Primer on the four basic categories of security
Here is a refresher on the four fundamental
categories of security – authentication, authorization, administration and
audit. Each poses a basic question. And each must be addressed before the next becomes fully effective.
Are you who you say you are? Authentication
is the set of tools and processes for identifying people and machines. ID
badges, key cards, passwords, biometrics all deliver information about whether
a person is who they claim to be.
I know who you are, but what may you do?
Authorization technologies limit and control behavior, but also aim to allow
appropriate activities. Locks, entry devices, card readers, antivirus software,
encryption, even fences and guards require or respond to information about
one’s privileges, then ensure that one can perform all the duties of his or her
Lots of you are doing lots of things. How do
I manage it? Administration is both a set of processes and a technological act,
often requiring software and computers or data repositories called directories.
Access control administrator software, provisioning software, the forms you
pass around to managers to get approvals, all allow organizations to add,
delete or modify information about people and their privileges.
What’s happening? Is the authentication and
authorization working correctly? The last of the four categories, audit, is
arguably the most important. Cameras, video recorders, monitoring stations,
alarms, IT-SIM and PSIM products, risk assessments and computer audit logs collect
and display the current state to whomever is concerned. The better systems, of
course, correlate and prioritize events to help people respond to the
Security employs technologies and processes
to ask those questions and respond to the information in the most efficient and