- Security is providing access to information based on credentials (authentication / authorization). However, security is also ensuring that information is protected even while in exchange, allowing neither information leakage (confidentiality) nor information tampering (integrity).
- Confidentiality services restrict access to the content of sensitive data to only those individuals who are authorized to view the data. Confidentiality measures prevent the unauthorized disclosure of information to unauthorized individuals or processes.
- Integrity services address the unauthorized or accidental modification of data. This includes data insertion, deletion, and modification. To ensure data integrity, a system must be able to detect unauthorized data modification. The goal is for the receiver of the data to verify that the data has not been altered.
- Non-repudiation services prevent an individual from denying that previous actions were performed. The goal is to ensure that the recipient of the data is assured of the sender's identity. Security is also assigning responsibility/accountability for actions (non-repudiation).
- Availability: security is also allowing information access at all times (availability) for the right people. Availability services prevent services from going down due to threats like Denial of Service (DoS) attacks.
- Integrity
- Confidentiality
- Identification & Authentication
- Non-repudiation
- Availability
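The integrity and non-repudiation services above, shown as an added Go example (not part of the original post): an HMAC tag lets the receiver detect tampering but, because both sides hold the same key, cannot prove to a third party who sent the message; an Ed25519 signature can, since only the private-key holder could have produced it. The key and messages are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Integrity: a keyed MAC (HMAC-SHA256) lets the receiver detect any change to
// the message. Sender and receiver share the key, so either could have made
// the tag: it proves integrity, but nothing to a third party (no non-repudiation).
func tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func verifyTag(key, msg, t []byte) bool {
	return hmac.Equal(tag(key, msg), t) // constant-time comparison
}

// Non-repudiation: only the private-key holder can produce an Ed25519 signature,
// while anyone with the public key can verify it, so the sender cannot deny it.
func verifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// demo runs both checks on a constructed message and a tampered copy of it.
// It returns (macOK, macTampered, sigOK, sigTampered).
func demo() (bool, bool, bool, bool) {
	key := []byte("constructed-shared-secret")      // constructed sample key
	msg := []byte("transfer 100 to account 42")      // constructed sample message
	tampered := []byte("transfer 900 to account 42") // constructed modified copy
	t := tag(key, msg)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, msg)
	return verifyTag(key, msg, t), verifyTag(key, tampered, t),
		verifySig(pub, msg, sig), verifySig(pub, tampered, sig)
}

func main() {
	macOK, macTampered, sigOK, sigTampered := demo()
	fmt.Println("MAC original/tampered:", macOK, macTampered, "signature original/tampered:", sigOK, sigTampered)
}
```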
Information Security framework can be categorized in 3 main tenets:
- People: this is usually in terms of security awareness spread among the employees, NDAs (Non Disclosure Agreements), security certifications, ISBS.
- Technology:
  - Preventive: Security infrastructure comprising firewalls, DMZ, anti-virus, VPN. This is defined by the deployment architecture. Comprehensive "threat modeling" is done, which analyzes all threats by dividing the architecture into zones and "asset classifications", and then the necessary means of preventing/mitigating those threats. These threats can be at the hardware level (operating system hardening, open ports, etc.), at the software or application level (SQL injection, etc.), or at the protocol level (HTTP, HTTPS, ...).
  - Detective: Although preventive measures are quite strong, there needs to be constant monitoring of security breaches and attempts. Event correlation tools, regular vulnerability scanners, port scanners, investigative tools, etc. need to be running to catch and fix loopholes in security.
  - Corrective: In case a security breach is caught, the threat must be immediately plugged: unnecessary ports need to be closed, viruses removed, threats mitigated.
- Processes: these help to implement the best practices for managing security.
  - Preventive: It could be hardening guidelines, an information security policy, change management such as a process for changing passwords, encoding keys, etc. It could also be code review, vulnerability scanning tools, ISMS, etc.
  - Detective: Processes also need to measure and monitor the security aspects in terms of audits, metrics and assessments.
  - Corrective: In case of any security breach, there need to be processes for mitigating it, changing the process to fill the new gaps, and adopting new technology.