Elements of Information Security
Confidentiality We want to make sure that our secret and sensitive data is secure. Confidentiality means that only authorized persons can work with and see our infrastructure's digital resources. It also implies that unauthorized persons should not have any access to the data. There are two types of data in general: data in motion, as it moves across the network, and data at rest, when data sits on any storage media (such as servers, local hard drives, or the cloud). For data in motion, we need to ensure the data is encrypted before sending it over the network. Another option we can use along with encryption is a separate network for sensitive data. For data at rest, we can apply encryption at the storage media (drive) level so that no one can read the data in case of theft.
Integrity We do not want our data to be accessed or manipulated by unauthorized persons. Data integrity ensures that only authorized parties can modify data.
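The two points above (encrypting data at rest for confidentiality, and rejecting unauthorized modification for integrity) can be shown together with authenticated encryption. The following Go program is an added example, not code from this study guide: it assumes AES-256-GCM as the cipher, a randomly generated key held in memory (key storage and rotation are out of scope), and a constructed sample record. The `Seal`, `Open`, `NewKey` and `TamperDetected` functions are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 32-byte key for AES-256.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with AES-GCM. A random 96-bit nonce is
// prepended so the stored blob carries everything needed to decrypt it.
// Confidentiality: the stored bytes reveal nothing about the record without the key.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// aead.Seal appends ciphertext plus a 16-byte authentication tag to nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob produced by Seal.
// Integrity: any change to nonce, ciphertext or tag makes Open return an error
// instead of silently yielding corrupted plaintext.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob is too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// TamperDetected flips one bit of a copy of the stored blob and reports
// whether decryption rejects it (true means the modification was caught).
func TamperDetected(key, blob []byte) bool {
	corrupted := append([]byte(nil), blob...)
	corrupted[len(corrupted)-1] ^= 0x01
	_, err := Open(key, corrupted)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample: account=12345 balance=100") // constructed data
	blob, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) is unreadable without the key\n", len(blob))

	back, err := Open(key, blob)
	fmt.Printf("decrypted with the right key: %q (err=%v)\n", back, err)
	fmt.Printf("one-bit modification rejected: %v\n", TamperDetected(key, blob))
}
```

The authentication tag is what turns plain encryption (confidentiality only) into a control that also enforces integrity: a stolen drive yields nothing readable, and a modified record is refused rather than trusted. Because GCM nonces must never repeat under the same key, a fresh random nonce is drawn per record and a key should be rotated well before the number of records approaches the usual 2^32 guidance.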
Availability Availability applies to systems and data. If authorized persons cannot get the data due to a general network failure or a denial-of-service (DoS) attack, then, as far as the business is concerned, that is a problem. It may also result in loss of revenue or in the failure to record some important results.
We can use the term "CIA" to remember these basic yet most important security concepts.
Table 1-01: Risk and Its Protection by Implementing CIA

| CIA             | Risk                                                                    | Control                                                                     |
|-----------------|-------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| Confidentiality | Loss of privacy. Unauthorized access to information. Identity theft.    | Encryption. Authentication. Access control.                                 |
| Integrity       | Information is no longer reliable or accurate. Fraud.                   | Maker/Checker. Quality assurance. Audit logs.                               |
| Availability    | Business disruption. Loss of customer's confidence. Loss of revenue.    | Business continuity plans and tests. Backup storage. Sufficient capacity.   |