Posted by: James Murray
information security, Modern Network Architecture, Network Architecture
There seems to be a boring side to Information security and an almost sexy side to data security. Don’t forget to change your password, backup your data, disaster recovery is the boring side. Ok these are interesting subjects, but talk to a client about countering international gangs of hackers
The three core principles I was originally trained to think in terms of were
Confidentiality – Preventing disclosure of information to unauthorized individuals inside or outside the system.
Integrity - Integrity systems confirm whether a data packet has been modified.
Availability – practices that ensure availability of the data
In 2002 the international policy organization OECD (Organization for Economic Co-operation and development) expanded these to include:
Authenticity – Authentication of data passed between two known identities.
Non-Repudiation – Systems that allow online contractual obligations can be enforced
When strategizing information security we can think about the life cycle of the data. The life cycle starts with the creation of the data and ends with the disposal of the data. During the cycle there are points in the cycle when the data is in motion and when the data is at rest. At each point or management point requires an administrative control, logical control and/or a physical control. At each management point a new control is added or subtracted from the data. Controls are packed and then unpacked throughout the life cycle of the data.
When discussing this with a management team I’ve found that writing out a process diagram helps me understand and better explain the process. By doing this, I’ve found that management teams better understand and will even begin contributing to the security process.
These controls are made up of security mechanisms. Some of the physical controls include
Disk Encryption – Encrypting a data on a physical drive or piece of hardware
Backups - Copying data to a separate location
Data masking – Obscuring specific data in a database table or cell
Data erasure – Overwriting specific sections of the media where data has been erased
Other controls affect data in transit
Checksum – a fixed-sized component of the packet used to detect errors
Packet signing – Simple hash in the packet that identifies a packet that has been opened
Data encryption – Encrypting the data portion of the packet
Tunneling encryption – A data packet security strategy that encrypts the entire packet. At the same time, provides a layer 3 address that allows passage across public and private routers.
Network security is mostly about understanding your tools. Physical mechanisms can be a simple as locking the door to the server room. The day to day transactions of fixing forgotten passwords and managing security groups can be a little boring. Yet that’s really what you want. As system become more complex, we need to understand the holes in the packets we send as well as the access control holes that keep the bad guys out or the employees in the right places