Few topics in the information technology (IT) field today generate as much interest as security. Interestingly, the IT world has been struggling with security issues for over 30 years, yet many security problems remain unsolved, unaddressed, and serious. As those responsible for securing systems and networks address security issues by a combination of hardware, software, procedures, policy, and the law, intruders and insiders circumvent protection mechanisms, discover new and unpublished vulnerabilities, or find lapses in an organization's policy and procedure in their efforts to damage systems, destroy data, or simply make mischief. The attacker clearly has an advantage in this struggle between those who protect and those who penetrate: while the protector must close all vulnerabilities, the attacker need only find one to exploit.

Security in enterprise computing systems is also not simply a matter of technology and cannot be addressed satisfactorily with hardware and software alone. It is also a matter of managing people, establishing and enforcing strong (and correct) policies, implementing procedures that strengthen security, and periodically checking the effectiveness of the security architecture and making the necessary changes. The provision of security in any enterprise must also be tailored to that particular organization. While the principles of computing security and common wisdom in the IT field are important, the actual application of such principles depends largely on a number of factors that often vary from enterprise to enterprise (e.g., confidentiality needs for data, customers, access requirements, volatility of data value, and others). Those individuals responsible for enterprise security must balance the need for security against the need for access to their systems (by customers and employees), must weigh the cost of the security measures against the overall strength of the security architecture being constructed, and must also be cognizant of how well the security perimeter is performing. These are difficult tasks indeed. Success in these tasks requires vigilant attention to many factors, and the successful security manager must constantly reeducate him- or herself and his or her staff.