General Security Principle: Introduction

XcelToken Exchange
Published in XcelPay Magazine
Oct 8, 2019

The CIA triad is a core principle of information security, governing the safe use, flow, and storage of information. CIA stands for confidentiality, integrity, and availability, the three main objectives of information security. For a deeper look into these objectives, check out our security training classes.

  • The Application Access Layer describes the notion that access to end-user applications has to be constrained to business need-to-know.
  • The Infrastructure Access Layer describes the notion that access to infrastructure components has to be constrained to business need-to-know. For instance, access to servers.
  • The Physical Access Layer describes the notion that physical access to any system, server, computer, data centre, or other physical object storing confidential information has to be constrained to business need-to-know.
  • The Data In Motion Layer describes the notion that data ought to be secured while in motion.
  • The little icon in the middle of the illustration shows the centre of information security and the reason for the emergence of the CIA principles; the icon represents information and the need to protect sensitive information.

Confidentiality

The aim of confidentiality is to ensure that information is hidden from people who are not authorized to access it. The confidentiality principle dictates that information should be viewed only by people with the appropriate privileges. The science (and art) used to ensure data confidentiality is cryptography, which involves encryption and decryption methods.

Confidentiality can be easily breached, so each employee in an organization or company should be aware of their responsibilities in maintaining the confidentiality of the information entrusted to them for the exercise of their duties. For instance, an employee who allows someone to take a glimpse of their computer screen while it is displaying confidential information may already have committed a breach of confidentiality.

Furthermore, confidentiality and privacy are often used interchangeably.

Below, we discuss cryptography and effective ways of protecting confidentiality, and we have included some tips on confidentiality agreements.

Cryptography

The beginnings of cryptography can be traced back thousands of years. However, contemporary cryptography differs substantially from the classic kind, which used pen and paper for encryption and was far less complex. The introduction of the Enigma rotor machine and the subsequent emergence of electronics and computing enabled the use of much more elaborate schemes and allowed confidentiality to be protected much more effectively.

Encryption is an accepted and effective way of protecting data in transit, and it is increasingly being used for protecting data at rest as well. The Computer Security Institute published the results of a survey in 2007, which showed that 71% of businesses used encryption for various data in transit while 53% used encryption for selections of data at rest. Furthermore, there are different techniques for preserving confidentiality depending on whether the data is in motion, at rest, or a physical object. Naturally, access controls are also a necessity for maintaining confidentiality. Access controls can consist of passwords, biometrics, or a mixture of both. Physical data is protected by somewhat similar means: access to the area where the information is kept may be granted only with the proper badge or another form of authorization, the information can be physically locked in a safe or a file cabinet, and there can be access controls, cameras, security, etc.

Encryption consists of changing the data located in files into unreadable characters that cannot be decoded unless the key is provided.

In manual encryption, the user utilizes software and initiates the encryption. In transparent encryption, the encryption happens automatically without any intervention on the side of the user.

Symmetric encryption transforms the data (in classical ciphers, by character substitution) with a single key, which is also the only means of decrypting the information. Conversely, asymmetric encryption uses two keys, a public key and a private key. Anyone may encrypt information with the public key, but it can only be decrypted by the holder of the private key.
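
The key relationships described above, shown as an added example that is not part of the original article. It uses Node.js's built-in crypto module; the choice of AES-256-GCM and RSA-OAEP, the function names and the sample message are assumptions of the example.

```javascript
const crypto = require('crypto');

// Symmetric (AES-256-GCM): the one secret key both encrypts and decrypts.
function symEncrypt(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]); // iv | tag | ciphertext
}

function symDecrypt(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the data was modified
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Asymmetric (RSA-OAEP): anyone holding the public key can encrypt...
function asymEncrypt(publicKey, plaintext) {
  return crypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, plaintext);
}

// ...but only the holder of the private key can decrypt.
function asymDecrypt(privateKey, ciphertext) {
  return crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, ciphertext);
}

// Returns true if fn() throws, i.e. decryption was refused.
function fails(fn) {
  try { fn(); return false; } catch (err) { return true; }
}

function demo() {
  const message = Buffer.from('constructed sample: account statement');
  const key = crypto.randomBytes(32);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sealed = symEncrypt(key, message);
  const wrapped = asymEncrypt(publicKey, message);
  return {
    symRoundTrip: symDecrypt(key, sealed).equals(message),
    symWrongKeyRejected: fails(() => symDecrypt(crypto.randomBytes(32), sealed)),
    asymRoundTrip: asymDecrypt(privateKey, wrapped).equals(message),
    asymPublicKeyCannotDecrypt: fails(() => asymDecrypt(publicKey, wrapped)),
  };
}

console.log(demo());
```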

Watch this space for more information on this topic!
