
The CIA of Information Security

Often referred to by the acronym CIA, Confidentiality, Integrity and Availability are the three primary tenets of information security, crucial in ensuring that only duly authenticated authorized entities (people and systems) are granted access to secured information.


In essence, information security involves making sure that only authenticated authorized entities (people and systems) are granted access to secured information. Remember that an entity is that which is or that which is perceived to exist.

Thus, the people, the information systems (hardware and software) and the data (information) contained within them (the people and the information systems) are all entities that information security is concerned with “securing”. Not only does information security have this as an objective, but it must also secure these very same entities from themselves and each other. The key factor here is that you need to adequately cover all bases and not just a selection. If there are any holes in your defenses, the worms are sure to get in.

Thus, in order to provide adequate, expansive and multi-level protection free from any single point of failure, the security afforded to information systems must function at both the macroscopic and microscopic levels. Information and information systems security initiatives must promote confidence in the users of the information systems that said information systems will remain free from undetected outside interference, corruption or attack whilst being immune to subversion from within.

Confidentiality, Integrity and Availability (CIA)

Often referred to by the acronym CIA, Confidentiality, Integrity and Availability are the three primary tenets of information security and have traditionally been defined as follows:

Confidentiality - The goal of information confidentiality is to ensure that only duly authenticated authorized entities have appropriate access to that information. Encryption is the most commonly used tool to achieve confidentiality.

Authentication, authorization and entity (users and systems) access rights and privileges, such as those implemented and enforced through RADIUS, TACACS, Kerberos and directory services including Novell's Directory Services and Microsoft's Windows Server Active Directory and Group Policy, also play key roles in ensuring information confidentiality.

Integrity - It is imperative that keeping information confidential is closely partnered with ensuring its trustworthiness. Thus, we also need to ensure that our information systems and the information contained within them remain free from modification by unauthorized parties, as well as not being improperly modified by authorized ones. Only then can they be relied upon.

Because it is difficult to categorically enforce attack-proof measures and so be 100% confident that the integrity of our information systems is not compromised, we are best advised to implement additional measures that reliably detect and determine alterations and interferences of all kinds. To this end, checksums and hashes are used to validate data integrity, as are transaction-logging systems.

Availability - Information systems serve no purpose if they and the information they house are not readily accessible to duly authenticated authorized users and systems with appropriate levels of access rights and privileges as and when it is needed or desired. Access should be more or less instantaneous and at a whim. The latter point concerning whimsical access is important, as it presents the need for both scheduled and non-scheduled random access capabilities.

In addition to simple backups of data and disaster planning and recovery mechanisms, availability includes ensuring that systems remain accessible in the event of attack such as denial of service (DoS) and distributed denial of service (DDoS) attacks.

Critical data must be adequately protected from erasure, be it accidental or otherwise. For example, preventing the erasure of data on your organization's external Web site is of high priority for ecommerce and information and support sites alike.

Information and Information Systems Additional Concerns

Now that we have a basic handle on the key roles played by confidentiality, integrity and availability in the information security picture, we need to augment them with additional controls to further extend our ability, and that of our information systems, to deliver a united and truly secure information and information systems environment. Additional areas of concern with regard to information security include:

Authentication - The purpose of implementing authentication systems and processes is to ensure that information users and information systems are, in fact, who they say they are. Various password authentication mechanisms are, without doubt, the longest-standing traditional way to authenticate users.

Highly complex passwords or passphrases using in excess of 12 mixed upper and lower case alphanumeric characters as well as signs and symbols do provide reasonable levels of rapidly verifiable authentication security. It is important to note that they are not the only method available to us. Cryptographic tokens, “smart” cards and biometrics also have a role to play.

Passwords and Cryptography - Concerning password-based authentication mechanisms, it must also be noted that in today's information climate cryptography also plays a key role in ensuring that passwords remain confidential. It is no longer appropriate to transmit unencrypted passwords over publicly accessible media, as is the case with wireless networking. Not only should the password not be transmitted unencrypted, it is desirable that verification of password authentication credentials takes place seamlessly, transparently to users and eavesdroppers alike.
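One way to verify a password without ever sending it, shown as an added example that is not part of the original article: a simplified challenge-response modelled on the SCRAM construction (RFC 5802), using SHA-256. It is not wire-compatible with that protocol; the user name, iteration count and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str) -> dict:
    """Server-side record: a salt and StoredKey only, never the password."""
    salt = secrets.token_bytes(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "stored_key": hashlib.sha256(client_key).digest()}


def client_proof(password: str, salt: bytes, auth_message: bytes) -> bytes:
    """What the client sends: ClientKey XOR HMAC(StoredKey, auth_message)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))


def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and compare its hash to StoredKey."""
    signature = _hmac(record["stored_key"], auth_message)
    recovered = _xor(proof, signature)
    return hmac.compare_digest(hashlib.sha256(recovered).digest(),
                               record["stored_key"])


def login(record: dict, password: str, replay_of: bytes = None) -> tuple:
    """One exchange; client and server each contribute a fresh nonce."""
    client_nonce = secrets.token_hex(16).encode()
    server_nonce = secrets.token_hex(16).encode()
    auth_message = b"user=alice," + client_nonce + b"," + server_nonce
    # replay_of simulates a proof captured from an earlier exchange
    proof = replay_of or client_proof(password, record["salt"], auth_message)
    return server_verify(record, auth_message, proof), proof
```

Because the proof is bound to nonces that change on every exchange, a proof captured from one login is rejected when presented again.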

© 2007 Copyright Stanza Ltd. All Rights Reserved.