Fundamentals of Information Security — Part 2

Shreyansh Shah
5 min read · Feb 27, 2021


Welcome back! In the previous blog, Fundamentals of Information Security — Part 1, we explored some of the basic fundamentals of Information Security and also went through some of the differences between Information Security and Cyber Security. If you haven’t read Part 1 yet, I would highly recommend going through the basics there before proceeding with Part 2.

Refer to: Fundamentals of Information Security — Part 1

Now that you have a basic understanding of Information Security, the most common question that arises is: how can the sensitivity of information be assured? In this blog we will explore the three main pillars around which Information Security programs are usually built, i.e. the CIA Triad. In addition, we will go through some add-on concepts and a few key terms that often get people confused. Let’s dive in.

CIA TRIAD:

The idea of the sensitivity of information was influenced by Alan Turing, who successfully broke the Enigma machine that the Germans were then using to encrypt warfare data. Information is basically enclosed in an envelope-like structure. From the above figure, it can be seen that the information is surrounded by 3 main layers.

Layer 1: Physical Security (which includes hardware, software, and communications)

Layer 2: Personal Security (which includes people)

Layer 3: Organizational Security (which includes procedures)

Thus, the layers surrounding the information deal with storing, processing, and transmission of information along a safe path.

Information Security programs are often built around the 3 main objectives, also known as CIA Triad — Confidentiality, Integrity, and Availability.

Confidentiality

Confidentiality means that only authorized users can access the information, so there is no disclosure of information to unauthorized entities. Confidentiality often involves cryptography, network security, and computer security. A typical example is the password for a social media account. A breach of confidentiality occurs when the information is compromised: if a user enters the password for a social media application and someone other than the user notes it down, the password has been compromised. To achieve confidentiality for passwords, cryptographic algorithms are often used.

Integrity

Integrity basically ensures completeness, accuracy, and an absence of unauthorized information. In simple terms, the information should be maintained in a correct state, and only authorized users should be able to make the permitted modifications. For example, the total number of books on the bookshelf must match the number of books indicated by the database. Integrity also helps in determining whether a piece of information is provided as requested. Integrity can be compromised through human error as well as through cyber-attacks like destructive malware and ransomware. To achieve integrity, hashing algorithms or baselines are often used.

Availability

Availability states that the systems and all their components must be available and operational when required by an authorized user. For example, a user should be able to access and check their personal data kept on a website at any time. Availability of information can be compromised by cyber-attacks such as Denial of Service (DoS) attacks, hardware or network issues, infrastructure overload, or power outages. Availability can be achieved through methods like distributive allocation, redundancy, fault tolerance, a disaster recovery plan, etc.

Thus, ensuring confidentiality, integrity, and availability of critical and sensitive information helps organizations to create an effective security program needed to protect their valuable assets.

In addition to the CIA Triad, there is one more principle (known as Non-Repudiation) that is important for governing the information security programs.

Non-Repudiation

Non-Repudiation is simply the assurance that someone cannot deny something. It is the ability to prove the occurrence or non-occurrence of an event, for example a signature on a contract or the sending of an email. In information security, it is a service or a set of services that provide proof of the integrity and origin of data. For example, authentication and cryptographic mechanisms are used to sign the data so that the receiver is confident that the data came from a known source and has not been tampered with.

KEY TERMS

i. Authorized user: An authorized user is someone who has been authenticated. Once a user is authenticated, they hold some level of authorization (for example, the ability to view, change, delete, etc.), which is then identified and checked by the system.

ii. Authentication: It is a mechanism through which a user is identified and uses some token to prove who they are. For example, when a user registers for a course on Coursera, upon successful registration only that user is permitted to view the contents of the course, make quiz attempts, participate in discussion forums, etc. Authentication also exists in the form of biometrics, which use biological features such as the face, iris, etc.

iii. Integrity Mechanism: The integrity mechanism ensures that the information or data we are accessing is valid. It identifies the “absence of unauthorized modifications”. An integrity mechanism consists of:

  • System tracks (also known as logging), which show the list of users that have accessed the information and that those users went through a proper authentication process.
  • Checking whether a user has write access before they are permitted to make any changes (with a backup of the changes being saved).
  • Ensuring that an authorized user can view, modify and delete only the information for which they have permission.

As I mentioned in my previous blog, this is just a drop in the huge ocean of information security. Every domain is like a vast ocean in itself and has a lot to offer.

Keep learning :)

See you next time!
