The physical world and the digital world have many similarities when it comes to security processes. The need for authentication, authorization, confidentiality, and integrity do not change from the physical world to the digital one. They do, however, change in execution through digital means and medium. For instance, the authentication of a person cannot always be done through physical recognition since the person could be across the world sitting in front of a computer. In such a case, the authentication process must be through digital means. Instead of identification cards and drivers' licenses, certificates with the user's information must be used. The certificate is a form of credential, a digital form similar to a driver's license. Another form of credential is the password used when a person logs in to a Web site.
Once the identity has been matched with a credential and accepted by an organization's system, authentication is achieved. The authorization process requires a lookup of the permission set and digital identification to see if the user has access to a resource.
In order to achieve confidentiality, the system can use the user's key for encryption and decryption. A secret key is a single key that can be used for both encryption and decryption. A key acts as a digital token for allowing data to be read by users who only have access to the secret key. To check the integrity of the information, the system hashes the information into a new hashed information block. The hashed information block is a smaller block of information that uniquely represents the original information. When the information must be checked, the hash block is created again and the two blocks are compared. If the blocks match, the system concludes that the information has not been modified.
The digital processes are merely personal security techniques applied to the digital world. The physical world simply does not apply anymore, except in the case of isolation, which is the process of physically isolating the systems from digital access to protect the systems.
Security is ever-evolving and dynamic; therefore, an enterprise's security architecture must be flexible and agile enough to change as the times and security requirements change. There is one concept that is constant in computer science: It is ever-evolving. At one time, someone was writing x86 assembler, and now they write JSPs and EJBs. Some of the concepts have remained the same; however, technology has changed. An organization's architecture must be designed so that one year it can use Kerberos and the next X.509 certificates with minimal change.
The endpoints of the organization must be constantly monitored to support security. It doesn't do much good if the Web site has a lot of security on a server sitting on a Windows NT machine accessed across the Internet (and open to the world). The network engineers should always be aware of which machines are open and which machines are not and make sure that the only way to pass into secure information is through proper security mechanisms.
The organization that wants to establish security needs to define security requirements, such as identifying which resources are sensitive. For example, the needs of a government and a non-profit organization could be very different. Therefore, the requirements are based on the type of organization, and a security policy is established to define how to enforce these requirements. The security policy governs and dictates the standards, procedures, and practices for the organization. The practices will elicit security rule sets for any resource that should be secure.
It is best to assign a security advisor to keep a running list of administrative usernames and passwords so that, if access is lost to the system, it can be recovered by logging in as the administrator. A plan needs to be devised that regulates, tests, maintains, and updates the security system at regular intervals.