Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Information Security.
“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it.”
This famous quotation from Justice Potter Stewart is from the obscenity case of Jacobellis v. Ohio – the Justice is saying that he cannot come up with a succinct and simple definition of pornography, but he knows it when he sees it. If you will forgive the comparison, the same thing can often be said about Information Security.
It’s easy to tell when Information Security has failed. Credit card numbers stolen? Identity falsified? Web site defaced? “Secret” internal memos ended up on Wikileaks? These are all failures of Information Security, and most people would realize it – but that doesn’t get us any closer to a definition.
The classic definition of Information Security, the one that I generally work with, is simple: Information Security is the enforcement of the “CIA Triad” – Confidentiality, Integrity, and Availability.
Confidentiality means that only authorized people and systems are allowed access to a piece of information. This is enforced via mechanisms like Access Control Lists on files, encryption of data in transit and at rest, and even relatively crude measures like locks on a file cabinet. If confidentiality is properly enforced, information is available to those who need it and (perhaps more importantly) not available to those with no right to it.
Integrity means that information cannot be modified or destroyed without the caretakers of that information being aware of it. This is enforced with things like fingerprinting data with cryptographic hashes or digital signatures, auditing file access and modification, certificate hierarchies, and maintaining proper backups so that a known-good copy can be restored once tampering is detected. Strictly speaking, knowing that an email claiming to be from a bank is actually from that bank is a question of authenticity rather than integrity, but the two usually travel together: a digital signature from the bank proves both that the message originated with the bank and that it has not been altered since it was signed.
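To make the distinction between a plain fingerprint and an origin-binding one concrete, here is an added example (written for this page, not code from the original post) using only the Python standard library. The bank notice, the tampering, and the shared key are all constructed for illustration. It uses an HMAC (a keyed hash with a secret shared between bank and customer) rather than a public-key digital signature, because HMAC needs no third-party package; a digital signature gives the same two guarantees, with the added property that anyone holding the bank's public key can verify it.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumptions for this example, not from the post):
# a statement notice and the secret shared between the bank and the customer.
NOTICE = b"Your statement for March is ready. Balance: 1,250.00"
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Unkeyed fingerprint: any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


def hash_intact(data: bytes, expected_digest: str) -> bool:
    """Integrity check with a bare hash. Only meaningful if expected_digest
    was stored somewhere the attacker cannot overwrite (out of band)."""
    # compare_digest runs in constant time, avoiding timing side channels.
    return hmac.compare_digest(sha256_hex(data), expected_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed fingerprint: only a holder of the key can produce a valid tag,
    so a valid tag proves both integrity and origin."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def tamper(message: bytes) -> bytes:
    """Simulated attacker edit: inflate the balance by a hundredfold."""
    return message.replace(b"1,250.00", b"125,000.00")


def scenario_bare_hash() -> dict:
    """A bare hash catches modification only when the reference digest is
    kept out of the attacker's reach; if the digest travels with the message,
    the attacker simply recomputes it over the altered text."""
    digest = sha256_hex(NOTICE)
    corrupted = tamper(NOTICE)
    # Case 1: the customer holds the original digest, obtained separately.
    detected = not hash_intact(corrupted, digest)
    # Case 2: the digest rides along with the message, so the attacker
    # replaces it with a fresh digest of the forged text.
    attacker_digest = sha256_hex(corrupted)
    missed = hash_intact(corrupted, attacker_digest)
    return {
        "detected_with_stored_digest": detected,
        "missed_when_attacker_recomputes": missed,
    }


def scenario_hmac() -> dict:
    """With a keyed tag the attacker cannot recompute a valid tag, because
    they do not hold SHARED_KEY; a tag under a guessed key is rejected."""
    tag = hmac_tag(SHARED_KEY, NOTICE)
    corrupted = tamper(NOTICE)
    attacker_key = secrets.token_bytes(32)  # attacker's best effort: a random key
    forged_tag = hmac_tag(attacker_key, corrupted)
    return {
        "genuine_verifies": hmac_verify(SHARED_KEY, NOTICE, tag),
        "tampered_rejected": not hmac_verify(SHARED_KEY, corrupted, tag),
        "forgery_rejected": not hmac_verify(SHARED_KEY, corrupted, forged_tag),
    }


if __name__ == "__main__":
    print("bare hash:", scenario_bare_hash())
    print("hmac:     ", scenario_hmac())
```

The first scenario is the trap behind "just publish an MD5 alongside the download": the hash detects accidental corruption, but it proves nothing about who produced the data unless the reference digest is protected. The second scenario is what the email example in the paragraph above actually relies on, a fingerprint that an attacker cannot regenerate because producing it requires a secret (or, with a digital signature, a private key) they do not have.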
Availability means that information is available when it is needed. It’s easy to maintain confidentiality and integrity on their own; carve the data into a stone tablet and drop it into the middle of a lake. The hard part is when you need to ensure that this information can be retrieved simply when it is needed. Availability is enforced with things like load-balanced server clusters, redundant network connections, UPSes and emergency generators, and “hot” or “warm” site disaster recovery plans.
Let’s take a look at how this triad applies to something commonplace – say, online banking. A bank’s website will require proper authentication before account details can be accessed; this is confidentiality. It will also keep the account balance correct: money will not magically appear or disappear, and the balance at any moment will equal the sum of the debits and credits recorded over time. This is integrity. Finally, the bank’s website will be available from the Internet 24 hours a day, 7 days a week, no matter what disasters befall the individual data centers hosting the site. This is availability. A proper Information Security plan, for your own company or for any other institution, must enforce the CIA Triad in order to be successful.