Chapter Summary

To understand the business concerns that drive security policy, activity, and principles, it's essential to understand security practices and how they may be applied to meet any given situation. This explains why general best practices and policies must be tailored to an organization's location, type of business, employee needs, and so forth when formulating security policy for any specific application. It also explains why, even though security policy for any organization has predictable, pro forma aspects, no one-size-fits-all or cookie-cutter approach is feasible when formulating a specific security policy.

The cornerstone of security as a systematic discipline is AAA, which stands for access control, authentication, and accounting. Authentication provides some reasonable proof of user identity, which in turn makes control over access to resources and information possible, as well as permitting individual actions, access, and behavior to be audited and accounted for. Although the details involved in implementing AAA vary from situation to situation, basic requirements for all three security principles remain constant.

Various methods for access control may be applied to systems and networks. These methods include Mandatory Access Control (MAC), Discretionary Access Control (DAC), Rule-Based Access Control, and Role-Based Access Control (RBAC).

User authentication techniques vary in scope and strength, but also in expense. Generally, most ordinary situations are amenable to using accounts with suitably strong passwords, but in situations in which stronger security (and hence, stronger authentication) is required, biometric or special-purpose security devices may be incorporated into authentication schemes instead (or as well).
