What are the basic principles of information security?
Because security breaches and cyber-attacks are growing daily, it’s important to understand the basics of information security and how to apply them to your business or individual needs. In this article, we’ll discuss the CIA triad, which outlines three fundamental principles of information security: confidentiality, integrity, and availability (CIA). The goal of any information security program should be to protect the data you have from being corrupted or destroyed and from being accessed by those who shouldn’t have access to it.
What are the basic principles of information security?
- Confidentiality is part of both availability and integrity
- For information to be secure, it must be free from unauthorized access
- Rules in designing an authentication system
Confidentiality is part of both availability and integrity
Confidentiality is a basic tenet of information security. Confidentiality is about protecting your data from unauthorized disclosure—in other words, keeping it safe from prying eyes. There’s an obvious connection between confidentiality and integrity: if you can’t trust that something has been kept confidential, it becomes difficult to rely on its integrity. A third basic principle called availability concerns how quickly a given piece of data or system can be accessed by authorized users at any given time.
The basic tenets of information security are confidentiality, integrity, and availability. Every element of an information security program must be designed to implement one or more of these three basic principles. Together they form a group known as the CIA triad — confidentiality, integrity, and availability. It’s best to think about these concepts separately but keep in mind that they’re interrelated; if you achieve one successfully, you’ll have fewer issues with its counterparts. For example, if you can make sure that confidential data is always available to authorized users, then most likely it’s also safe from unauthorized disclosure because no one but those authorized users will have access to it. Finally, if it’s safe from unauthorized disclosure, then by definition it’s not being tampered with.
For information to be secure, it must be free from unauthorized access
Confidentiality. Protecting information from unauthorized access protects confidentiality because it ensures that those who should not be able to access your confidential information cannot do so. Confidentiality is achieved through controls such as physical security and logical security measures. For example, if you want to ensure that only authorized people have access to your company’s financial records, then you should limit physical access to your company’s financial files and databases with appropriate physical barriers (such as fences and locks), guard dogs, etc., encrypt any data stored on laptop computers or external storage devices (e.g., USB drives), and ensure that staff follow best practices regarding logging in to various applications and systems using a secure login process (for example, using two-factor authentication).
For information to be secure, it must be free from unauthorized modification
Integrity. Protecting data from unauthorized modification ensures that you know exactly what a system or application is doing and its current state at any given time. For example, in an online banking application, you want to ensure that if a customer enters $1,000 as their checking account balance, then that’s exactly what appears on the statement. However, if someone were to modify data in transit, then they could enter $10 instead of $1,000 (and still display $1,000), and those changes would never appear on your statement.
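One way a receiver can detect the in-transit modification described above is a keyed integrity tag (HMAC) over the message. The following is an added Python example, not code from the article; the shared key and the bank message are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example; in practice it lives in a secret store.
SHARED_KEY = b"example-shared-key-not-for-production"


def protect(message, key=SHARED_KEY):
    """Serialize the message canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(envelope, key=SHARED_KEY):
    """Recompute the tag over the received body; constant-time compare avoids timing leaks."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def simulate_in_transit_change(envelope, new_balance):
    """Model the scenario in the text: the balance field is altered on the wire,
    but whoever alters it has no key, so the original tag is carried unchanged."""
    body = json.loads(envelope["body"])
    body["balance"] = new_balance
    return {"body": json.dumps(body, sort_keys=True, separators=(",", ":")),
            "tag": envelope["tag"]}


def statement_balance(envelope, key=SHARED_KEY):
    """What the statement should show: the balance only if the tag verifies, else None."""
    if not verify(envelope, key):
        return None
    return json.loads(envelope["body"])["balance"]


if __name__ == "__main__":
    original = protect({"account": "CHK-0001", "balance": 1000})  # constructed sample
    print("untouched:", statement_balance(original))  # 1000
    print("modified :", statement_balance(simulate_in_transit_change(original, 10)))  # None
```

Note that the tag proves integrity only, not confidentiality: the balance is still readable on the wire, so transport encryption (TLS) is still needed.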
Rules in designing an authentication system
- Something You Know
- Something You Have
- Something You Are
- Somewhere You Are
Before we begin designing an authentication system, let’s first consider some basic principles. There are four elements to any good authentication system: something you know, something you have, something you are, and somewhere you are. I recommend that all of your systems include all four. If one of these components is missing from a given system, it will be more vulnerable to attack by hackers or malicious insiders than if all components were present and implemented correctly. In order for them to be effective, each individual element must also adhere to some basic rules:
1) Something You Know –
Passwords should be at least 8 characters long and contain both letters and numbers. They should not contain personal information such as birthdays, phone numbers, or addresses. Passwords should not contain easily guessed words such as "password", "qwerty", or "12345678". A password manager can help users generate strong passwords without having to remember them all themselves.
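The rules above as a policy checker, plus the generator step a password manager performs, as an added Python example that is not from the original article; the denylist, the personal-information inputs and the sample passwords are constructed.

```python
import re
import secrets
import string

MIN_LENGTH = 8
# Constructed denylist from the words named in the text; a real policy uses a breach corpus.
EASILY_GUESSED = {"password", "qwerty", "12345678"}


def check_password(candidate, personal_info=()):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must contain both letters and numbers")
    problems += [f"contains easily guessed word '{w}'"
                 for w in sorted(EASILY_GUESSED) if w in lowered]
    for item in personal_info:
        # Compare the raw value and its digits-only form (birthday 1990-04-12 -> 19900412).
        forms = {item.lower(), re.sub(r"\D", "", item)}
        if any(f and len(f) >= 4 and f in lowered for f in forms):
            problems.append(f"contains personal information derived from '{item}'")
    return problems


def generate_password(length=16):
    """What a password manager does: draw random characters until the policy is satisfied."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print(check_password("password1"))       # ["contains easily guessed word 'password'"]
    print(check_password("Alice19900412x", personal_info=("Alice", "1990-04-12")))
    print(generate_password())
```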
2) Something You Have –
Users should never write down their passwords on sticky notes attached to their monitors (or worse yet in plain sight). Password vaults can store large numbers of passwords in encrypted form so they can only be accessed with a master password known only by the user.
3) Something You Are –
Biometrics such as fingerprints, voice recognition, and facial recognition are all examples of "something you are" authentication systems. While these methods have been used for years, they still have some significant drawbacks which make them less than ideal for use as standalone authentication systems.
4) Somewhere You Are –
Two-factor authentication is one way to address concerns about "somewhere you are" authentication. With two-factor authentication, users must provide not only something they know but also something they have or something that uniquely identifies them before being granted access to a system or resource.