8.4. Tools for Security
To ensure the confidentiality, integrity, and availability of information, organizations can choose from a variety of tools. Each of these tools can be utilized as part of an overall information-security policy. The tools can be categorized as authentication, prevention, or detection.
Authentication
The most common way to identify someone is through their physical appearance, but how do we identify someone sitting behind a computer screen or at the ATM? Tools for authentication are used to ensure that the person accessing the information is, indeed, who they present themselves to be. Authentication can be accomplished by identifying someone through one or more of three factors: something they know, something they have, or something they are.
Something They Know
Passwords | The most common form of authentication today is the user ID and password. Authentication is done by confirming something that the user knows (their ID and password). This form of authentication is easy to compromise: passwords can be guessed, phished, captured by malware, or reused from another site that has been breached, and the secret must be stored on the server (as a salted hash) where it can be stolen. |
Out of Wallet (OOW) Questions | Questions that can be asked of the user to authenticate their identity. OOW questions are meant to be easy for the user to answer but hard for anyone else. An example might be – what is the name of your first pet? In practice the answers are often discoverable from social media, public records, or earlier breaches, and they cannot be changed once exposed, so they are now regarded as a weak form of "something you know" suited at most to low-risk account-recovery flows, not to primary authentication. |
Something They Have
Tokens | Means identifying someone by something they have, such as a key, a smart card, or a code-generating device. This can also be problematic: the token can be lost or stolen, and whoever holds it can then impersonate the owner unless it is combined with another factor. |
Something They Are
Biometrics | This factor identifies a user through the use of a physical characteristic, such as a retinal scan, fingerprint, or facial geometry. This is much harder to compromise remotely, though a biometric cannot be reissued like a password if the stored template is stolen, so templates must be protected at least as carefully as password hashes. |
Multi-factor Authentication
A more secure way to authenticate a user is through multi-factor authentication. By combining two or more of the factors listed above, it becomes much more difficult for someone to misrepresent themselves, because an attacker has to defeat each factor independently. An example of this would be the use of an RSA SecurID token. The RSA device is something you have, and it generates a new access code every sixty seconds. To log in to an information resource using the RSA device, you combine something you know, such as a four-digit PIN, with the code generated by the device. The only way to properly authenticate is by both knowing the PIN and having the RSA device that produces the current code.
“Chapter 6: Information Systems Security” from Information Systems for Business and Beyond (2019) by David Bourgeois is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.
“Chapter 4 – Information Security” from Information Systems: No Boundaries! Copyright © 2021 by Shane M Schartz is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.