What are the 3 principles of Information Security?

Home / Security Introduction / What are the 3 principles of Information Security?

Infosec, stands for information security and this is the process of protecting a company’s information assets from all types of risk. While cybersecurity focuses solely on protecting information assets from cyber attacks, information security is a superset of cybersecurity that includes physically securing information assets.

What are the goals of Information Security?

The ultimate goal of information security is to maintain the CIA triad within an organization. The elements of the CIA triad are:

Confidentiality: This means ensuring that only the authorized users have access to information. Whenever a company suffers from a data breach or data leak and individuals’ information is accessed by criminals, the public or employee’s that don’t have the proper authorization, confidentiality has been compromised. Some of the key security controls that you can use to maintain confidentiality are:

  • Encryption: Encrypting information ensures that even if an unauthorized user is able to get access to the information, without the decryption key the information will be in an unreadable format and therefore confidentiality will be maintained.

  • Strong Passwords: By having strong passwords it reduces the chances of someone being able to access accounts or resources by guessing the password.

  • Two factor authentication: 2FA supplements traditional login information (username and password) by requiring an additional code before granting someone access to a resource.

  • Identity and Access Management (IAM): IAM is the practice of ensuring that only the correct individuals are given access to resources. It follows something called the “least privilege model”, this means that users should only be given access to the resources needed to do their job and nothing more. This helps to enforce the confidentiality of information.

  • Proper Technical Controls: Technical controls include things like firewalls and security groups. These controls prevent people from accessing the company’s network and prevents them from obtaining company information without authorization.

  • Physical Locks and Doors: Physical security measures like cabinet locks, vaults, biometric scanners and door locks prevents people from physically sneaking into the company and taking company documents.

Many companies like KFC and coca cola keep their intellectual property and trade secrets in secure vaults.

Integrity: To protect information from being modified by unauthorized people and ensures that the information is trustworthy and accurate. Anytime information is modified by someone that isn’t authorized to do so, whether it was someone inside the company or outside, it is a violation of the information’s integrity. An example would be if the CFO sends a document to be examined or reviewed by the director of finance. The director of finance may try to manipulate the information without the CFO knowing in order to make his/her department look better, launder money etc. You need to have a means of knowing whether or not a document has been modified without your knowledge so that you can trust that document’s integrity. Also, in the event data is lost, you need to be able to recover all of that data or at least most of it from a trusted source. Some controls you can use to maintain integrity are:

  • Hashes: A hash is the output of a hashing algorithm such as MD5 or SHA. A hash algorithm takes a message of any size and creates a fixed sized value called a hash (eg 12 characters long). If any character in the original message is changed, it will result in a different hash being generated. By creating a hash of a message when you first receive it, you can later test to see if that message has been altered in any way.

    For example, say I have a word document on March 10th 2020, I use a hash algorithm to generate the hash 123456789. Then on March 15th, I want to check if anyone has modified that file, I can use the hash algorithm again and if the hash created is not the same, I know someone changed the contents of that file.

  • Secure Backups: By creating secure backups if you ever have doubts about the integrity of the data on a system you can reboot that system using the information you have in your backups. Hashes can be used with your backups to ensure that they have not been altered in any way. This way you can be confident that the information you are using to reboot your systems is accurate. A good example of when you will need this is if your company ever suffers a ransomware attack and is unable to recover your data.

  • User access controls: By controlling what information users have edit access to, you limit the potential for users to edit information without permission.

Notice how the hash changes significantly just because of a period at the end.

Availability: To ensure that the information is accessible to authorized people whenever it is needed. An example of this would be a website like Netflix. For most companies they want availability of at least 99.99%, which means that 99.99% of the time you go to Netflix you should be able to access the services that you want. In order to do this there are several practices you can implement to ensure that your company will have a high uptime:

  • Off site backups: Having off site backups ensures that if something happens you have a copy of data to restart your systems and keep your business going.

  • Disaster Recovery & Business Continuity Planning: These plans outline how your company should respond to certain types of situations such as earthquakes, floods, fires, hurricanes etc

  • Redundancy: This is when you make multiple instances of network devices and lines of communication so that if one device or line fails it doesn’t cause a loss of availability.

  • Failover: This is a backup node (system) that automatically switches into production in the event that the primary system fails.

  • Virtualization: This is the process of creating a software (virtual) version of something that physically exists. Usually this takes one piece of hardware and enables it to run multiple operating systems in virtual machines (VMs), this way you can have redundancy even though you only have 1 physical machine.

  • Proper Monitoring of the environment: You want to have proper monitoring through tools like a SIEM. This way you will know as soon as there is a problem in your environment and you can address the issue asap.

This an example of redundancy from Amazon Web Services resiliency recommendations

In addition to these three principles, there is a fourth principle that is very popular.
Non Repudiation: This means that users cannot deny that they have performed a particular action and it enables you to hold people accountable for their actions. It’s important that people can be held accountable for their actions and that people know they will be held accountable so that it deters negative behaviour. Also, in the event that someone does something against company policy or the law they can be punished and corrective action taken. Here are some tools that will allow you to enforce non repudiation:

  • Account logging and Monitoring: It’s important to log the activities of users on different accounts so that you know who did what and can trace that back to an individual. Typically, each user should also have their own account so that no one can deny that they performed an action.

  • Digital Signatures: Digital signatures function similar to written signatures, they verify an individual’s identity. Usually used to sign messages or contracts.

  • Read Receipts: When you send an email, text or notification most platforms allow you to request some type of read receipt. This confirms that the person received the message and records the time.

Digital Signatures Explained

Final Thoughts

The CIA triad along with non repudiation are the 4 main goals of information security. Not only are they important for the protection of the company interest’s but they also help to protect consumer’s by keeping their information out of the hands of people that shouldn’t have it. Additionally, there are many privacy laws and regulations that require companies to take reasonable steps to protect the information of their customers. It’s important that companies implement multiple security controls for each of the three elements of the triad to ensure that they are sufficiently protected.