Sunday, March 11, 2007

Select a Security Model

More and more corporations are placing sensitive information on an intranet, and a plan should be in place to secure that data. When developing the plan, consider the following threats and the responses to them.

Threats
  • Snooping or eavesdropping: the risk that someone "overhears" data as it travels over the intranet.
  • User impersonation: the risk that an attacker gains access by pretending to be a legitimate user.
  • Unauthorized access: the risk that an authenticated user reaches confidential data they are not entitled to see.

Responses and Questions for your plan

  • User authentication: Is there a central user directory to check credentials against? Does it speak LDAP or ODBC? Who maintains it? If passwords are used, how are they stored and maintained, and who handles password reset requests? If client certificates are used, how do users obtain their IDs and carry them across different computers?

  • Access control: Once a user has logged in, how is their identity tracked from request to request? Session cookies? Client certificates? Are the resulting access rights stored in the LDAP directory or another database, and who manages them?

  • Data encryption: How will you protect corporate information from being read in transit over the Internet? Will you use SSL/TLS on the web servers or a VPN? Is secure e-mail a concern?

Develop this plan and enforce it strictly.
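As an added example that is not part of the original post, the Python below shows one way the first two responses fit together in an intranet application: check a password against a central user store that holds only salted hashes, hand the logged-in user a tamper-evident session cookie with an expiry, and apply a default-deny access check per resource. The user directory, the cookie-signing secret and the ACL are constructed stand-ins here; in a real deployment the directory would be the LDAP or ODBC store the plan identifies and the secret would come from a vault.

```python
# Added example (not from the original post): authenticate -> session cookie -> access check.
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

PBKDF2_ROUNDS = 200_000


def make_user(password: str, roles) -> dict:
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "roles": frozenset(roles)}


# Constructed directory standing in for the central user DB (assumption).
USERS = {
    "alice": make_user("correct horse battery", {"staff", "finance"}),
    "bob": make_user("hunter2", {"staff"}),
}
# Dummy record so an unknown username costs the same time as a wrong password.
_DUMMY = make_user("dummy", set())

# Cookie-signing secret; a real deployment loads this from a vault (assumption).
SESSION_SECRET = os.urandom(32)

# Constructed ACL: resource path -> roles allowed. Unlisted paths are denied.
ACL = {
    "/intranet/home": {"staff"},
    "/finance/reports": {"finance"},
}


def authenticate(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users still pay for PBKDF2."""
    record = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"]) and username in USERS


def _sign(payload_b64: str) -> str:
    return hmac.new(SESSION_SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str, now: int, ttl_seconds: int = 3600) -> str:
    """Cookie value is 'payload.signature'; the payload names the subject and an expiry."""
    payload = json.dumps({"sub": username, "exp": now + ttl_seconds},
                         separators=(",", ":"), sort_keys=True)
    payload_b64 = base64.urlsafe_b64encode(payload.encode()).decode()
    return f"{payload_b64}.{_sign(payload_b64)}"


def verify_session(cookie: str, now: int) -> Optional[str]:
    """Return the username if the cookie is intact and unexpired, otherwise None."""
    try:
        payload_b64, sig = cookie.split(".")
        if not hmac.compare_digest(sig, _sign(payload_b64)):
            return None  # signature mismatch: tampered or forged
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed cookie
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if now >= payload["exp"]:
        return None  # expired
    sub = payload.get("sub")
    return sub if isinstance(sub, str) else None


def authorize(username: str, path: str) -> bool:
    """Default deny: the user must hold at least one role the resource allows."""
    allowed = ACL.get(path, set())
    roles = USERS.get(username, {"roles": frozenset()})["roles"]
    return bool(allowed & roles)


def request(cookie: str, path: str, now: int) -> int:
    """What a request filter would do: 401 without a valid session, 403 without rights, else 200."""
    user = verify_session(cookie, now)
    if user is None:
        return 401
    return 200 if authorize(user, path) else 403
```

The cookie carries no secret of its own; its only protection is the HMAC, so the server must reject any value whose signature does not verify before it looks at the payload, and the cookie should be set with the Secure and HttpOnly flags so it travels only over SSL/TLS and is not readable by scripts, which ties the access-control response to the data-encryption one.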