The number of Internet users passed 3.4 billion in 2016, across more than 200 countries from the Arctic to Antarctica, according to a report from the International Telecommunication Union. The Internet is a worldwide computer network that can be accessed via computer, mobile telephone, PDA, games console, digital TV, and so on. Thus individuals and organizations can reach any point on the Internet regardless of national or geographic boundaries or time of day.
Along with this easy access to information comes risk: valuable information can be lost, stolen, altered or misused. Information held on a computer network is more vulnerable than information printed and locked in a filing cabinet. Intruders can steal it without ever entering the office or home, and need not even be in the same country. The security of information therefore becomes far more critical to its owners.
Basic Information Security Concepts
The three basic concepts of information security are confidentiality, integrity, and availability. The corresponding concepts that relate to the people who use the information are authentication, authorization, and non-repudiation.
Information security is so broad a discipline that it is easy to get lost in a single area and lose perspective. Nevertheless, the classic definition of information security is brief and simple: ‘Information security is the confidentiality, integrity, and availability of information’, also referred to as the C-I-A triad or information security triad.
In brief, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people.
When information is read or copied by someone not authorized to do so, the result is a “loss of confidentiality”. For sensitive information, confidentiality is a very important criterion. Bank account statements, personal information, credit card numbers, trade secrets, and government documents are examples of sensitive information. This goal of the CIA triad emphasizes the need for information protection. For example, confidentiality is maintained for a computer file if authorized users are able to view it while unauthorized persons are blocked from seeing it.
Information can be corrupted or manipulated if it is available on an insecure network; this is referred to as “loss of integrity.” It means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting. For example, banks are more concerned about the integrity of financial records, with confidentiality having only second priority. Some bank account holders leave ATM receipts unchecked and lying around after withdrawing cash, which shows that confidentiality does not have the highest priority. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission, and any usage that does not involve modifying the information.
Information can be erased or become inaccessible, resulting in “loss of availability.” This means that people who are authorized to get the information are prevented from accessing it. Availability is often the most important attribute in service-oriented businesses that depend on information. Denying access to information has become a very common attack; almost every week there is news about high-profile websites being taken down by denial-of-service attacks. The CIA triad goal of availability is met when information is available when and where it is rightly needed.
Now let’s take a look at other key terms in information security: authorization, authentication, and non-repudiation. These processes and methods are some of the main controls aimed at protecting the C-I-A triad.
To make information accessible (and modifiable) only to those who need it and can be trusted with it, organizations use authentication and authorization. Authentication is proving that a user is the person he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as a “smartcard”), or something about the user that proves the person’s identity (such as a fingerprint). Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program.
Users must be authenticated before carrying out the activity they are authorized to perform. Security is strong when the means of authentication cannot later be refuted—the user cannot later deny that he or she performed the activity. This is known as non-repudiation.
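As an added illustration (not part of the original article), the following Python sketch shows the controls above in the order the article gives them: authenticate the user, then check what the user is authorized to do, then refuse to act on a record whose integrity cannot be verified. The user names, passwords, rights and the record are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: user names, passwords and rights are invented.
_SALT = b"constructed-demo-salt"  # demo only; real systems use a random salt per user

def _pw_hash(password: str) -> bytes:
    """Slow, salted password hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {
    "alice": {"hash": _pw_hash("correct horse"), "rights": {"read", "write"}},
    "bob":   {"hash": _pw_hash("battery staple"), "rights": {"read"}},
}

def authenticate(user: str, password: str) -> bool:
    """Something the user knows: the password proves the claimed identity."""
    rec = USERS.get(user)
    candidate = _pw_hash(password)  # computed even for unknown users (same cost)
    if rec is None:
        return False
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare

def authorize(user: str, action: str) -> bool:
    """Does this already-authenticated user hold the right to perform the action?"""
    return action in USERS.get(user, {}).get("rights", set())

INTEGRITY_KEY = secrets.token_bytes(32)  # held only by the system storing the record

def seal(record: bytes) -> bytes:
    """Attach an HMAC tag so any later change to the record is detectable.
    Because the system also holds this key, the tag gives integrity, not
    non-repudiation; that needs a signature under a key only the user controls."""
    return hmac.new(INTEGRITY_KEY, record, "sha256").digest()

def verify(record: bytes, tag: bytes) -> bool:
    """Integrity check: a modified record (or tag) no longer matches."""
    return hmac.compare_digest(seal(record), tag)

def access(user, password, action, record, tag, new_content=b""):
    """Mediate one request: authenticate, then authorize, then check integrity.
    Returns (status, record, tag); a write produces a freshly sealed record."""
    if not authenticate(user, password):
        return ("denied: authentication failed", record, tag)
    if not authorize(user, action):
        return ("denied: not authorized to " + action, record, tag)
    if not verify(record, tag):
        return ("refused: loss of integrity detected", record, tag)
    if action == "write":
        return ("ok", new_content, seal(new_content))
    return ("ok", record, tag)
```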
No one on the Internet is immune. Those affected include banks and financial companies, insurance companies, brokerage houses, consultants, government contractors, government agencies, hospitals and medical laboratories, network service providers, utility companies, the textile business, universities, and wholesale and retail trades.
The CIA triad is a fundamental concept in security. Ensuring that all three facets of the CIA triad are protected is an important step in designing any secure system. However, it has been suggested that the CIA triad is not enough, and alternative models such as the Parkerian hexad (confidentiality, possession or control, integrity, authenticity, availability and utility) have been proposed. Other factors besides the three facets of the CIA triad, such as non-repudiation, are also very important in certain scenarios.