Effective information networks combine flexibility with security.by Bailey, James M.
Effective Information Networks Combine Flexibility with Security
In the film "War Games," a teen tinkering with his home computer inadvertently triggers World War III preliminaries. While that's not likely to actually happen, the possibility of sensitive data files being fraudulently accessed, damaged, or destroyed has many organizations concerned.
Computers have found their way into all areas of business, industry, education, and government. Increasingly far-reaching information networks linking computers and databases provide important benefits, including greater staff productivity and a sharper competitive edge. The more that we expand the reach of our information networks, the more important network security becomes.
Why Information Networks?
The personal computer is the symbol of the modern, automated business. Certainly nothing has more profoundly affected data processing operations. Its growing popularity coupled with powerful business software, has resulted in an explosion of stand-alone data processing systems in many different departments of organizations throughout the world.
But the computers in these distributed departmental systems normally function only as separate entities. Data generated with computers tends to remain within the departments where they are located. This data is not readily available for profitable use by other departments.
Information networks, however, are now solving many work and productivity problems. Networks promote information exchange by interconnecting distributed departmental computers and associated terminals, printers, and other devices with centralized computers so that all units function as part of a single, unified communications system.
Ideally, the result will be one, cohesive network in which authorized personnel can speedily and efficiently access computers and other system resources from any terminal or other device, whether they are in the same room, building, city, or even country. But whether this total information network flexibility is achieved depends to a great extent on how network security is implemented.
Network Security Problems
Security problems were advanced right along with computers. These problems have multiplied with the expansion of information networks because these networks bring into play a growing number of computers, terminals, and other devices. This creates a greater potential for unauthorized access. In addition, networks often are designed to permit access via dial-up phone lines.
Popularized in newspaper headlines and motion pictures, hackers are perhaps the most well-known example of outsiders gaining unauthorized access to computers. Normally lacking criminal intent, these amateur computer buffs simply want to prove that they can "crack" a system. They can cause significant damage to, or even destruction of, valuable computer files. Other intruders attempt to gain unauthorized access to a computer for fraudulent purposes. These might include accessing and manipulating computer files to credit bank accounts, creating false payments, or tapping proprietary data such as sales results or customer lists. These external threats are significant sources of security problems.
Even more important are the dangers posed by dishonest or disgruntled employees who seek unauthorized access to sensitive and/or restricted information. Dishonest employees, for example, may try to access payroll records or other computer files for their own advantage. Disgruntled employees may try to gain entry to computers to delete or destroy information vital to the existence of an organization.
Solving Network Security Problems
The most effective way to solve network security problems is to build protection against unauthorized access into the system as an integral part of network design. True security can best be achieved by establishing a number of protective network barriers, or levels, between computer data files and users.
Let's first discuss the security measures provided at the computer level to understand how these network security levels function. Computer security basically involves the use of a log-on procedure. Authorized computer users are each provided with their own log-on procedure, which typically consists of a user name and a password. To access the computer, users log-on through terminals and gain authorization to access the computer and either specific files or all files stored within the computer.
Prior to the development of networks, this type of centrally controlled computer security was the primary method of protection against unauthorized access. Physical security precautions against entry into both the computer room and offices containing terminals linked to the computer furnish a secondary form of protection. An example is a card key required for entrance to terminal/computer rooms. In pre-network days, all terminals usually were directly connected by cable and located in the same building.
This level of computer security normally can be breached internally only if someone somehow learns the log-on procedure of others, giving that individual access to not only the computer but to specific computer files for which he or she may not be authorized.
It is more difficult for outsiders to circumvent computer security. The outsiders must first gain access to an office with a terminal as well as learn the log-on procedure of an employee. Outsiders have an easier time if an organization permits dial-up calls to the computer via an unlisted but relatively easy-to-learn phone number. The intruder must still learn the log-on procedure, but by then a major obstacle has already been overcome. This low level of dial-up security has for the most part been abandoned because gaining unauthorized access was too easy.
On the other hand, computer security based on the use of a log-on procedure has been sufficient in installations where terminals are local and connected directly by cable. It is a level of security that continues to be provided when computers are connected to a network.
