Since security and privacy are paramount in today’s highly connected world, security-conscious organizations depend heavily on software solutions to keep their data safe and their information private.
Security is a necessary precondition for the operational use of information systems and informational self-determination. The more it is a pity that the actual relevance of IT security is often only recognized when absent, so that respecting compliance requirements for all areas where computers are used remains challenging.
Although, the industry is continuously working hard to make the Internet more secure for users, dealing with more and more complex business processes and technologies make it hard for users to gain confidence regarding security issues.
At least, the confidentiality, integrity, and availability (CIA) triad, one of the core principles of information security, I want to highlight again:
- Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems, enforced usually by encryption or by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. Actually, confidentiality is necessary for maintaining the privacy of the people whose personal information a system holds.
- Integrity in information security means maintaining and assuring the accuracy and consistency of data over its entire life-cycle, implying that data cannot be modified in an unauthorized or undetected manner. Information security systems typically provide message integrity in addition to data confidentiality.
- Availability is a must for any information system to serve its purpose when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly and be available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.
Of course, there are more fine-tuned concepts as well, such as the nine generally accepted principles of the OECD Guidelines for the Security of Information Systems and Networks, which are awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment, or the Engineering Principles for Information Technology Security of the National Institute of Standards and Technology (NIST) that even proposes 33 principles, to name just a few.
Besides all these guidelines, let’s make a note that IT security will never be a static process but dynamic, depending on the technical developments. At times, when there were just a few mainframe computers that were served exclusively by experts, IT security hardly played a role - and if so, mainly focused on the physical protection of access to the system. But with the increase in electronic representations, networking, and control of real processes in information systems, the scope of the term "IT security" expanded and influenced the type of required security mechanisms, too.
Quite obviously, IT security has different aspects, which is why it is crucial to clarify systematically and in detail what has to be protected, what threats exist and can be carried out, based on what security gaps and vulnerabilities are there. In fact, the three mentioned protection goals can always serve as useful guideline: Confidentiality aims to hide information and resources (e.g., manufacturing data, record communications) from prying eyes; integrity focuses on the intactness of information and resources and aims to protect them from unauthorized changes; and constant availability is of course required to fight threats that violate the protection goals of IT security and can lead to damage.
Cryptography, as well as its follow-up mechanisms, are of course the basics, besides antivirus programs, which detect known viruses, worms and Trojans, and prevent their execution. Still, despite all these protection mechanisms, technically not all attacks can be completely blocked, since we have to consider human mistakes and social engineering tactics, such as phishing attacks, too.
Security is an ongoing process of exercising due care and due diligence to protect information and systems from unauthorized access, use, disclosure, destruction, modification, disruption or distribution. It is a never ending process that involves ongoing training, assessment, monitoring and review, since it is an indispensable part of all the business operations across different domains.
By Daniela La Marca