MEMORANDUM
 
 
 
DATE: 12 November 2001
TO: Allan Kinney
FROM: Martha Stewart
SUBJECT: Evaluation of share-level versus user-level security
 
 
INTRODUCTORY SUMMARY
 
 
Mr. Kinney, this memorandum evaluates share-level and user-level security in order to

determine the security system that BS Networking Solutions will recommend in our upcoming

proposal to rebuild Riverside Credit Union’s network. The role of the security system in the

proposed network will be outlined. The two network security systems will then be compared

with respect to Riverside’s requirements for network access control and for resource

accessibility to authorized personnel. It will be found that user-level security is more

appropriate for Riverside’s planned network if it is changed to a client-server network.

 
 
THE ROLE OF THE SECURITY SYSTEM IN RIVERSIDE’S NETWORK
 
 
As a credit union, Riverside must strictly control the access of its own employees to network

resources. Riverside is a small but fast-growing credit union with a good reputation [1]. As

a small organization, it has only one network of sixteen computers, in which all the business’

information, including confidential customer financial information, is stored. It is therefore

of utmost importance to Riverside that its own employees have access only to legally and

professionally sanctioned files and applications. Furthermore, for security reasons, different

employees typically do not have authorized access to the same set of files and applications.

Finally, the possibility of access to files or applications by people outside the organization

must be kept to a minimum [1].

 
 
On the other hand, Riverside must reduce the risk that its employees make costly mistakes

in handling sensitive files [1]. If network security is cumbersome, complicated, or irrational,

it may interfere with employees’ correct handling of information on the network. It can

also introduce an external security risk of its own if it is impossible for employees to use

the security system without written notes or memory aids. For example, Post-It notes with 

sensitive passwords are easily lost, misplaced, or stolen. Such memory aids may result in a 

costly break in security for this vulnerable business.

 
 
As a result, the security system in the network to be proposed by BS Networking Solutions

to Riverside Credit Union must provide tight selective control of network access while it 

permits relatively easy and simple use of authorized network resources. Tight and selective 

control is necessary to protect sensitive and confidential information vital to Riverside’s 

business. Ease of use of network resource security will reduce the risk of costly oversights

by employees who otherwise are authorized to use the network.

 
 
SHARE-LEVEL SECURITY
 
 
A share-level security system would permit access to a given network resource by anyone 

with knowledge of the password for that resource. Share-level security involves 

resource-by-resource passwords that are the same for all users on the network [2].

In this way, the network cannot distinguish between an employee who knows

the password on authority and another person who types the correct password 

without authorization. Even in the case that all employees are in good faith, such a system is 

liable to allow at least unauthorized employee access, if not external access, to sensitive 

applications and files.

 
 
On the other hand, share-level security would be unwieldy and therefore potentially

dangerous even for authorized employees. In order to have access to all network resources

for which they are authorized, all employees must memorize a password for each

application or file that they can or must use. The constant prompts for passwords can cause 

employees to perform work on the network in a mechanical and inattentive way and

therefore to risk making expensive mistakes such as the loss of important records. Also,

every employee may eventually need to make written notes of passwords for rarely used 

resources. Casual notes that are seldom read may allow these resources to end up in the 

wrong hands.

 
 
USER-LEVEL SECURITY
 
 
User-level security in Riverside’s network would allow tight and selective control of

network access. A user-level security system involves a user-access list for each network 

application and file [3]. Each employee at Riverside would have a different personal

password, required for access to the network itself. After that, the user-access lists would

allow use only of the unique set of network resources for which the employee was authorized

[4]. In order for an employee or non-Riverside person to have unauthorized access to a

specific network application or file, such a person would have to learn the personal password

of an employee who did have authorized access rather than merely the password of the

network resource itself. To the extent that security clearances and employees’ good faith are

effective, then, user-level security would permit tighter and more selective control of access

to network resources.

 
 
What is more, user-level security would greatly simplify the security process for 

Riverside’s employees. An employee would only need to memorize one password for all 

required network access under user-level security. Once the employee had successfully 

"logged on" to the network, no further routine security interruptions would be necessary in

the employee’s work on the network. Furthermore, all employees could be expected to 

memorize their personal passwords after a few days of use. The result would be the

elimination of the security paper trail of individual network resource passwords.

 
 
USER-LEVEL SECURITY IN THE PROPOSED NETWORK
 
 
From these considerations, it is clear that user-level security is preferable to share-level 

security for Riverside’s needs. User-level security permits more selective control of access

to the applications and files on the proposed network. It also would be far simpler for 

Riverside’s employees to use and thus would reduce the chance of error and security

leaks.

 
 
The improved security system cannot be implemented in a peer-to-peer network of the

kind currently used by Riverside Credit Union (see Appendix A). Happily, my partner in

this project, David Bowie, is studying the advantages to Riverside of a client-server

network. Should he conclude that Riverside would benefit from a client-server network,

the change to network security and the change to network organization may both be

included in BS’s proposal to Riverside Credit Union.

 
 
CONCLUSION AND RECOMMENDATIONS
 
 
A user-level security system would be a good addition to a client-server network in the 

Riverside Credit Union network proposal. It would permit Riverside greater access

control for network resources and easier error-free use of these resources by its

employees.

 
 
As a result, I recommend that BS Networking include a user-level security system in the 

Riverside proposal. I will communicate my findings to David Bowie to assist him in his

work on the network organization to be proposed to Riverside. If you would like us to 

proceed with this recommendation or have questions or comments, Mr. Kinney, you will

find that I am easily reached at artsandtarts@bswebcommerce.com or at (819) 136-

ME-ME.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
REFERENCES**
 
 
[1]   T.H. van Beek, Vice-President of Sales, Riverside

       Credit Union, Interview with the author on

       RCU network security needs, 1202 Alta Vista

       Drive, Ottawa, 2001 31 Oct.

[2]   G. Madow and J. Chellis, MCSE Exam Notes: Networking

       Essentials.
Los Angeles: Sybex Inc., 1998.

[3]   C. Trumble, T. Mainelli, and B. Cranford-Petelle,

       "Value-priced LAN's," Novice Guide to

       Buying Hardware,
Vol. 7, No. 6, pp. 37-38, 1999.

[4]   N. Courtois and R. Hewitt, "Network security," Network

       Solution Report,
Vol. 1, no. 1, pp. 1-2, 2000.
 
 
 **NOTE TO ALL READERS: This is a deliberately fictional bibliography, intended only to serve as an example of correct formatting in IEEE style. All cited information in this text was actually borrowed from an investigation report by my students Rob Hewitt and Nick Courtois in ENL1819T in Autumn 2000.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Att.: Appendix A – Network Security Flowcharts