This security level alone, however, is not sufficient protection against unauthorized access in a network environment. That's because terminals often are indirectly connected via phone lines from off- premise locations where physical control of their use is more difficult to assure. Networks, therefore, require an additional level of security as an integral part of their operation.
Basic Network Security
Most networks provide a level of additional basic security by acting, in effect, as a doorway or guard for the computers that they serve. The networks perform this security function by restricting terminals from accessing some computers but not others, depending on the purposes for which the terminals are to be used.
Under this terminal-oriented security approach, a network asks terminal users which computer they want to access. The terminal users indicate the desired computer. The network then determines if the terminal is permitted to access the designated computer. If it is, the network requests entry of a password associated with the computer. After this password is correctly entered, the network connects the terminal to the desired computer, and the users implement the log-on procedure to access specific data files stored in the computer. If the network determines that the terminal is not permitted to access this computer, the connection request process is terminated immediately.
This network control of computer access by terminal can reduce the flexibility and ease of network operation. Each terminal in the network can only be used to access specified computers.
Suppose, for example, that an accounting department operates a terminal that is used to access the computer running an organization's payroll system. For security reasons, no other terminal in the organization is permitted to access this same computer.
If this terminal breaks down or the line connecting the terminal is lost, no other terminal can access the payroll computer. Operations must come to a halt until the terminal or line can be repaired, or an alternate terminal can be cleared for access.
Consider, for example, the president of an organization who has a terminal on his desk. This terminal is permitted to access all computers on the organization's network, providing the president with complete access to all computer files. But suppose the president is in the sales department and wants to use a terminal there to access a computer containing financial data. If the sales department terminal is restricted from accessing computers with financial information, the president will not be able to get the information he needs when he needs it.
The problem is even worse in the case of dial-in phone calls to the network. Because it is impossible to know who is making these calls, the network must either deny access or limit it to computers containing nonsensitive data.
Limitations like these call for a more advanced approach that combines security with flexibility.
Advanced Network Security
An advanced security approach is provided by networks that incorporate a second level of security as an integral part of their operation. This second security level is based on coded user names that have been approved by the network manager and on passwords that can be changed by users themselves at any time but are otherwise "locked in" by the network.
With this approach, users can access computers in a network from any terminal. At the request of the network, the users first enter their coded user name of up to eight characters. The users then enter the password, which can include as many as six characters.
Based on the user name and password entries, the network determines which computers can be accessed by the individual user, eliminating the need to restrict computer access on the basis of which terminal is being used. The user then proceeds to pass through the same basic or first level of security as before by identifying the computer he or she wants to access and entering its associated password. Once connected to the computer, the user also follows the normal log-on procedure. This is an excellent enhancement to all networks, in particular to those using dial-in phone calls. Now the network determines "who" is calling in and implements security accordingly.
Advanced Security Benefits
This advanced level of network security provides maximum network flexibility as well as an additional layer of protection against unauthorized computer access.
The flexibility comes from a user's being able to access computers for which he or she is authorized, no matter which terminal in the network is being used. Computer access can also be attained through dial-up phone connections from anywhere in the country, or even the world. In addition, a user can be sent messages electronically no matter what terminal he or she is using at the time.
In this way, network security is improved because unauthorized users are prevented from getting into the network, much less accessing a computer. With just the basic level of security first mentioned, for example, unauthorized users can get into the network by gaining physical access to a terminal. But, with an advanced security level, they are unable to even get into the network unless they know both a network manager-defined user name and a user-controlled password that can be changed at will by the user to prevent detection.
This advanced security level also makes possible an audit trail of network usage. This trail shows which users signed on to which terminals and computers and the duration of their sessions. Another benefit is that a user authorization can be quickly and efficiently rescinded from the network. Because the network security is controlled from a central point, all it takes is eliminating the individual's user name from the network.
Overall, this advanced security level can help reduce, if not eliminate, the need for costly additional security hardware such as data encryption devices.
Capability Linked To Security
Organizations of all sizes today run on information. A well-planned network circulates this information life-blood to all parts of an organization as efficiently as possible. Inappropriate network security provisions, however, can reduce network flexibility and still not close the door against unauthorized access and information loss. The ability of a network to blend an advanced level of security with maximum operating flexibility, therefore, must be considered carefully in any network plans.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices
Visit the new cpajournal.com.