Costas Nicou Back Office

Fundamentals of Security

Information Security

Information Security is the act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure and corruption and destruction.

Information Systems Security

The act of protecting the systems that hold and process critical data.

The CIANA Triad (Confidentiality, Integrity, Availability, Non-repudiation, Authentication)

Confidentiality ensures that information is only accessible to those with the appropriate authorization; for example, if you encrypt files so that only the people who are able to decrypt them can read them, that is confidentiality. Integrity ensures that data remains accurate and unaltered unless modification is required. Availability ensures that information and resources are accessible and functional when needed by authorized users. A good example of availability is a website that implements redundancy measures to ensure it remains online and up regardless of the traffic it is receiving. Non-repudiation is the guarantee that a specific action or event has taken place and cannot be denied by the parties involved.

AAA of Security (Authentication, Authorization, Accounting)

Authentication is the process of verifying the identity of a user or system. Authorization defines what actions or resources a user can access; for example, a user accessing a database may be authorized to view records but not authorized to edit them. Accounting is the act of tracking user activities and resource usage, typically for audit or billing purposes.
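The database example above, worked through as an added illustration that is not part of the original notes: the user store, permissions and audit log are constructed sample data, and the function names are invented for this example. Authentication checks the password, authorization is an explicit allow-list (anything not listed is denied, the default-deny stance Zero Trust builds on), and accounting records every attempt, allowed or not.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample user store: username -> (salt, sha256(salt + password)).
def _hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {
    "alice": ("s4lt-a", _hash_password("s4lt-a", "correct horse")),
}

# Authorization: explicit allow-list of actions per user. Any action not
# listed is denied (default deny). alice may view records but not edit them.
PERMISSIONS = {
    "alice": {"records:view"},
}
AUDIT_LOG: list[dict] = []  # Accounting: one entry per attempted action.

def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the claimed identity against the stored hash."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    # compare_digest avoids leaking a timing difference between mismatches.
    return hmac.compare_digest(_hash_password(salt, password), stored)

def authorize(username: str, action: str) -> bool:
    """Authorization: is this verified identity permitted to do this action?"""
    return action in PERMISSIONS.get(username, set())

def account(username: str, action: str, allowed: bool) -> None:
    """Accounting: record who attempted what and whether it was allowed."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "action": action,
        "allowed": allowed,
    })

def request(username: str, password: str, action: str) -> bool:
    """Full AAA flow: authenticate, then authorize, and always account."""
    if not authenticate(username, password):
        account(username, action, False)  # failed logins are logged too
        return False
    allowed = authorize(username, action)
    account(username, action, allowed)
    return allowed
```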

Security Controls

Measures or mechanisms put in place to mitigate risks and protect the confidentiality, integrity and availability of information systems and data. Security controls can be grouped into categories: technical, managerial, operational and physical. There are also types of security controls: preventative, deterrent, detective, corrective, compensating and directive.

Zero Trust

A security model that operates on the principle that no one, whether inside or outside the organization, should be trusted by default. To achieve zero trust we have to use a control plane and a data plane. The control plane consists of adaptive identity, threat scope reduction, policy-driven access control and secured zones. The data plane focuses on the subject/system, the policy engine, the policy administrator, and establishing policy enforcement points.