The hottest enterprise network security management

  • Detail

Enterprise network security management

in enterprise network security management, there are three principles: providing employees with access to information needed to complete their own work, avoiding unauthorized people from changing the company's key documents, and balancing access speed and security control

the international influence of China's plastic machinery industry continues to improve. The first principle is that we can provide power with super current: the principle of minimum authority

the principle of minimum authority requires us to provide employees with access to information needed to complete their own work in the enterprise network security management, without providing other additional authority

for example, the enterprise now has a file server system. For security reasons, the documents of our financial department will be subject to some special permission controls. The finance department will set up two folders, one of which is used to place some documents that can be made public, such as blank reimbursement vouchers, etc., to facilitate other employees to fill in expense reimbursement vouchers. There is also a file containing some confidential documents that can only be viewed by senior managers of the enterprise, such as the cash flow statement of the enterprise, etc. At this time, when setting permissions, we should set the permissions for ordinary employees and senior managers according to the principle of minimum permissions. If it is an ordinary employee, its function will query the folders it can access, and for the folders it does not have access permissions, the server will deny its access

in addition to this access right, the most common principle is the control of reading and writing. For example, the above financial department has two folders A and B. as ordinary employees, folder a is classified, and of course it cannot be accessed. However, folder B, which is most suitable for the format of reimbursement vouchers, is accessible to ordinary employees. However, what is the access permission? In other words, what access rights do ordinary employees have to the files in this folder? Delete, modify, or read only? If this reimbursement voucher is only a format, a general reimbursement format within the company, other employees, except those in the financial design form format, have no permission to delete or modify my files in this folder, but only read-only permission. It can be seen that according to the principle of minimum permission, we should not only define whether a user has access to specific information, but also define the level of access, whether it is read-only, modified, or fully controlled

however, in actual management, many people will ignore this principle in order to facilitate management

for example, in file server management, there is no security level management for files, but only the control of read and write permissions. In other words, employees of the enterprise can access all the contents on the file server, including the enterprise's financial information, customer information, orders and other sensitive information, but they can't modify the folders that don't belong to their own departments. Obviously, with this design, enterprise employees can easily obtain confidential documents such as customer information and price information. If employees disclose this information to their competitors, the enterprise will lose its competitive advantage

for another example, for employees in the same department, there is no subdivision of authority. Ordinary employees have the same authority as department managers. For example, in the financial management system, ordinary employees do not have the authority to review and revoke the approval of documents. However, some system administrators often give ordinary employees the same operation rights as the financial manager for the convenience of management. Ordinary employees can cancel the approved documents by themselves. This obviously brings many hidden dangers to the security of the financial management system

therefore, to ensure the security of enterprise network applications, we must adhere to the principle of "minimum authority", and not adopt the principle of "maximum authority" because of the convenience of management, thus laying a time bomb for enterprise network security

principle 2: integrity principle

integrity principle means that in the enterprise network security management, we should ensure that unauthorized individuals cannot change or delete information, especially to avoid unauthorized people changing the company's key documents, such as the enterprise's financial information, customer contact methods, etc

the integrity principle is mainly reflected in two aspects in the application of enterprise network security

first, unauthorized people do not need to change information records. For example, in the ERP system of an enterprise, although the financial department has the right to access customer information, it has no right to modify it. It needs to change some information, such as the billing address of the customer, etc. generally, it must notify the specific salesperson to modify it. This is mainly to ensure the modification of relevant information, which must be known by the founder of this information. Otherwise, if an employee modifies the information without the knowledge of the founder of the record, information asymmetry will occur. Therefore, generally in information management systems, such as ERP management systems, there will be a permission control "do not allow others to modify or delete records" by default. This permission also means that only the recorded person can modify the relevant information, and other employees only have the right to access at most, but not the right to modify

second, if someone modifies, the modification history must be saved for subsequent query. In some cases, if other people are not allowed to modify the founder's information, it is also somewhat rigid. For example, the purchasing manager has the right to modify and void the purchase order placed by the purchaser. How to deal with this situation? In ERP system, it can be processed through purchase change order. In other words, other people cannot directly modify the content of the original document. If they want to modify the price and quantity of the purchase order, whether they are other people or the owner of the purchase order, they must solve it through the purchase change order. This is mainly the process of keeping original records and changes for the modification of records. When problems are found later, they can be audited. If the original record is not saved during modification, there will be no record to check when there is a problem. Therefore, the second requirement of the integrity principle is to keep the necessary change log when making changes, so as to facilitate our follow-up tracking

if it is for a file server, the integrity requires that the file server can be restored on time. If we modify a file in the file server, it may be difficult for us to record the modified content. The file server log records at most a certain time and what kind of operation a certain user has performed on a certain file under a certain folder. However, it will not record the specific operation. Such as deleting or modifying the contents of a file. At this point, we need the file server to restore on time. When the user finds that a file has been illegally modified, it should be able to recover to the latest time. Of course, this recovery needs to be specific to specific folders or even specific files. If all the files in the file server are recovered, other users will die

in a word, the principle of integrity requires us to ensure that unauthorized people make illegal modifications to information and that historical records should be kept of the content modifications of information in the work of security management

principle 3: the principle of balance between speed and control

when we make various restrictions on information, it will inevitably affect the access speed of information. For example, when the purchase order needs to be changed, employees cannot modify the original document directly, but need to modify it through the purchase change order, etc. This will have a certain impact on work efficiency. This requires us to find a balance between access speed and security control, or compromise between the two

in order to achieve this balance, we can do so

first, classify the file information according to its security. For some less important information, we can reduce the level of security control to improve the efficiency of users. For example, for the reports of some information management systems, we can set relatively low permissions. For example, employees in the Department can view various report information. After all, this is only a query, and the data will not be modified

second, try to manage at the group level rather than the user level. Let's imagine how much work we would do if we set up file server access permissions for 50 employee accounts on the company's file server one by one. Therefore, at this time, we should use the group level to control permissions. People with the same authority can be classified into a group. For example, ordinary employees in a department can be classified into a group. In this case, users can be classified into this group. We only need to maintain the slider of the mechanical press after the forging work is completed at the group level, so as to achieve the purpose of rapid management and control. For example, when we manage the permissions of ERP and other information management systems, we can realize the comprehensive security management of information by using group permission control and some exception control rules, and its management efficiency will be relatively high

third, we should be cautious about using temporary permissions. Sometimes, an employee may need some permission. If he needs permission to export basic customer information, what should we do? Generally, in order to prevent the leakage of customer information, we do not allow users to export customer information in batches. However, sometimes due to the needs of some aspects such as customer information filing, when users apply for permission in this area, how should we deal with it? Some people like to set temporary permissions for them. Personally, I don't agree with this. Because temporary permissions are difficult to manage, and once this port is opened, they will frequently apply for these temporary permissions the next time they encounter similar problems. When I encounter this kind of situation, I usually ask them to find someone with such authority. For example, ordinary salesmen do not have the authority to export customer information in batches. At present, there is an electronic universal experimental machine in the market, which adopts ordinary 3-camera electric or frequency conversion Electromechanical. However, the sales manager has this authority, so let the salesmen inform their sales manager and let their sales manager help them export. And if you deal with it like this, the sales manager also knows that there is such a thing. If we blindly give employees the back door and open the green channel, it will increase the risk of data leakage

Copyright © 2011 JIN SHI