Constant change in the technology landscape has been mirrored by the steady evolution of information security. The current information system environment is increasingly complex, comprising storage, servers, LANs/WANs, workstations, Unified Communications, Intranet, and Internet connections.
Increased threat sophistication requires equally effective defense responses. Defining corporate-wide security policies is the critical first step; measuring compliance, collecting logs and audit trails, and using outsourced security services and point products build on that foundation. Based on the C-I-A information security triad (Confidentiality, Integrity, Availability), the key areas to address are captured by three questions: “Who sees the data?” (confidentiality), “Has the data been corrupted?” (integrity), and “Can I access the server and data as needed?” (availability).
The range of security-based concerns and solutions is extensive and covers operational, procedural, environmental, and system-related areas. In this white paper, we’ll explore the principles of information security and the four standards of security-based CIA that can effectively protect your environment.
Standard 1: Operational Security and Identity Access Management (IAM)
Identity/Access Management (IAM) tools and processes offer a critical framework for managing electronic identities. Moreover, well-defined business policies for IAM and for assigning access rights should be centrally controlled and enforced consistently across an organization.
A centralized framework supports the critical processes that are the basis for successful identity, access, and risk management. They include:
- Establishing compliance initiatives and meeting regulation requirements
- Controlling user access/instituting lifecycle management
- Ensuring accountability
- Automating processes to manage access risk
- Separate Security Agents: Individual, discrete agents manage network, endpoint, and virtual security.
- Multi-vendor Approach: Layering protection from more than one vendor lowers overall risk, because a threat that evades one vendor’s agent may still be denied by the second.
- Security Intelligence Layer: An intelligence layer that gives an integrated view across the entire landscape lets separate point products be correlated and managed as one. Combined with the security products already in place, it offers more comprehensive protection and better value than replacing them.
- Least Privilege: Each user, administrator, IT staff member, and process is granted only the privileges its task requires. Fewer capabilities mean fewer opportunities for abuse and a smaller blast radius when an account or component is compromised.
- Minimization: Systems are not used for anything beyond their designated function, and unneeded services, accounts, and software are removed. The smaller attack surface increases security, reduces misuse, and often improves performance as well.
- Compartmentalization: Dividing the environment into compartments (network segments, separate accounts, isolated workloads) limits the damage from an unforeseen disaster or attack: the effects are contained within one compartment until a remedy is found, rather than spreading across the whole organization.
Standard 2: Ensuring Procedural Security
The first step in procedural security is identification: a stakeholder states who they are. Once a stakeholder is identified, authentication and then authorization can take place. Authentication rests on three factors: what you know (passwords, PINs, codes), what you have (keys, tokens, authenticator devices), and what you are (biometrics such as a fingerprint or iris). Combining two different factors is stronger than either alone, because an attacker must compromise both.
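The two-factor check described above, as an added example that is not part of the original white paper: the "what you know" factor is a password stored only as a salted PBKDF2 hash, and the "what you have" factor is a time-based one-time code (TOTP, RFC 6238) from an authenticator. Only the Python standard library is used. The user record, its salt, the iteration count, and the TOTP secret (which is the RFC 6238 test-vector secret) are constructed for illustration.

```python
"""Two-factor authentication: something you know (password) plus something you
have (a TOTP authenticator). Added example, standard library only."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune so one hash takes ~100 ms on your hardware
TOTP_STEP = 30               # seconds per RFC 6238 time step
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a key from the password with a random salt; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = unix_time // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift).encode(), code.encode())
        for drift in range(-window, window + 1)
    )


# Constructed user store: one user enrolled with a password and a TOTP secret.
ALICE_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret, illustration only
_ALICE_SALT, _ALICE_KEY = hash_password("correct horse battery staple")
USERS: Dict[str, Dict[str, bytes]] = {
    "alice": {"salt": _ALICE_SALT, "key": _ALICE_KEY, "totp_secret": ALICE_TOTP_SECRET},
}
# Dummy record hashed for unknown users so response time does not reveal which usernames exist.
_DUMMY_SALT, _DUMMY_KEY = hash_password("dummy")


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. The second factor is evaluated even when the first
    fails, so timing does not reveal which factor was wrong."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_KEY)
        return False
    password_ok = verify_password(password, record["salt"], record["key"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    good = authenticate("alice", "correct horse battery staple", totp(ALICE_TOTP_SECRET, now), now)
    bad = authenticate("alice", "correct horse battery staple", "000000", now)
    print("valid login:", good, "| wrong code:", bad)
```

The drift window is a deliberate trade-off: one step either side keeps logins working when the phone's clock is off by a few seconds, at the cost of three valid codes per 30-second period. A production service would also record the last accepted counter per user so a code cannot be replayed within its window.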
Logs and audit trails are the next step in procedural security. Logs record who did what, to which resource, and when; audits review those records to confirm that the security actions that were supposed to be performed were in fact carried out and that the controls worked as intended.
In terms of confidentiality, the ease with which ordinary security controls can be circumvented has led to more stringent measures such as cryptography. Encryption converts plaintext into ciphertext, providing confidentiality: without the key, the ciphertext cannot be read. The Advanced Encryption Standard (AES) is a fast, efficient symmetric cipher and the usual choice for data at rest; a Trusted Platform Module (TPM) does not encrypt the drive itself but holds and protects the key used by whole-drive encryption software, releasing it only to a system whose boot state matches what was sealed; and S/MIME encrypts email.
To ensure integrity, a hashing algorithm produces a hash, a fixed-length digest of the data, that serves as a reference value. Detection systems recompute the hash of files of every type, including emails, and compare it with the stored reference; any difference, for example a file that has been infected with a virus, shows that the file has lost integrity. A plain hash only detects change, however: an attacker who can modify the file and the stored reference can simply recompute both, so the reference values must be kept where the attacker cannot reach them, or be computed with a keyed hash (an HMAC) or a digital signature whose key the attacker does not hold.
Procedural controls for protecting against loss of availability extend to systems that provide redundancy, backups, and fault tolerance. Backups ensure that data can be restored to a known state after loss or corruption, provided they are taken frequently and tested; redundancy extends to servers that provide failover protection when a component fails.
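The integrity check described under hashing above, as an added example that is not from the original white paper: a baseline of file digests is built, later contents are compared against it, and each path is reported as unchanged, modified, missing, or new. It also shows why the reference values need protection: an attacker who can rewrite the baseline forges a plain SHA-256 entry successfully but cannot forge an HMAC-SHA256 entry without the key. The sample file tree, the tampering, and the key are constructed for illustration; in practice the key and the baseline would be held off the monitored host.

```python
"""File-integrity baseline and check with a keyed hash (HMAC-SHA256).
Added example, standard library only; file contents and key are constructed."""
import hashlib
import hmac
from typing import Dict, Optional

INTEGRITY_KEY = b"constructed-key-keep-this-off-the-monitored-host"  # placeholder key


def digest(data: bytes, key: Optional[bytes]) -> str:
    """Plain SHA-256 when key is None; HMAC-SHA256 under `key` otherwise."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(files: Dict[str, bytes], key: Optional[bytes]) -> Dict[str, str]:
    """Map each path to the digest of its trusted content."""
    return {path: digest(content, key) for path, content in files.items()}


def check_integrity(files: Dict[str, bytes], baseline: Dict[str, str],
                    key: Optional[bytes]) -> Dict[str, str]:
    """Classify each path as ok, modified, missing (in baseline, not present) or new."""
    report: Dict[str, str] = {}
    for path, expected in baseline.items():
        if path not in files:
            report[path] = "missing"
        elif hmac.compare_digest(digest(files[path], key), expected):
            report[path] = "ok"
        else:
            report[path] = "modified"
    for path in files:
        if path not in baseline:
            report[path] = "new"
    return report


def attacker_rewrites_baseline(baseline: Dict[str, str], path: str,
                               new_content: bytes) -> Dict[str, str]:
    """An attacker who can write both the file and the baseline recomputes the
    entry with plain SHA-256. They do not hold INTEGRITY_KEY, so this is the
    best they can do against a keyed baseline."""
    forged = dict(baseline)
    forged[path] = hashlib.sha256(new_content).hexdigest()
    return forged


# Constructed sample tree (contents are stand-ins, not real system files).
ORIGINAL: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/sbin/sshd": b"\x7fELF...original sshd image...",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}
# Constructed tampering: config weakened, one file removed, one file dropped.
TAMPERED: Dict[str, bytes] = dict(ORIGINAL)
TAMPERED["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
del TAMPERED["/etc/passwd"]
TAMPERED["/tmp/.dropper"] = b"#!/bin/sh\necho pwned\n"


def demo() -> Dict[str, str]:
    """Run the keyed check over the tampered tree and return the report."""
    baseline = build_baseline(ORIGINAL, INTEGRITY_KEY)
    return check_integrity(TAMPERED, baseline, INTEGRITY_KEY)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9s} {path}")
    plain = build_baseline(ORIGINAL, None)
    forged = attacker_rewrites_baseline(plain, "/etc/ssh/sshd_config", TAMPERED["/etc/ssh/sshd_config"])
    print("forged plain-hash entry passes check:",
          check_integrity(TAMPERED, forged, None)["/etc/ssh/sshd_config"] == "ok")
```

The keyed variant turns the baseline into evidence that only the key holder could have produced; the same effect can be had with a signature over an unkeyed baseline, which is what package managers and most commercial integrity monitors do.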
Standard 3: Taking Control of Physical Environment Security
Distributed Denial of Service (DDoS) attacks aim directly at availability; cross-site scripting and Advanced Persistent Threats (APTs) more often target confidentiality and integrity, but can also disrupt operations. All of them strike at the heart of data centers that are built around near 24/7 access.
Although less frequent, natural and man-made disasters also affect availability. To ensure physical security, frequent off-site backups are critical, and redundancy is a key feature of environment security.
Operational measures for protection overlap with initiatives that ensure physical environment security. A multi-layer approach covers any shortfalls or inadequacies in a single control; it includes the separate security agents, the multi-vendor approach, and the security intelligence layer described under Standard 1.
In addition to the multi-layer approach, having good Business Continuity (BC) and Disaster Recovery (DR) capabilities in place is critical. These are key components of effective physical environment security.
Standard 4: Network/Application Security
Generally, the most effective and secure network environments are based on the principles of least privilege, minimization, and compartmentalization. These are also considered universal security principles and can be applied to a number of areas.
Information security is no longer just about protecting data. Businesses need to formulate coherent, systematic approaches to security, incorporating regulatory compliance, periodic assessments, and the application of relevant tools to find and reduce security issues.
Effective authentication and authorization are basic principles that should be applied along with log-keeping and audit trails. Moreover, any physical environment should incorporate a multi-layer approach to compensate for inadequacies. Finally, effective protection of applications and networks is essential.
Security requires a framework based on the concepts of least privilege, minimization, and compartmentalization to provide a comprehensive approach to company-wide security. Such a framework helps to ensure that an organization’s information security approach is both well-rounded and flexible enough to meet current and future threats.
This is an excerpt from the Global Knowledge white paper, Applying the Four Standards of Security-Based CIA.
About the Author
Kerry Doyle (MA, MSr, CPL) writes for a diverse group of companies based in technology, business, and higher education. As an educator, former editor at PC Computing, reporter for PC Week Magazine, and editor at ZDNet/CNet.com, he specializes in computing trends vital to IT professionals, from virtualization and open source to disaster recovery and network storage.