An little overview of the security layers needed to secure your system and data.
by Emeric Nasi
The first step to security is to know what to secure, that is, your assets/resources you want to protect.
When we talk about OS security we are talking about two different main assets, the system integrity and the
A well protected OS should protect both the system and the data. The corruption of the system should not lead
to the corruption of the data and vice-versa. I should add that the data should not depend on the system and vice-versa. The OS and the data it hosts
have common security layers but should also have their own. I am going to describe them.
I The system security
The most important thing when we talk about OS security is : "always run with minimum privileges".
The users should only use admin accounts for admin tasks. That statement is well known to UNIX users but it is still a big problem for people using Windows (and it is not entirely their fault since a lot of them may experience bugs and strange system behavior when using a non admin account, hopefully that has evolved for the better with latest Windows release).
What I said about users should be applied to system users as well. Any process running in background should only
run with the privileges he needs for the specific tasks he does. For example, an printing server should not be allowed to
add a new user or to format the disk.
An OS should have other security layers (that protect both the system and the data) :
- Regular updates of applications and security patches
- Regular system configuration backups
- An intrusion detection/prevention system to prevent attack and malwares
- Disable data execution to prevent buffer overflow
- Good resource-sharing management
- A real separation between different users (ex file-system access rights)
- A real separation, between different process
- Limit the possibility to gain admin powers
- Log monitoring and real-time alerts
II The data security
II.1 Regular data backups
This is the most important recommendation concerning data security and maybe all OS security.
Very often the data represents the large majority of the assets you want to protect and the system security is used to protect these assets. But don’t rely only on the system. The system can crash, the system can be hacked.
So backup, backup, backup!
If you use your computer only to watch some emails and do a bit of googling, maybe you do not need to save your data. In any other case (pc storing family pictures , company workstation, big servers, etc) backup!
Your data may not be confidential, but you do not want to loose it!
If your data is somewhat confidential (at in most case it is, think about it). Encrypt it.
You can as well use encrypt the entire system. But I recommend the data encryption should not be linked to the system encryption. Remember, data and system should be independent. Also do not forget to encrypt the backups!
Backup prevent the lose of data, encryption prevents eavesdropping. Both layers prevent data corruption.