Information security relies on four major components: Confidentiality, Integrity, Availability and Non-repudiation. The last one is least known of the components. We shall expound on each one of them and how they are being anchored.
Confidentiality
Confidentiality is the assurance that the information is accessible only to authorized persons or systems and can be equated to privacy. It essentially prevents information from reaching unintended people. Confidentiality breach may occur due to improper handling of data or through malicious access. Controls used to guard confidentiality include; encrypting data during file transfers over networks (Secure File Transfer Protocols-SFTP), using solutions designed to prevent the unauthorized transmission of sensitive data outside the organization’s network (Data Loss Prevention-DLP), converting plaintext data into ciphertext using algorithms and keys that only authorized parties with access to the decryption keys can decipher the ciphertext and access the original data (Data encryption), control mechanisms, such as user authentication, authorization and role-based access (Access Controls), proper disposal of data storage devices and tools among others.
Integrity
Integrity is the trustworthiness of data or resources and assurance that the information is accurate for its purpose. This ensures that the data is accurate, authentic and protected from unauthorized modification either maliciously or accidental user modification. Some measures being undertaken to preserve data integrity include scrambling your data using a secret key therefore making it unreadable to anyone who doesn’t have the key (Encryption), creating a unique mathematical fingerprint of your data that any changes made to the data will result in a different hash, allowing you to detect tampering (hashing), providing features such as constraints, triggers and referential integrity rules to enforce data integrity at the database level ensuring that only valid data is stored (Database Integrity Constraints), access controls and Intrusion Detection and Prevention Systems (IDPS) among others
Availability
Availability is the guarantee that the systems responsible for transmission, storage and processing of information are accessible when required by authorized and intended users. This minimizes disruptions in the event of a disaster or when the data or transmission channels are compromised. Measures taken to maintain data availability can include; storing data across multiple disks, providing fault tolerance and increased availability (Redundant Array of Independent Disks-RAID), distributing incoming network traffic across multiple servers thus ensuring no single server is overwhelmed (Load Balancers), ensuring data availability in the event of data loss or system failures (Backup, Disaster Recovery Solutions and Replication) and copying data to multiple locations or servers and making sure that in the event one copy of the data becomes unavailable, another copy can be used to maintain data availability (Redundancy).
Non-Repudiation
Non-repudiation is a surety that the sender of a message cannot deny having sent the message or data (to some extent, the receiver cannot deny having received the message). Non-repudiation focuses on proving who sent a message or created a document (origin of data), the data hasn’t been altered since it was created (integrity of the data) and the message or data reached the recipient. Common tools for non-repudiation include; deploying electronic fingerprints that prove who signed something and the data hasn’t been changed (Digital signatures), verifying the exact time data was created or signed (Secure timestamps), documenting the movement and handling of assets from one party to another ensuring accountability and preventing parties from denying their involvement (Chain of Custody), recording details to show what actions were taken on the data and by whom (Audit logs and trails) and using systems that provide digital certificates for secure communication that can be used to verify the identity of parties involved in a transaction (Public Key Infrastructure-PKI).
These foundations work as one, creating an interconnected robust information security posture.