What are Information Security Principles?
By Benjamin Roussey
Information security in today’s data-centric world is centered on the “CIA triad” to ensure the safe and smooth storage, flow, and utilization of information. The CIA triad refers to the core principles of information security, which include Confidentiality, Integrity, and Availability (CIA) – nothing to do with the clandestine federal spy agency brilliantly shown in the amazing recent movie American Assassin.
The CIA triad primarily comprises four information security layers. These layers represent how systems communicate and how data flows within them.
Application Access
The layer of application access indicates that access to user applications must be restricted on a need-to-know basis.
Infrastructure Access
The layer of infrastructure access indicates that access to various components of the information infrastructure (such as servers) must be restricted on a need-to-know basis.
Physical Access
The layer of physical access indicates that physical access to systems, servers, data centers, or other physical objects that store vital information must be restricted on a need-to-know basis.
Data-in-Motion
The layer of data-in-motion indicates that data access must be restricted while it is in the process of transfer (or in motion).
First Principle: Confidentiality
The principle of confidentiality says that information must remain out of bounds or hidden from individuals or organizations that do not have the authorization to access it. This principle essentially dictates that information must solely be accessed by people with legitimate privileges. It not only takes science, but also art to ensure the sanctity of this principle.
The challenge is that it is easy to breach confidentiality, particularly in larger organizations. Therefore, all employees of a company or members of an organization must be made aware of their duty and responsibility to maintain confidentiality regarding the information shared with them as part of their work.
Confidentiality is sacrosanct, and easy to breach. For example, if an employee in an organization allows someone to have a glimpse of his computer screen, which may at the moment be displaying some confidential information, he may have already committed a confidentiality breach. A former secretary of state knows all about classified email breaches but we will not dive into that!
Second Principle: Integrity
The second principle involves the integrity of information. The information or data must have a level of integrity that prevents it from getting easily breached.
Data Encryption
Encryption is a widely established method of protecting data in motion (transit), but now it is also increasingly accepted as a way to preserve the integrity of the data at rest as well. The process of encryption involves transforming the data in the files into unreadable characters that cannot be deciphered unless a decryption key is provided.
In the manual encryption process, the user employs a software program to initiate the data encryption. In the case of transparent encryption, the data gets encrypted automatically with no intervention from the user.
Symmetric encryption substitutes characters using a key, and that same key becomes the only means to decrypt the data. Conversely, asymmetric encryption is employed when two keys are involved: a private key and a public key.
How to Preserve Information Integrity Effectively?
Follow these five essential tips to preserve data integrity:
• Encrypt your data: If you ensure data encryption, a third party will be unable to read or use it, even if the data becomes available to them.
• Use two-factor authentication: If access to your data requires two-factor authentication, it will bolster the safety of your confidential information and reduce the risk of data leaks.
• Encrypt interactions: As a first step, you must configure your communication program or IM to use TLS or SSL. Secondly, disable the feature that logs conversation history. Thirdly, encrypt your Internet traffic because it could be intercepted.
• Protect your keys: Safeguard your keys with a foolproof system in place. In many cases, access to your keys can be equal to access to your data.
• Create information backup and ensure it is safe: Data backup should be available and accessible, but in encrypted form and stored away in a secure location.
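The "Protect your keys" and backup tips can be tied together with a keyed integrity tag over the backup file. This is an added example, not part of the original article; HMAC-SHA256 is the technique chosen here (the article does not name one), and the backup contents are constructed random bytes.

```python
import hashlib
import hmac
import io
import secrets

CHUNK = 64 * 1024  # read in chunks so large backup files are not loaded whole


def backup_tag(key: bytes, stream) -> str:
    """HMAC-SHA256 tag over a backup stream; only a key holder can produce it."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    while chunk := stream.read(CHUNK):
        mac.update(chunk)
    return mac.hexdigest()


def verify_backup(key: bytes, stream, expected_tag: str) -> bool:
    """True only if the backup is byte-for-byte what was tagged with this key."""
    # compare_digest compares in constant time, so timing reveals nothing
    return hmac.compare_digest(backup_tag(key, stream), expected_tag)


def demo() -> dict:
    key = secrets.token_bytes(32)  # stored apart from the backup itself
    # Constructed stand-in for an encrypted backup file (not real data)
    backup = secrets.token_bytes(200_000)
    tag = backup_tag(key, io.BytesIO(backup))

    # One flipped bit, as from a failing disk or an unauthorized edit
    damaged = bytearray(backup)
    damaged[150_000] ^= 0x01

    return {
        "intact": verify_backup(key, io.BytesIO(backup), tag),
        "damaged": verify_backup(key, io.BytesIO(bytes(damaged)), tag),
        "wrong_key": verify_backup(secrets.token_bytes(32), io.BytesIO(backup), tag),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} verified={ok}")
```

Because the tag depends on the key, anyone who can alter the backup but does not hold the key cannot produce a matching tag, which is why the key must be stored separately from the data it protects.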
Third Principle: Availability
The third guiding principle relates to information availability and underscores the importance of securing information in a location where unauthorized entities cannot access it, and data breaches can be minimized.
Some of the typical ways in which confidential information gets leaked relate to the faulty handling of the available information. These ways may include:
• Theft of physical equipment, such as a PC, laptop, mobile device, or paper.
• Incorrect disposal of paper or digitally stored data.
• Unauthorized or negligent disclosure of access controls or authentication keys.
• Information leak due to poor understanding of a legal agreement of confidentiality.
• Misplacing information due to negligence.
• Hacking or illegal data security breach.
How to Ensure Information Access is Secure?
• Create Firewalls: Firewalls can include both hardware- and software-based defenses that are created to block unsolicited protocols, connections, unauthorized network activity and other malicious attempts while you are linked to an external network (typically the Internet).
• Install Proxy Servers: A proxy server is designed to control what the outside world sees of your network. This is a type of smoke screen that can disguise your actual network and present a minimal Internet connection.
• Use Routers: Control the network through routers, which, like a firewall, can include an access list to deny or permit access into your network.
• Implement Network Controls: This implementation is done at the local level, and includes authentication in the form of login and password.
• Install Software Controls: These can block malware from penetrating your equipment. If malware enters the system, these controls will work to eliminate the infection and restore the system to its pre-infestation condition.
• Use Data Encryption
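How an access list on a router or firewall permits or denies traffic can be shown with a small first-match evaluator. This is an added example, not part of the original article; the rule format and function names are assumptions for illustration, and all addresses are constructed from the reserved documentation ranges.

```python
import ipaddress

# Constructed access list: (action, source network, destination port; None = any).
ACCESS_LIST = [
    ("deny",   "203.0.113.0/24",  None),  # blocked source range
    ("permit", "0.0.0.0/0",       443),   # HTTPS open to everyone else
    ("permit", "198.51.100.0/28", 22),    # SSH from the admin subnet only
]


def evaluate(acl, src_ip: str, dst_port: int) -> str:
    """First matching rule decides; anything unmatched is denied."""
    src = ipaddress.ip_address(src_ip)
    for action, network, port in acl:
        if src in ipaddress.ip_network(network) and port in (None, dst_port):
            return action
    return "deny"  # implicit deny at the end of the list


def shadowed(acl) -> list:
    """Indexes of rules that can never match because an earlier rule covers them."""
    dead = []
    for j, (_, net_j, port_j) in enumerate(acl):
        for _, net_i, port_i in acl[:j]:
            covers_net = ipaddress.ip_network(net_j).subnet_of(ipaddress.ip_network(net_i))
            if covers_net and port_i in (None, port_j):
                dead.append(j)
                break
    return dead


if __name__ == "__main__":
    # Constructed connection attempts: (source address, destination port)
    attempts = [("198.51.100.5", 22), ("192.0.2.10", 22),
                ("203.0.113.7", 443), ("192.0.2.10", 443)]
    for src, port in attempts:
        print(f"{src:>15}:{port:<5} -> {evaluate(ACCESS_LIST, src, port)}")
    print("shadowed rules:", shadowed(ACCESS_LIST))
```

Rule order is part of the policy: a broad permit placed above a narrower deny makes the deny unreachable, which is the condition `shadowed` reports.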
The fundamental CIA principles remain unchanged over time, but the compliance methodologies to follow these guiding principles of information security continually change with the evolution of technology and the constant development of new vulnerabilities and threats. Continuous efforts are essential to ensure adherence to the principles of confidentiality, integrity, and availability of information at all times.