Continuing with Understanding the criteria….
When we refer to IT security, we usually look at access management i.e. authentication and authorization.
Authentication simply means you are who you say you are. It is also referred to as identity management.
Authorization means are you authorized to use the given service / application / system i.e. are you allowed access? Do you have the rights to use the resource? Authorization is usually a group / role specific policy. Rarely is authorization set at the individual level. Authorization can be also implemented , in a charging system, as do you have credits to be allowed to use the resource? This, of course, would be at the level of the individual or an entity such as an organization. Examples of this would be encountered in a utility computing model say cloud computing or even for mobile phone services. In the latter, the services are degraded once the credit limit is reached and are restored once the customer tops up his account with the required minimum amount. Authorization is also referred to as access management.
A robust access management system includes verifying identity and entitlement, granting access to services, logging and tracking access, and removing or modifying rights when status or roles change.
ITIL talks about information security as being effectively managed if
information is available and usable when required (availability)
information is observed by or disclosed to only those who have a right to know (confidentiality)
information is complete, accurate and protected against unauthorized modification (integrity)
business transactions, as well as information exchanges, can be trusted (authenticity and non-repudiation).
In cases where information is to be protected , use of cryptography and methods such as symmetric encryption, Public Key Infrastructure (PKI) (asymmetric encryption algorithms) and digital signatures (ensures non-repudiation). For more, read http://en.wikipedia.org/wiki/Public_key_encryption
A strategy referred to as ‘defense in depth’ is used to secure computer systems from outsider attack. Here, the premise is that even if the outer wall is breached, the inner sanctum is still secure and it is also time-consuming for the attacker, by which time, a breach may be detected and flagged by a good audit trail system.
You may be more familiar with this when building systems that access the internet and are accessible from it. Here, a De-militiarized Zone (DMZ) adds another layer of security to the firm’s LAN. For more see http://en.wikipedia.org/wiki/DMZ_(computing)
This is the most overlooked aspect of a solution / application. However clever your system may be, however ingenious the engineers developing the system, if the user does not find the application easy to use, then you have a hit a brick wall. Resistance from the users can sound the death knell of any application. A good application should be intuitive to use and leverage existing habits of users. Forcing users to change their ingrained habits is always difficult. Especially with reference to transactional systems and customer facing applications, where responsiveness is key, a non-intuitive interface coupled with inadequate training on a new system can lead to frustrated users. In my experience, at British Telecom, when a GUI was introduced to the customer service representatives replacing the old mainframe UI, the sluggish responsiveness of the new UI led to experienced users switching over to the old system so that they could finish their quota of calls to be attended to. CSRs are very stressed individuals and you do not want a system to add to their discomfort.
These , in my opinion , are the most relevant criterion in evaluating an architecture. Their importance may vary from system to system. But a good and simple way of evaluating a software architecture to assign weights to each criteria and a range of values from 1 – 10 for each criteria. This will give you a rough and ready estimate as to how well your architecture stands up to scrutiny.
Have a good day!
To be continued ……