Information Security Fundamentals
In my continuing effort to keep this website from exclusively becoming a “Discovering Python” blog, I thought that today I would write about another digital obsession: Information Security.
Back in the day only folks in the industry needed to be concerned about digital security. These days everyone who shops at Amazon, has a cell phone, or logs in to a company portal – meaning basically everyone – should take information security seriously.
What is Information Security?
This is a loaded question. In a nutshell information security deals with protecting your data. This means securing all of the entities that process, transmit, and store your data as well.
This includes all devices, software, databases, networks, etc. that your data passes through or are stored on.
So imagine you want to send a message to someone securely, so that the message is “for their eyes only”.
- You type the message on your phone
- You use an app that encrypts and sends the message
- You send that encrypted message over the Internet or SMS network
- Your message is delivered to the recipient’s device
If all the hops along this path maintain their security, then only you and the recipient should know what the message says. If any piece of this chain is insecure, then information security cannot be guaranteed.
In the above example you have only limited control over how secure that message is: you don’t control the underlying software, the network, the recipient’s device, etc.
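To make the hops concrete, here is an added example (not code from the original post) of the encrypt-and-send step. It assumes the sender and recipient already share two secret keys out of band, and it uses a one-time pad plus an HMAC so that it needs only the Python standard library; a real messaging app would use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a vetted library instead. The relay in the middle only ever handles ciphertext, and a byte changed in transit is caught before anything is decrypted.

```python
"""Added example (not from the original post): an end-to-end encrypted
message that only the recipient can read, with tampering detected.

Assumptions not stated on the page: sender and recipient already share a
pad key (as long as the message, never reused) and a MAC key. The one-time
pad stands in for a real cipher so the example runs with the standard
library alone.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def encrypt_and_tag(plaintext: bytes, pad_key: bytes, mac_key: bytes) -> Tuple[bytes, bytes]:
    """Sender side. Confidentiality: XOR the message with a one-time pad.
    Integrity: HMAC-SHA256 over the ciphertext (encrypt-then-MAC)."""
    if len(pad_key) < len(plaintext):
        raise ValueError("one-time pad must be at least as long as the message")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad_key))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def verify_and_decrypt(ciphertext: bytes, tag: bytes, pad_key: bytes, mac_key: bytes) -> Optional[bytes]:
    """Recipient side. Check the tag first and refuse to decrypt anything that
    was modified on the way; None signals a rejected message."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, pad_key))


def simulate_hops(message: bytes) -> Dict[str, object]:
    """Walk one message through the hops listed above and record what happens
    at each: the relay, honest delivery, and a hop that alters one byte."""
    if not message:
        raise ValueError("message must not be empty")
    pad_key = secrets.token_bytes(len(message))   # constructed fresh per message
    mac_key = secrets.token_bytes(32)             # constructed shared MAC key
    ciphertext, tag = encrypt_and_tag(message, pad_key, mac_key)

    # The carrier or app server in the middle sees only ciphertext.
    relay_sees_plaintext = ciphertext == message
    # Honest delivery: the recipient recovers the text.
    delivered = verify_and_decrypt(ciphertext, tag, pad_key, mac_key)
    # An insecure hop that flips one bit: the tag no longer matches.
    altered = bytearray(ciphertext)
    altered[0] ^= 0x01
    tampered = verify_and_decrypt(bytes(altered), tag, pad_key, mac_key)
    return {
        "relay_sees_plaintext": relay_sees_plaintext,
        "delivered": delivered,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(simulate_hops(b"for your eyes only"))
```

The order of the two checks on the receiving side is the important design choice: the tag is verified before any decryption happens, so a modified message is dropped without ever being interpreted.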
How can I keep my data secure?
As illustrated above, you can only control so much of your own data security. Fortune reports that more than a billion people were affected by corporate data breaches in 2018.
So one of the most effective ways to improve your security odds is to do business with companies that have demonstrated a good security track record, or, more practically, to avoid companies that have demonstrated they are not trustworthy.
Information Security Concepts
Digging a little deeper, here are the three generally accepted pillars of information security:
Confidentiality – Only allow access to data that the user is permitted to see.
Integrity – Ensure data is not tampered with or altered by unauthorized users.
Availability – Ensure systems and data are available to authorized users when they need it.
Data confidentiality assures that private or confidential information is not made available or disclosed to unauthorized individuals.
Ideally this includes the ability for individuals to control or influence what information related to them may be collected and stored, by whom, and to whom that information may be disclosed.
Data integrity assures that information and programs are changed only in a specified and authorized manner, and that the system is free from deliberate or inadvertent unauthorized manipulation.
Data availability assures that systems work promptly and service is not denied to authorized users.
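The three pillars become easier to reason about when each one is a concrete check on a read path. The following added example (mine, not from the original post) is a small in-memory record store whose read operation enforces, in order: availability (a per-user request budget so one client cannot starve the rest), confidentiality (a deny-by-default access list that answers the same way for unknown records and forbidden ones), and integrity (an HMAC tag over each stored record that catches a change made behind the store's back). The record names, users, key and budget are constructed for illustration.

```python
"""Added example (not from the original post): a record store whose read
path enforces availability, confidentiality and integrity.

Everything here is constructed for illustration: the key, the record
names, the users and the request budget are not from the page.
"""
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


class PillarStore:
    """In-memory store that applies the three pillars on every read."""

    def __init__(self, integrity_key: bytes, requests_per_user: int) -> None:
        self._key = integrity_key                 # used only to tag stored records
        self._limit = requests_per_user           # availability: per-user budget
        self._records: Dict[str, bytes] = {}
        self._tags: Dict[str, bytes] = {}
        self._acl: Dict[str, Set[str]] = {}       # record name -> users allowed to read
        self._used: Dict[str, int] = {}           # user -> requests consumed so far

    def _tag(self, name: str, data: bytes) -> bytes:
        # Bind the tag to the record name so one record cannot be swapped for another.
        return hmac.new(self._key, name.encode() + b"\x00" + data, hashlib.sha256).digest()

    def put(self, name: str, data: bytes, readers: Set[str]) -> None:
        self._records[name] = data
        self._tags[name] = self._tag(name, data)
        self._acl[name] = set(readers)

    def read(self, user: str, name: str) -> Tuple[str, Optional[bytes]]:
        # Availability: a single client cannot exhaust the service for everyone else.
        used = self._used.get(user, 0)
        if used >= self._limit:
            return ("throttled", None)
        self._used[user] = used + 1
        # Confidentiality: deny by default, and answer identically for a record
        # that does not exist and one the user may not see, so names do not leak.
        if user not in self._acl.get(name, set()):
            return ("denied", None)
        # Integrity: refuse to serve stored bytes whose tag no longer matches.
        data = self._records[name]
        if not hmac.compare_digest(self._tag(name, data), self._tags[name]):
            return ("integrity-failure", None)
        return ("ok", data)

    def simulate_out_of_band_change(self, name: str, data: bytes) -> None:
        """Stand-in for a change that bypasses the API (a direct edit of the
        backing file, say); the stored tag is deliberately left untouched."""
        self._records[name] = data


def demo() -> Dict[str, str]:
    """Exercise each pillar once and return the status of every read."""
    store = PillarStore(integrity_key=b"\x42" * 32, requests_per_user=3)
    store.put("payroll", b"salary table", readers={"alice"})
    results: Dict[str, str] = {}
    results["alice_reads"] = store.read("alice", "payroll")[0]          # ok
    results["bob_reads"] = store.read("bob", "payroll")[0]              # denied
    results["bob_unknown"] = store.read("bob", "no-such-record")[0]     # denied
    store.simulate_out_of_band_change("payroll", b"salary table, edited")
    results["alice_after_change"] = store.read("alice", "payroll")[0]   # integrity-failure
    store.read("alice", "payroll")                                      # alice's third request
    results["alice_fourth"] = store.read("alice", "payroll")[0]         # throttled
    return results


if __name__ == "__main__":
    for step, status in demo().items():
        print(f"{step}: {status}")
```

Note that the budget check runs before the access check: if throttling came last, a client could still burn server effort on authorization lookups, which is exactly the kind of resource exhaustion the availability pillar is meant to prevent.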