Information Security

From SI410
Revision as of 22:57, 28 March 2018 by Eger (Talk | contribs) (update integrity with info on HMAC)


Information Security is the practice of protecting information from access, modification, or destruction by those not intended to have it. The methods used to protect information vary with the type of information being protected, who currently holds it, and how it could be misused by others.

Concern for the security of information has intensified with the proliferation of electronic storage and, subsequently, with the spread of information online. [1] These media have both helped and hindered data protection. On one hand, data can be encrypted while in transit from one point to another and decrypted only at its destination, which protects it more robustly than a physical medium can be protected. On the other hand, the ease with which electronic information can be copied and disseminated without the express consent of its holder means it can readily be put to nefarious use.

Protecting bits and bytes can have as much of a real-world impact as protecting physical objects.

Conceptual Overview

Protecting private information ensures that it remains both reliable and confidential. Unprotected information can be tampered with, introducing inaccuracies or discrepancies, and valuable information that is not protected can be disclosed to parties who would misuse it. The CIA Model of Information Security (Confidentiality-Integrity-Availability) [2] is the standard way of describing the properties that must be preserved in order to protect information.

The CIA Model consists of three properties, each of which must hold for information to be considered correctly protected.

Information Confidentiality

Confidentiality is the property that information is available only to those who are authorized to view it. Disclosure of part or all of a piece of sensitive information can harm those to whom the information belongs, as well as the value of the information itself. Confidentiality is enforced by authenticating users (with user IDs, passwords, PINs, and similar credentials) and then granting access only to those who are authorized.

Information Integrity

Also called information reliability, integrity is the property that information is accurate, up-to-date, and complete for those who plan to use it; protecting it against unwanted modification or destruction is a significant part of securing it. Integrity of data in transit is commonly verified with a message authentication code such as an HMAC (keyed-hash message authentication code): a short tag computed from the message and a secret key shared by sender and receiver, which the receiver recomputes and compares against the received tag to confirm that the message was not altered. [3] A plain, unkeyed hash is not sufficient for this purpose, because anyone who alters the message can simply recompute the hash to match; the shared key is what prevents an attacker from producing a valid tag.

Information Availability

Availability is the property that authorized users can reach the protected information, and the systems that hold it, in a timely and reliable manner whenever they need it. Timely access also lets those who monitor the information discover issues or changes in it. An outage, whether caused by hardware failure, a denial-of-service attack, or protection so restrictive that it locks legitimate users out, is a failure of availability.

Information Security and Privacy

Information privacy, an important subtopic of, and motivating force behind, information security, compels companies, governments, and individuals alike to consider the implications of lax security measures. Regardless of context or scale, the degree to which information is accessible to a given audience is a direct measure of its exposure and therefore of how well it, and the system holding it, can resist intrusion. Stronger defensive measures amount to more than better technology: they can also improve customer satisfaction, reduce server downtime, and allow a network's interoperability to be extended without fear of exploitation. Striking the right balance between the openness and closure of an information system is as critical to ordinary business concerns as it is to keeping the system's security in the best condition possible.

Information Security and Electronic Storage

The advent of data transfer by electronic means over the internet has shifted the focus of information security from physical protection (protecting the actual medium the information is stored on) to a broader definition of what protection means. Before data was computerized, often the easiest way to protect information was to restrict access to the physical medium on which it was kept, for example by controlling who could open a filing cabinet of important paperwork. The low cost of replicating information in electronic form, and the difficulty of identifying who is viewing it, have greatly changed the ways in which information must be protected.

Access Controls

Access control begins with identifying who a potential user is before allowing them to view or manipulate data in an electronic environment. [4] Creating a profile of a user's identity is the first step toward granting them access to sensitive information. Each profile is then protected with a unique password (or other credential) that lets the data-protection system authenticate the user's identity before granting access; a separate authorization step decides which data the authenticated user may read or change. Because every action is tied to a unique profile, an individual's behavior while using the information can also be logged and reviewed.
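The following Python is an added example, not code from the original page or any cited source, showing how a profile-based access control system applies the steps above: a profile stores a per-user random salt and a slow password hash rather than the password itself, each request is authenticated and then checked against the actions its role permits (denied by default), and every decision is recorded against the profile. The user names, roles, actions, and password-hashing parameters are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Assumed work factor for the demonstration; real deployments tune this to the
# hardware so that one hash costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 100_000


class AccessController:
    """Authenticate a profile, authorize its action, and audit the decision."""

    def __init__(self):
        self.profiles = {}  # username -> {"salt": bytes, "hash": bytes, "role": str}
        # Role -> allowed actions. Anything not listed is denied by default.
        self.permissions = {
            "auditor": {"read"},
            "editor": {"read", "write"},
        }
        self.audit_log = []  # one entry per request, tied to the requesting profile

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash: the stored value cannot be reversed to the password,
        # and identical passwords for two users produce different values.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.profiles[username] = {"salt": salt, "hash": self._hash(password, salt), "role": role}

    def authenticate(self, username: str, password: str) -> bool:
        profile = self.profiles.get(username)
        if profile is None:
            # Hash anyway so an unknown user takes as long as a wrong password,
            # which keeps response time from revealing which usernames exist.
            self._hash(password, bytes(16))
            return False
        # Constant-time comparison: a byte-by-byte mismatch would leak timing.
        return hmac.compare_digest(self._hash(password, profile["salt"]), profile["hash"])

    def authorize(self, username: str, action: str) -> bool:
        profile = self.profiles.get(username)
        if profile is None:
            return False
        return action in self.permissions.get(profile["role"], set())

    def request(self, username: str, password: str, action: str, record: str) -> bool:
        """Authenticate, then authorize, then log. Returns whether access was granted."""
        if not self.authenticate(username, password):
            decision, granted = "denied (authentication failed)", False
        elif not self.authorize(username, action):
            decision, granted = "denied (not permitted for role)", False
        else:
            decision, granted = "granted", True
        self.audit_log.append({
            "user": username,
            "action": action,
            "record": record,
            "decision": decision,
            "time": datetime.now(timezone.utc).isoformat(),
        })
        return granted


if __name__ == "__main__":
    # Constructed sample users and requests for the demonstration.
    ac = AccessController()
    ac.register("alice", "correct horse battery staple", "editor")
    ac.register("bob", "hunter2", "auditor")
    print(ac.request("alice", "correct horse battery staple", "write", "doc-1"))  # granted
    print(ac.request("bob", "hunter2", "write", "doc-1"))                         # role lacks write
    print(ac.request("mallory", "guess", "read", "doc-1"))                        # no such profile
    for entry in ac.audit_log:
        print(entry["user"], entry["action"], entry["decision"])
```

Authentication and authorization are kept as separate steps on purpose: a valid password proves who the user is, and the role lookup decides what that user may do, so a compromised low-privilege account still cannot write. The audit entries give the monitoring described in the text something concrete to review.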

Data Encryption

Information can be protected while it is being transferred from point to point by encrypting it, that is, transforming the data with a secret key so that it is unintelligible to anyone who intercepts it, and then decrypting it on arrival at its destination. Encryption is one application of cryptography; when the two endpoints use the same secret (a shared, or symmetric, key) for both operations, the scheme is called symmetric encryption. [5] Encryption on its own provides only confidentiality: an intercepted ciphertext can still be altered in transit unless it is also protected by a message authentication code or an authenticated-encryption mode.
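To make both the integrity mechanism described under Information Integrity and the shared-key encryption described here concrete, the following Python is an added example, not code from the original page or from any cited source. It derives separate encryption and authentication keys from one shared secret, encrypts with a counter-mode keystream generated by HMAC-SHA256 used as a pseudorandom function, then appends an HMAC tag over the nonce and ciphertext (encrypt-then-MAC); the receiver verifies the tag in constant time before decrypting, so any altered byte is rejected. The shared key value, the "demo-" derivation labels, and the message layout are constructed for this example. A real deployment would use an authenticated-encryption mode such as AES-GCM from a vetted library rather than this hand-built construction; the point here is to show what each piece contributes.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo secret that both endpoints are assumed to hold already
# (in practice it comes from a key exchange or a key-management system).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

NONCE_LEN = 16   # random per-message value; must never repeat under one key
TAG_LEN = 32     # HMAC-SHA256 output length


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into distinct encryption and MAC keys (key
    separation) by using HMAC as a key-derivation PRF with different labels."""
    enc_key = hmac.new(master, b"demo-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"demo-authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i of the keystream is HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Wire format: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # The tag covers the nonce too, so a swapped nonce is also detected.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, message: bytes) -> bytes:
    """Verify the tag first, in constant time; only then decrypt."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = derive_keys(master)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message altered or key mismatch")
    stream = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def is_rejected(master: bytes, message: bytes) -> bool:
    """True if the receiver refuses the message (bad tag, wrong key, truncated)."""
    try:
        decrypt(master, message)
        return False
    except ValueError:
        return True


def tamper_is_detected(master: bytes, message: bytes, index: int) -> bool:
    """Flip one bit of the transmitted message and report whether it is rejected."""
    altered = bytearray(message)
    altered[index] ^= 0x01
    return is_rejected(master, bytes(altered))


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"   # constructed sample plaintext
    wire = encrypt(SHARED_KEY, msg)
    print(decrypt(SHARED_KEY, wire))
    print(tamper_is_detected(SHARED_KEY, wire, NONCE_LEN + 9))  # flip a ciphertext bit
    print(is_rejected(bytes(32), wire))                           # wrong shared key
```

Three choices in the block are the ones that matter in practice: the encryption and MAC keys are different even though both come from one secret, the tag is checked before any decryption happens, and the comparison uses `hmac.compare_digest` so that a forged tag cannot be confirmed byte by byte through timing.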

Ethics of Information Security

Determining social expectations for protecting information is a society-wide undertaking. Without a common notion of what protecting information entails, an individual's personal data can easily be placed in unnecessary jeopardy. Generally, protecting important personal information is a necessity defined by society at large. As a result of these shared beliefs, the current practice in most Western societies is that companies and individuals jointly bear the responsibility of protecting an individual's personal information so that it is not misused.

Protecting information is not a one-time task carried out when data is created or stored; ideally, it is an iterative process that takes place throughout an information object's entire lifetime. As the shape and composition of a piece of information change over time, the methods by which it is protected must evolve with it.

Individual Information Privacy

The security of an individual's personal information is inextricably tied to their personal privacy. When an individual shares private information with other parties, especially online, it is hard to guarantee that the information will retain its original integrity. In the United States, companies have a legal obligation to protect their customers' personal information during a business transaction, especially one conducted online.[6]

Ethics and Laws

Developing all-encompassing laws to cover every facet of an information society, up to and including disciplinary measures for security infringements, is an unreasonable expectation: the breadth of unique scenarios is an untenable obstacle. Because individuals naturally differ in their beliefs and therefore in their moral principles, arriving at a universal understanding is doubtful and, if attempted, would be insufficiently robust for continuous societal growth.[7] Whereas standing ethical tenets are objective in their construction and operable range, how they are interpreted is largely left to the individual.[8] It is therefore largely the responsibility of members of society to establish positive standards of ethical behavior and promote them as widely as they can. In this respect, ethics and the rule of law work hand in hand to ensure that individuals' privacy is protected and that society thrives despite the challenges presented by information security. Essential to this effort is the collaboration between people, their governments, and the relationships that exist among them.[9] Striving for a culture rooted in some form of "ethical abidance" is paramount for moving away from a long-trusted dependency on laws to deter disobedience.[10] Because norm-driven behavior is more reliably sustained by conviction than by the threat of sentencing, its efficacy for modifying behavior at the large scale needed for widespread adoption of robust information-security ethics far outweighs what laws and regulatory bodies can achieve alone.

References

  1. National Institute of Standards and Technology: Information Security http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
  2. Information Systems Security Association: CIA Information Security Model http://www.issa.org/images/upload/files/Parker-Simplistic%20Information%20Security%20Model.pdf
  3. Message Authentication Codes https://csrc.nist.gov/Projects/Message-Authentication-Codes
  4. Handbook of Information Security: Access Controls http://www.cccure.org/Documents/HISM/001-002.html
  5. Harold Joseph, H. (1997). Data encryption: A non-mathematical approach. Computers & Security, 16(5), 369-386. doi:10.1016/S0167-4048(97)82243-2
  6. U.S. Governmental Printing Office: Electronic Code of Federal Regulations http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=a273032f4545305b53bd3b788739f586&tpl=/ecfrbrowse/Title16/16cfr681_main_02.tpl
  7. Dell SecureWorks. (2011, February 7). Crossing the Line: Ethics for the Security Professional. Retrieved April 23, 2016, from https://www.secureworks.com/blog/ethics
  8. Philip, A. R. (2002). The Legal System and Ethics in Information Security. SANS Institute. (PDF). Retrieved April 23, 2016, from https://www.sans.org/reading-room/whitepapers/legal/legal-system-ethics-information-security-54
  9. [2] Retrieved on 4-23-2016
  10. [3] Retrieved on 4-23-2016
