This post focuses on essential Information Security Management Principles and the CIA Triad.
Information Security comprises three main principles: Confidentiality, Integrity, and Availability.
The property that information is not made available or disclosed to unauthorised individuals, entities or processes (ISO 27001)
Confidentiality helps to prevent the unauthorised disclosure of data. Methods such as authentication, access control/authorisation, cryptography and physical security can be used to ensure confidentiality is maintained.
- Authentication - identifying a user based on a username/password, biometrics (fingerprint/retina/voice) or, in some instances, other physical characteristics
- Access Control - allow/deny access to data on an individual or group basis
  - Mandatory Access Control (MAC) - uses labels (security/sensitivity labels) to determine access to a resource. Both users and objects (files/folders etc.) are assigned labels. If the labels don’t match, access is denied.
  - Discretionary Access Control (DAC) - every object (files/folders etc.) has an owner, and the owner establishes access for the object.
  - Role Based Access Control (RBAC) - uses roles to manage rights and permissions for users based upon their assigned jobs, functions and tasks within the organisation.
  - Rule based Access Control (RBAC) - access is allowed/denied to a resource based on a set of predefined rules, e.g. an Access Control List (ACL), firewall/router rules etc.
- Authorisation - the process of giving users access to a system/object/location based on their identity
- Cryptography - encrypting plaintext data so that it remains confidential should it fall into the wrong hands
- Physical Security - controlling entry/exit at the different boundary points of a location
  - Perimeter - fences around the perimeter, security patrols etc.
  - Building - only authorised personnel allowed in; security guards, video cameras, proximity cards, cypher locks, etc.
  - Secure work areas - restricted access to important areas inside the building
  - Server and network devices - designated areas for storage of essential hardware, accessible only by IT personnel
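To make the four access control models above concrete, here is a small added example (not code from the original post) that implements one decision function per model. All subjects, objects, roles and rules are constructed sample data. The MAC check generalises the post's "labels must match" rule into the usual clearance-dominates-classification test, so a subject cleared to a level may read objects at or below that level; the rule-based check uses an ordered ACL with first-match semantics and a default deny.

```python
"""Toy access-control decisions for MAC, DAC, RBAC and rule-based models.
Added illustration with constructed data; not the post's own code."""
import ipaddress
from dataclasses import dataclass, field

# --- Mandatory Access Control: ordered sensitivity labels (constructed) ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_allows(subject_label: str, object_label: str) -> bool:
    """Allow read access when the subject's clearance dominates the object's label."""
    return LEVELS[subject_label] >= LEVELS[object_label]

# --- Discretionary Access Control: the owner decides who else may access the object ---
@dataclass
class DacObject:
    owner: str
    grants: dict = field(default_factory=dict)  # user -> set of permissions

def dac_allows(obj: DacObject, user: str, permission: str) -> bool:
    """The owner always has access; everyone else gets only what the owner granted."""
    if user == obj.owner:
        return True
    return permission in obj.grants.get(user, set())

# --- Role Based Access Control: permissions hang off roles, users hold roles ---
ROLE_PERMISSIONS = {
    "analyst": {"read_logs"},
    "admin": {"read_logs", "write_config", "delete_user"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}

def rbac_allows(user: str, permission: str) -> bool:
    """Allow when any of the user's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# --- Rule based Access Control: ordered firewall-style ACL, first match wins ---
ACL = [
    ("allow", "10.0.0.0/8", 22),    # SSH only from the internal range
    ("deny", "0.0.0.0/0", 22),      # SSH from anywhere else is blocked
    ("allow", "0.0.0.0/0", 443),    # HTTPS open to all
]

def rule_allows(src_ip: str, dst_port: int) -> bool:
    """Walk the ACL in order; the first matching rule decides, else default deny."""
    addr = ipaddress.ip_address(src_ip)
    for action, network, port in ACL:
        if port == dst_port and addr in ipaddress.ip_network(network):
            return action == "allow"
    return False  # nothing matched: deny by default

if __name__ == "__main__":
    print("MAC  confidential->internal:", mac_allows("confidential", "internal"))
    doc = DacObject(owner="alice", grants={"bob": {"read"}})
    print("DAC  bob write:", dac_allows(doc, "bob", "write"))
    print("RBAC alice delete_user:", rbac_allows("alice", "delete_user"))
    print("Rule 203.0.113.5 -> :22:", rule_allows("203.0.113.5", 22))
```

Note that every function falls through to a deny: an unknown user, an unmatched packet or a missing grant never yields access by accident, which is the property you want from any access control check regardless of the model behind it.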
The property of safeguarding the accuracy and completeness of assets (ISO 27001)
Integrity aims to ensure data has not been modified, tampered with or corrupted.
When changes do occur to data that are unauthorised or unintended, data integrity is lost. Only authorised users should have the authority to alter, update or delete information. This is a fundamental principle of information assurance.
Hashing techniques can be used to verify integrity. Executing a hashing algorithm (md5/SHA) against the data in question gives us a hash. If the data has not been modified, the resulting hash will always remain the same.
If we compare hashes taken at two different points in time, we are able to determine whether the original data has maintained its integrity. If the hashes are the same, our data has not changed. If the hashes are different, our data has been altered and we have lost data integrity.
Hashes have a plethora of uses, such as email/message integrity, file download integrity and can even help in identifying known malware.
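The compare-hashes-over-time check and the known-malware lookup described above, as an added example that is not part of the original post. The file contents and the "known bad" digest set are constructed for the demonstration; in practice the baseline digest is stored somewhere the attacker cannot also alter, and the lookup set comes from a threat-intelligence feed.

```python
"""Integrity verification and known-hash lookup with cryptographic hashes.
Added illustration with constructed data; not the post's own code."""
import hashlib
import hmac
import os
import tempfile

def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()

def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """Hex digest of a file, read in chunks so large files do not need to fit in RAM.
    SHA-256 is the default: MD5 and SHA-1 are no longer collision resistant, so an
    attacker can craft two different inputs with the same MD5/SHA-1 digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def integrity_intact(baseline_hex: str, current_hex: str) -> bool:
    """Compare a stored baseline digest with a freshly computed one.
    compare_digest runs in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(baseline_hex, current_hex)

# Constructed stand-in for a known-malware hash set (real feeds publish SHA-256 values).
KNOWN_BAD = {digest(b"constructed sample of a known-bad file")}

def matches_known_malware(data: bytes) -> bool:
    """True when the data's SHA-256 digest appears in the known-bad set."""
    return digest(data) in KNOWN_BAD

def demo_file_tamper() -> tuple:
    """Write a constructed file, record its baseline, tamper with it, and
    re-check. Returns (intact_before_change, intact_after_change)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"quarterly report v1\n")
        baseline = hash_file(path)          # taken at time T1 and stored safely
        before = integrity_intact(baseline, hash_file(path))
        with open(path, "ab") as f:         # unauthorised modification
            f.write(b"one extra line\n")
        after = integrity_intact(baseline, hash_file(path))  # re-checked at T2
        return before, after
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("sha256 of empty input:", digest(b""))
    print("intact before/after tampering:", demo_file_tamper())
    print("known malware:", matches_known_malware(b"constructed sample of a known-bad file"))
```

Even a one-byte change flips the digest completely, which is why the check is binary: either the digests match and the data is unchanged, or they differ and integrity is lost. A plain hash only detects accidental or unauthorised change when the baseline is trustworthy; if an attacker can rewrite the stored digest as well as the file, you need a keyed MAC or a signature over the digest instead.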
The property of being accessible and usable upon demand by an authorised entity (ISO 27001)
Availability is important in ensuring that data and services are available to authorised users when required. This may be within a defined time frame, e.g. 9am-5pm, or 24/7.
Fault tolerance and redundancy are critical components of availability; they aim to eliminate Single Points of Failure (SPOF). The following information security management practices are crucial to maintaining availability:
- Disk Redundancies - RAID-1 (mirroring) & RAID-5 (striping with parity) allow systems to keep running if a disk fails
- Server Redundancies - failover clusters are a group of servers that work in unison to maintain availability of applications and services. Should a server fail, the service will switch from the failed server to an operational server in the same cluster. Virtualisation can also be leveraged in maintaining data availability.
- Site Redundancies - should a natural disaster occur, an alternative site should be ready and available 24/7
  - Hot site - location ready and available 24/7
  - Cold site - location where equipment, data, and personnel can move into when required
  - Warm site - somewhere in the middle of a hot and cold site.
- Backups - you should have backups for your backups, and backups for your backups’ backups, and backups…
- Alternate Power - generators and Uninterruptible Power Supplies (UPSs)
- Cooling Systems - Heating, Ventilation and Air-Conditioning (HVAC) systems
The CIA triad is a fundamental information security methodology, and should be implemented to its full extent in order to provide maximum security for your organisation’s data.