk out of buildings with computer equipment under their arm are rarely challenged (and sometimes even assisted!). Locking-down computer equipment and/or ensuring adequate door and window security at all computer locations should today just be pure common sense.
Physical security also needs to be particularly carefully considered in semi-public locations (such as many open plan offices). For example, it needs to be considered how easy it would be for somebody to gain access to a PC, insert a USB memory stick, and walk away with valuable or sensitive data.
Large corporate data centres in which the computer equipment is located in an air conditioned room typically have fire control systems that will hermetically seal the location and put out a fire using an inert gas. In smaller companies and domestically this clearly is not an option. However, whilst computers themselves may be at risk from fire (and indeed the cause of a fire!), back-up media can be protected in a fire safe, and/or via off-site storage. The physical security of storage media against the threats of fire, flood and other forms of damage is discussed further in the following section.
Alongside theft, fire and flood, the other most significant threat that can damage computer equipment and/or the data held on it comes from power surges (voltage spikes) or power outages (brown-outs or black-outs). Many hard disk failures in particular are thought to be linked to power surge or outage issues of which users are often unaware. To protect against this very real but often ignored threat to computer equipment and data, a power surge protector and/or uninterruptible power supply (UPS) unit can be employed. Surge protectors are relatively cheap and protect against voltage spikes. They are today often built into multi-socket outlets with an insurance guarantee included for the connected equipment.
For even greater protection, a UPS unit includes a rechargeable battery that will continue to power a computer and key peripherals during a mains power brown-out or black-out. Software is usually also used to permit a controlled shut-down of equipment when a power black-out occurs. UPS units are more expensive than surge protectors, somewhat bulky, and often very heavy. However, for a server or key personal computer (such as one used to run a business or key part thereof) they are also a very good investment.
MINIMISING THE IMPACT OF ERROR, FAILURE OR LOSS
Whilst physical threats need to be protected against, most data is lost or corrupted following user error or hardware failure. The best defence against this is an appropriate back-up strategy, triggered on both a time and event basis and with appropriate physical resilience.
In other words, users need to ensure that they take back-ups at regular intervals and before and after making key data changes. They also need to store multiple back-ups on different media in different locations. There is no such thing as a permanent store of any form of computer data. Nor is any storage location entirely safe (although the cloud data centres run by Google, Amazon, IBM, Microsoft and other computing industry giants are pretty well protected these days!).
Whilst any back-up strategy does require the selection of appropriate storage media, user education is often an equally key consideration. Taking regular back-ups is at best only half of the story. Far too many individuals and businesses keep their back-up media -- be they removable hard drives, optical disks or even USB memory sticks -- in an entirely insecure manner in the same physical location as their computer. Even in corporate IT departments this has been known. Such practice has to significantly reduce the value of back-ups.
When making their disaster recovery plans and addressing the key computer security questions (as discussed at the end of this section), the location of back-up media needs careful consideration. Even on a domestic level, most households could keep a few writable CD or DVD disks (or even SD cards) of key back-ups (including photographs and their music collection) in a secure location (in the roof, under a floorboard, with family and friends, or wherever), which would provide significantly increased data storage resilience. However, unfortunately most people still only ever think of this kind of simple strategy after it is too late.
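The back-up advice above (copies taken at regular intervals or on key events, held on several media in several locations, and actually checked) can be seen working in the following added example. It is illustrative code written for this page, not a tool the article recommends or describes: the directory names, the "pre-year-end" event label and the sample files are all constructed. Each copy carries a SHA-256 manifest, so a copy on damaged media can be detected before it is needed.

```python
"""Added example: copy a directory to several destinations and keep a
SHA-256 manifest with each copy so that it can be verified later.
Illustrative code written for this page; paths and files are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "backup-manifest.json"


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Map every file under source_dir (relative path) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_of(full)
    return manifest


def make_backup(source_dir, destinations, label=None):
    """Copy source_dir into each destination (standing in for different media
    or locations). The copy is tagged with an event label such as
    'pre-year-end' or, failing that, a UTC timestamp (a time-based trigger).
    Returns the list of back-up directories created."""
    stamp = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    manifest = build_manifest(source_dir)
    created = []
    for dest in destinations:
        target = os.path.join(dest, f"backup-{stamp}")
        shutil.copytree(source_dir, target)
        with open(os.path.join(target, MANIFEST_NAME), "w") as f:
            json.dump(manifest, f, indent=2, sort_keys=True)
        created.append(target)
    return created


def verify_backup(backup_dir):
    """Re-hash every file named in the manifest. Returns a list of problems
    (missing or altered files); an empty list means the copy is intact."""
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"altered: {rel}")
    return problems


def demo():
    """Constructed run: two files, two 'locations', one copy later damaged.
    Returns the verification results before and after the damage."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "documents")
    os.makedirs(source)
    with open(os.path.join(source, "accounts.txt"), "w") as f:
        f.write("year-end figures (constructed sample)\n")
    with open(os.path.join(source, "photos.txt"), "w") as f:
        f.write("holiday photo list (constructed sample)\n")
    # Two destinations stand in for an external drive and a disk kept off-site.
    dests = [os.path.join(work, "external-drive"), os.path.join(work, "off-site")]
    for d in dests:
        os.makedirs(d)
    copies = make_backup(source, dests, label="pre-year-end")
    before = [verify_backup(c) for c in copies]
    # Simulate media corruption on the first copy only.
    with open(os.path.join(copies[0], "accounts.txt"), "a") as f:
        f.write("corrupted\n")
    after = [verify_backup(c) for c in copies]
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is that a back-up which has never been verified is only a hope: in the demonstration run, the off-site copy still checks out after the first copy is damaged, which is exactly the resilience that keeping more than one copy is meant to buy.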
Physically protecting computer equipment and data against damage or loss is a large element of computer security. However, another large element is limiting access to all or part of a system or data store to authorised users only. In the broadest of terms, user authorisation within any security system can be verified via one of three means:
For good security, two of the above measures should be employed for what is known as "two-factor security". For example, to obtain money from a bank cash machine both a card and a PIN (personal identification number password) are required.
Where computer security is concerned, one measure of user verification will almost always be a password given the relative technical ease with which this can be implemented. Computer keyboards, mobile computers and dedicated input devices that include fingerprint readers are also becoming more common, and can be combined with passwording to achieve two-factor security. ID cards and even retinal scans are also used in conjunction with passwords on high-end security systems. However, any system that requires a token or biometric to be read has proved difficult to roll out en masse. This said, recently some banks have started to provide each customer with a reader device into which their bank card is inserted. This allows for two-factor security, as the unit displays a number for each transaction that is uniquely in sequence with their bank. More information on the card reader supplied by Natwest Bank to its customers since November 2007 can be found here.
Today at least, and probably in practice for many years to come, one-factor security based on passwords is all that is available for identifying authorised users in the majority of computing situations. This in turn means that users must be educated to use strong passwording -- or in other words, to choose and use passwords in a manner that makes the password difficult to either fathom or otherwise obtain by an unauthorised party. To be classed as "strong", passwords,
Users should also try and ensure password security by following the measures as outlined below under "Internet Security".
In part the confidentiality of data is protected via physical security measures and appropriate user authentication precautions as already outlined above. However, effective security should plan for what happens if these measures fail, and how data confidentiality can be protected even if computer equipment or media fall into the wrong hands. This is particularly important when it comes to the protection of sensitive information such as financial data.
The confidentiality of the data on stolen hardware or of data accessed by unauthorised users can be protected via encryption. For example, software such as the open-source TrueCrypt (available from www.truecrypt.org) can be used to encrypt the data on any storage device (for example a USB key carried in your pocket). Office documents can also or alternatively be protected by securing them with a password. This can be a particularly sensible thing to do when e-mailing sensitive documents, or posting them by snail mail on removable media. In an office package such as the freely downloadable OpenOffice, password protecting a file is as simple as ticking the "save with password" option when selecting "Save As".
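What "protecting a file with a password" involves underneath is shown in the following added example, which is illustrative code written for this page and not the method used by TrueCrypt or OpenOffice. The password is stretched into a key with a random salt and many PBKDF2 rounds (so that each guess at the password is expensive), the file bytes are encrypted under that key, and an integrity tag lets the reader tell a wrong password or an altered file apart from a good one. To keep the example self-contained with only the standard library, the cipher is a keystream built from HMAC-SHA256 in counter mode, which is an assumption of this example rather than the block-cipher modes that disk-encryption tools use; the sample document and passphrase are constructed.

```python
"""Added example: password-based file encryption from first principles
(salt + PBKDF2 key stretching, keystream encryption, encrypt-then-MAC tag).
Illustrative code for this page; the HMAC-counter keystream is chosen for
self-containment, not what TrueCrypt or an office suite actually uses."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000   # deliberately slow: every password guess pays this cost
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password, salt):
    """Stretch the password into one encryption key and one MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """Pseudo-random bytes: HMAC(key, nonce || counter) for counter 0, 1, 2..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password, plaintext):
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Encrypt-then-MAC: the tag covers everything the reader will parse.
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def decrypt(password, blob):
    """Return the plaintext, or None if the password is wrong or the data altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def demo():
    """Constructed document: the right passphrase recovers it, a wrong one
    and a tampered file are both rejected, and the plaintext is not visible."""
    document = b"Account 12345678: balance 1,024.00 (constructed sample)"
    passphrase = "kettle-orbit-lantern-47 (constructed)"
    blob = encrypt(passphrase, document)
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    return {
        "right_password": decrypt(passphrase, blob) == document,
        "wrong_password": decrypt("password1", blob) is None,
        "plaintext_visible": document in blob,
        "tampered_rejected": decrypt(passphrase, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two points carry over to any real tool: a lost or stolen USB key encrypted this way yields only the salt, nonce and ciphertext, so confidentiality now rests on the passphrase and the cost of guessing it; and a wrong passphrase is refused outright rather than producing garbage, because the tag is checked before anything is decrypted.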
Data confidentiality also needs to be protected on output and disposal. In the case of the former, in an open plan office environment precautions should be taken when sending documents containing confidential information to a communal network printer. In the case of the latter, printed output containing sensitive data needs to be disposed of securely (eg via shredding and/or incineration), as do waste media (such as discarded optical disks).
At the end of a computer's life or when components are being upgraded, care also needs to be taken to ensure that discarded hard disk drives (including those located in external hard drive units) are appropriately erased before disposal.
The connection of most computers in the world to the Internet, coupled with the growth of cloud computing, has inevitably broadened significantly the scope of computer security and control vulnerabilities.
Before the widespread adoption of personal computers, rogue programmers with malicious or criminal intent would try to "hack" into big computing facilities via the phone network. Then, once personal computing really took hold, the focus for many such malicious programmers shifted to writing computer viruses that could be unknowingly distributed on floppy disks, and which could hence disrupt the operation of those millions of computers not connected to the telephone network. Today, this situation has evolved again, with many personal computers having an "always on" broadband connection which makes them potentially prone to unauthorised access via a computer network. And on top of this, the virus writers are still at work, the fruits of their corruptive programming labours now distributed both online and via physical storage media.
Whilst there are very real security risks associated with both the consumer and business use of the Internet, it is also the case that many such security concerns are perceptual. To an extent, all that has really changed over the past few years has been the willingness of people and organizations to conduct their affairs over the world-wide web. The sensible use of a credit card over the web is not that much more secure than it was five years ago. The fact that it has become the norm is therefore due to the fact that the risk/benefit ratio of doing e-business has shifted significantly in favour of the "benefit" side in the eyes of the value-seeking majority.
Care, of course, does need to be taken. For a start these days it is foolish in the absolute extreme to run any computer with an Internet connection without antivirus software. Such software -- such as the range of Norton security software available from www.symantec.com -- is most usually commercially purchased with a yearly subscription for regular updates to its virus definition database. However, it is possible to obtain antivirus software for free. Indeed, my own current recommendation for PC owners is to install Microsoft Security Essentials. For most people this is a very good option, does not hog resources, comes from a reputable organization -- and is free!
In addition to (though often bundled with) antivirus software, all computers with a potentially always-on Internet connection should be protected via a firewall. Whilst antivirus software is intended to detect and prevent infestation with malicious software (including viruses and other "malware"), the job of a firewall is to regulate the network communications a computer receives, permitting or denying such communications based on how trusted the communications source is considered to be.
Firewalls can be implemented via either hardware or software. A personal computer firewall will almost certainly be software based, although increasingly some form of hardware firewall is being incorporated into wireless ADSL routers (wireless access points). Like antivirus software, a firewall needs to be regularly updated with the latest threat information to be most effective. Windows XP, Vista and Windows 7 all include a software firewall, although many people choose to adopt third party firewall software as an alternative to this.
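The decision a firewall makes for each incoming connection, as described above, can be modelled in a few lines. The following is an added example written for this page, not the logic of the Windows firewall or of any router: rules are checked in order, the first match wins, and anything no rule allows is dropped ("default deny"). The policy, the private address range and the sample connection attempts are all constructed.

```python
"""Added example: a minimal model of inbound firewall filtering.
Rules are evaluated top to bottom, first match wins, unmatched traffic
is denied. Illustrative code for this page; policy and samples constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    source: str            # network the connection comes from, in CIDR form
    port: Optional[int]    # destination port, or None for any port
    comment: str = ""      # why the rule exists; copied into the log entry


# Constructed policy for a single home PC on a 192.168.1.0/24 home network.
HOME_PC_POLICY = [
    Rule("allow", "192.168.1.0/24", 445, "file sharing from the home LAN"),
    Rule("allow", "192.168.1.0/24", 3389, "remote desktop from the home LAN"),
    Rule("deny", "0.0.0.0/0", 445, "never expose file sharing to the Internet"),
    Rule("deny", "0.0.0.0/0", 3389, "never expose remote desktop to the Internet"),
    # No general allow rule: anything not matched above is dropped.
]


def decide(policy, src_ip, dst_port):
    """Return (action, reason) for one inbound connection attempt."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        in_network = ip in ipaddress.ip_network(rule.source)
        if in_network and rule.port in (None, dst_port):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


def filter_inbound(policy, attempts):
    """Evaluate a batch of (src_ip, dst_port) attempts and return log-style
    tuples (src_ip, dst_port, action, reason)."""
    return [(ip, port, *decide(policy, ip, port)) for ip, port in attempts]


def denied_sources(policy, attempts):
    """Addresses whose attempts were all refused: what a user would review
    when deciding whether the firewall log shows a problem."""
    log = filter_inbound(policy, attempts)
    allowed = {ip for ip, _p, action, _r in log if action == "allow"}
    return sorted({ip for ip, _p, action, _r in log if action == "deny"} - allowed)


# Constructed sample of inbound attempts, as a router log might record them.
SAMPLE_ATTEMPTS = [
    ("192.168.1.20", 445),    # neighbouring PC on the home LAN
    ("203.0.113.7", 445),     # unknown Internet host trying file sharing
    ("203.0.113.7", 3389),    # same host trying remote desktop
    ("198.51.100.9", 22),     # port with no rule at all: default deny
]

if __name__ == "__main__":
    for entry in filter_inbound(HOME_PC_POLICY, SAMPLE_ATTEMPTS):
        print(entry)
```

The ordering matters: the LAN "allow" rules sit above the blanket "deny" rules, and there is no trailing "allow everything", which is why the attempt on port 22 is refused even though no rule mentions it. A product firewall adds state tracking and outbound rules, but the allow-list-then-default-deny shape is the same.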
In addition to antivirus software and a firewall, user vigilance and even plain common sense provide one of the most effective defences against potential Internet-related security vulnerabilities. For example, users should be educated never to open unsolicited (spam) emails, and doubly-so never to open any e-mail attachments included with such e-mails (and as may be automatically opened by some configurations of e-mail software). Viruses and other malware (such as "sniffer" software intended to record and communicate usernames and passwords) can be attached as "Trojan" (horses) to e-mails. However, it is only when the user opens such messages and executes their attachments that corruption or security risks can occur.
Users also need to ensure that they use strong passwording (as above) when setting up accounts for web transactions. They should also never permit their browser software to remember their login details for a website unless they are absolutely certain of who else may have access to the computer they are using. Indeed, it is still potentially unwise to let even a single-user PC remember passwords for activities such as online shopping or online banking. This is because the theft of the PC would permit direct access to the user's bank and other online accounts.
Talking of online transactions, users should also be careful only to conduct business online with trusted websites and over secure (encrypted) connections. Trusted websites are those that are well known, have an established trading history, and which advertise contact points for both online and off-line customer support. Secure connections can be identified by looking for the letters "HTTPS" (a secure version of the hypertext transfer protocol that facilitates web communications) at the start of the web address seen at the top of a web browser window. HTTPS connections exchange digital certificates to encrypt communications via what is known as a "secure socket layer" (SSL). As a basic rule, never enter your credit card details into a web page without first checking that the address of the page starts "HTTPS".
For users of cloud computing services such as SaaS applications, all of the above points relating to good Internet security clearly apply. Computing in the cloud is still deemed by many to be risky. However, it can also bring security advantages as user data is protected off-site in large vendor data centres. For example users of Google Docs are always safe in the knowledge that their files are always securely stored on two different servers in two different data centres. For private individuals and small companies, such a high level of off-site data protection and replication is hard to achieve by other means.
In addition to using antivirus software, a firewall, strong passwords, and uploading regular operating system and browser updates, it is doubly important for users of the cloud to ensure the security of the computer they use to access their chosen online services. In particular care needs to be taken to make certain that they never leave active accounts on a device that may be stolen or otherwise accessed by inappropriate users. For example, files held in Google Docs or indeed any other SaaS application are not at all secure if a user leaves their netbook or smartphone in a public place and all anybody has to do to gain access is to boot up the machine and visit the appropriate web address. SaaS users who share desktop PCs -- or who for example use public desktop computers in cyber cafes -- ought also to be very careful indeed to ensure that they log out from cloud services whenever they finish using them.
Both individuals and in particular businesses should have plans in place to cover the eventuality of hardware failure or loss and/or data loss or corruption. Such disaster recovery or "business continuity" plans need to address how data would be recovered, what hardware would be used to run critical applications, and by whom. Such plans particularly need to take into account any current use of out-of-date software applications that may not be able to be replaced and/or run on replacement hardware and operating systems. To recover back-ups of data that cannot be run on any available hardware and software will not in any way ensure business continuity!
Depending on the types of threat they are intended to cover, disaster recovery plans may rely on one or a mix of strategies (and a mix is arguably often best). One option is on-site standby, where duplicate systems exist that can be used to run critical operations (provided that data is still available or can be recovered). Such duplicate systems need not necessarily be standing idle waiting for disaster (as they would be in a nuclear power station), but may be everyday systems used in one part of the business that are prepared to run key applications from other parts of a business if the need arises.
As an alternative to on-site standby, some sort of off-site standby is very common. If a company has multiple buildings or premises, then it makes sense both to hold off-site back-ups across these locations, and to ensure that key system functionality can be duplicated across sites.
Some businesses also have "reciprocal agreements" with other companies to make use of their computers to run key operations in the event of a disaster (such as a fire that destroys their premises). Often small and medium-sized companies make such reciprocal agreements with nearby schools who have suitable computer suites which they are prepared to offer as an off-site standby provision for a reasonable cost. For larger organizations, or those highly dependent on computing continuity, "hot-site agreements" can be made with firms that offer commercial disaster recovery as a service, and who can deliver (for a price) portable working computer rooms at very short notice.
As a final element of disaster recovery planning, replacement purchase plans should be in place. In the event of fire or theft, the last thing most individual users or companies would want to be thinking about is where to purchase new computer equipment from, and what specification to choose. Not least this is an issue because direct-specification let alone exact-model replacements for any items of computer hardware or software more than a year old are incredibly unlikely to be available.
We live in a world where data is held on everybody and used and inter-linked for a very wide range of purposes. In an attempt to provide some redress against inappropriate data use, in the United Kingdom the Data Protection Act (DPA) 1998 protects data held on living individuals.
Any individual can submit a subject action request to any party that holds data on them. This allows them to obtain a copy of all data held on them within 40 days of the subject action request being received. Following a subject action request, individuals can challenge the validity of the data held on them, and if appropriate can claim compensation relating to any inaccuracy or misuse.
The Data Protection Commissioner is charged with ensuring that all data in the UK "shall be obtained and subsequently processed in a fair and lawful manner". All organizations have to have a "data controller" who, with a few limited exceptions, must register all data stored with the Data Protection Commissioner. They must also be open about the data's purpose, and ensure its accuracy and security.
Whilst the Data Protection Act protects individuals on whom data is held, it does not protect data itself or computer systems. Such protection is provided in the United Kingdom by the Computer Misuse Act (CMA) 1990. This created three levels of offence, which make it illegal to gain unauthorised access to computer material; to gain unauthorised access with intent to commit or facilitate further offences; and to make an unauthorised modification of computer material. The last of these offences in theory at least makes it illegal to write and distribute computer viruses.
COMPUTER SECURITY: SUMMARY
For most users and organizations, effective computer security and data integrity involves carefully considering the following key questions:
Unless there are deemed to be no negative consequences that could arise, in order to address the potential implications of the above any computer user -- be they an individual or a large business organization -- needs to take the following measures.
First and foremost, a back-up strategy should be implemented that provides resilience against flood, fire, theft and media failure. Such a strategy needs to ensure that back-ups are taken at regular intervals and when key events take place (for example when a major project is completed or prior to and following a company's end-of-year and audit). Resilience will be obtained by keeping multiple back-ups on multiple media in multiple locations. As noted above, users of cloud computing services often obtain excellent resilience just by using online applications. For non-cloud computer users, more information on back-up hardware and services is included in the storage section.
Alongside a back-up strategy, users must ensure that they are using strong passwording (see above) and have a firewall and antivirus software installed on all computers connected to the Internet. It is also important to ensure that files are encrypted where protection is needed against loss of data confidentiality in addition to loss of data access. Many people are excellent at keeping back-ups, but have never thought about the consequences of one of their back-up devices (such as a USB key containing all of their personal files) getting lost or stolen and falling into the wrong hands.
Also of critical importance for organizations is the maintenance of a disaster recovery plan for ensuring a continuity of operations in the event of hardware failure or loss. Finally, if data is being held on living individuals, a company must make sure that it has registered with the Data Protection Commissioner and made appropriate plans for handling any subject action requests.