Information Security Must Balance Business Objectives | Objectives of Computer Security (2024)

Information security is a relative term. It is effective only when it is balanced with business requirements, cost, and risk mitigation. Learn how to determine security requirements that mesh effectively with your business objectives, create policies that work for your organization, and use technology to implement your policies.

This chapter is from the book 

Secured Enterprise, The: Protecting Your Information Assets

Learn More Buy

This chapter is from the book

This chapter is from the book 

In this chapter:

  • The Four Objectives of Security: Confidentiality, Integrity, Availability, and Nonrepudiation

  • Roles and Responsibilities

  • Security Policy

  • Security Technology

Most of us understand how locks, barred windows, lit parking lots, and loud barking dogs can be used to make our office buildings more secure. Computer security can, in many ways, be compared with these physical security approaches. But, as with anything else that we translate from the real world to the computer world, we find that we must very firmly define our terminology and our business needs before the computer version can either be understood or made to work. In this chapter, we will define what computer security is and how it is achieved in a successfully secured organization. If you have no experience with computer security, you probably think that your computers already include solutions to these problems. In fact, most business people believe that. They are wrong.

Objectives of Computer Security

If you are new to computer security, you will soon learn that there is a lot more to it than keeping "evil" hackers out of your systems. Computer security has four objectives: confidentiality, integrity, availability, and nonrepudiation (NR). Securing information is equivalent to ensuring that computers keep your secrets, hold valid information, are ready to work when you are, and keep records of your transactions. Figure 1–1 shows the four objectives.

Figure 1–1 The four objectives of information security.

These first three objectives are the "motherhood and apple pie" of Information Technology (IT) departments. Unfortunately, too much apple pie can make you sick (or at least overweight), and too much security can be bad for business. We hope that this book will prepare you to understand how much security is enough for your business and why it is (and should be) up to you. The fourth objective becomes especially important when you transact business using computers for activities such as online sales or securities trading.

The three objectives of confidentiality, integrity, and availability can never be completely separated. The definitions and solutions overlap among the three. That is not a problem. We just need to keep the end goal in mind: computers that do what we want, when we want because we are the business owners of those computers. But they must do nothing for anyone else.

Confidentiality

The first objective of security is confidentiality: keeping information away from people who should not have it. Accomplishing this objective requires that we know what data we are protecting and who should have access to it. It requires that we provide protection mechanisms for the data while it is stored in the computer and while it is being transferred over networks between computers. We will need to know the application programs that we use (or could use) to manipulate the data and control the use of those applications. Luckily, the Chief Security Officer (CSO) and the IT team will handle the mechanics of doing all this—just as soon as we tell them how to figure out who should have access to which data and applications and how far to go in providing confidentiality (see "Relative Security," later in this chapter).

Key Point

Confidentiality mechanisms keep information from being read by unauthorized people.

In the Internet world, confidentiality has taken on an expanded meaning in the form of privacy controls. For some industries, such as health care and finance, privacy is now a regulatory issue. The U.S., European, Canadian, and Australian governments (with others following) have legislated privacy controls to varying degrees. Even U.S. companies in other industries are now governed by privacy legislation of other countries if they have employees or customers in any of those other geographies. We will cover the legal requirements for security in much more detail in a later chapter. In addition, public demand for privacy has forced many companies to formulate clear privacy policies to prevent their customers from going to competitors.

There are numerous technologies available to provide confidentiality for computer applications, systems, and networks. They will be described with their strengths, costs, and weaknesses in later chapters of this book.

Integrity

The second objective of security is integrity: assuring that the information stored in the computer is never contaminated or changed in a way that is not appropriate. Both confidentiality and availability contribute to integrity. Keeping data away from those who should not have it and making sure that those who should have it can get it are fairly basic ways to maintain the integrity of the data.

Key Point

Integrity mechanisms assure that information stored in the computer is never contaminated or changed in a way that is not appropriate.

But many security failures happen despite reasonably strong controls on who has access. Sometimes, the people we trust are not trustworthy. Sometimes, we need to extend levels of trust to people about whom we know little or nothing, such as temporary workers, third-party business partners, or consultants. Integrity constraints have to go beyond the simple "who" definitions and handle the "what" conditions. Once someone has been granted access, what operations can they perform on our computers? This leads to requirements for detailed constraints on different types of access within the computer system and, thus, to much of the complexity of a modern business computer system. If a typical end user can change the behavior of the operating system or network, anyone inside our company can stop business from being processed—intentionally or not.

The need for data integrity connects computer security to a closely related discipline: business continuity planning and data recovery. Data will eventually be damaged by hardware failure, software failure, human errors, or security failures. Recovery processes are a necessary part of any business IT plan and frequently are under the control of a security department.

Availability

The third objective of security is availability: ensuring that data stored in the computer can be accessed by the people who should access it. Availability is a broad subject addressing things such as fault tolerance to protect against denial of service and access control to ensure that data is available to those authorized to access it. Most computers can at least differentiate between two classes of users: system administrators and general end users. The major exceptions to this rule are the desktop operating systems that have become common on personal computers.

If you read, you'll find references in most IT publications describing Microsoft Windows 95/98, in all its versions, as being insecure. One of the reasons for this is that the operating system has no ability to discriminate between system administrators and general end users. Many other desktop operating systems have this same shortcoming. Anyone who uses one of these computers can change its security environment and can, in fact, turn security off. A few users in an enterprise deciding to turn off security can open the network to attack in some cases. Of course, these operating systems also have many other security weaknesses, even when security is turned on.

Key Point

Availability means ensuring that the data can be accessed by all authorized people.

Authorization should extend well beyond discriminating between system administrators and general end users. In a well-secured computer system, each user is assigned a series of corporate roles, typically by the Human Resources department, based on his or her job description. The computers determine exactly what each user is allowed to do, using those roles. This "role-based authorization" allows even system administrators to be limited in their control of the computers. This is frequently used to stop the otherwise powerful administrators from turning off security or auditing and, thus, providing themselves with unreasonable and undetectable power over their employers.
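The role-based authorization described above, sketched as an added example that is not from the book; the role names, permission names, and users are constructed assumptions. It shows a system administrator role that cannot reconfigure auditing, a rule that keeps the administrator and auditor roles apart, and a log of every decision.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission map; all names here are assumptions.
ROLE_PERMISSIONS = {
    "end_user": {"read_orders"},
    "order_clerk": {"read_orders", "write_orders"},
    "sysadmin": {"read_orders", "manage_accounts", "restart_service"},
    "security_auditor": {"read_audit_log", "configure_audit"},
}

# Sets of roles that one person must never hold together (separation of duties).
CONFLICTING_ROLES = [{"sysadmin", "security_auditor"}]


@dataclass
class AccessControl:
    assignments: dict = field(default_factory=dict)  # user -> set of roles
    audit_log: list = field(default_factory=list)    # record of every decision

    def assign(self, user, role):
        """Called by the role owner (HR in the text); rejects conflicting roles."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        roles = self.assignments.get(user, set()) | {role}
        for conflict in CONFLICTING_ROLES:
            if conflict <= roles:
                raise PermissionError(f"{user}: roles {sorted(conflict)} conflict")
        self.assignments[user] = roles

    def is_allowed(self, user, permission):
        """Default deny: allowed only if an assigned role grants the permission."""
        roles = self.assignments.get(user, set())
        allowed = any(permission in ROLE_PERMISSIONS[r] for r in roles)
        self.audit_log.append((user, permission, "ALLOW" if allowed else "DENY"))
        return allowed


def demo():
    ac = AccessControl()
    ac.assign("alice", "sysadmin")          # constructed users
    ac.assign("bob", "security_auditor")
    results = {
        "admin_restart": ac.is_allowed("alice", "restart_service"),
        "admin_disable_audit": ac.is_allowed("alice", "configure_audit"),
        "auditor_configure": ac.is_allowed("bob", "configure_audit"),
        "unknown_user": ac.is_allowed("mallory", "read_orders"),
    }
    return ac, results


if __name__ == "__main__":
    print(demo()[1])
```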

In the Internet world, availability has also taken on an expanded meaning. One of the most common forms of security problem for Internet applications is the "denial of service" (DoS) attack. This is a focused attempt by a cyberattacker to make a computer system and its data unavailable. This can be done in two ways. First, the attacker may try to damage the target computer or some network component on which the computer depends. Second, the attacker may simply send so many messages to the target computer that it cannot possibly process them all. Other people attempting to use that computer for legitimate purposes find that the computer is too busy to service them.

Nonrepudiation

Security is a large enough task just trying to meet the confidentiality-integrity-availability objectives. Technologies used for those objectives are also used to create business-related functions for NR, which allows the formation of binding contracts without any paper being printed for written signatures. NR is new and not broadly used, but most security experts agree that it will be based on digital signatures, which are described in Chapter 13, "Digital Signatures and Electronic Commerce." The use of security-related technologies and the need for a strongly secured and trusted instrument for creating digital signatures have led to NR becoming a new security objective.

Nonrepudiation Benefits

NR has many valuable goals, including assuring that messages came from the person whom the message claims sent it and that the message has not been altered in transit. One of the beneficial side effects to these mechanisms is the ability to prevent users who send messages from denying that they were sent. This has significant value in many business situations.

For example, in a business-to-consumer (B to C) transaction, consumers place orders. Sometimes, they change their minds and decide they don't want what they ordered and will claim that they never ordered merchandise or that the order was not what they requested. NR mechanisms keep consumers honest and protect businesses in these situations.

Another business that benefits significantly from NR is the online auctioning business, where clients of varying integrity and intent exchange merchandise, using the business as a go-between. In this environment, it is mission critical to have mechanisms that keep everyone honest.

Author: Rev. Porsche Oberbrunner