The holy trinity of information security is CIA. The principles of confidentiality, integrity, and availability are de rigueur for most descriptions of the info sec field. Every student learns to recite the trinity in their sleep, often with the addition of authentication and non-repudiation. These concepts are valuable and useful, but they are a bit abstract and academic. Whenever they are trotted out in a meeting, eyes begin to glaze.
I've found that unauthorized access essentially means the same thing, is more intelligible to most of us, and is more in line with what most people seem to expect from information security. Let's face it, to most people availability covers much more than business continuity planning (think redundancy, load balancing, scalability, bandwidth management, fault tolerance, etc.), and it is a rare infosec department that is called in to help with database design to maximize throughput.
For a useful, practical definition of information security, I like prevent and detect unauthorized access. It covers the key areas and is fairly intuitive to non-info sec specialists. It also has, I think, surprisingly deep implications.
I use access in the "read, write, execute" sense. This covers confidentiality, integrity, and things like compromised machines and escalated privileges that don't always have direct confidentiality and integrity ramifications. The concept of authorization cuts directly to the issue of permissions and approvals which lie at the heart of information security. What are your users allowed to do?
Information security should work closely with the business to specify what is and what is not authorized. Unfortunately, this key business benefit (technically called a security model) is often underemphasized in favor of flashier infrastructure and technology. I don't blame information security departments for this failure--at least not entirely.
Specifying and maintaining a security model is hard work. It can easily uncover weaknesses and segregation of duty issues in business processes. It requires that a lot of hand waving and ambiguity be clarified, and the fear is that the flexibility needed to get business done will evaporate into rigid policies.
These are fair concerns. It is information security's responsibility to provide the expertise that will produce security models that don't block the business. At the same time, the business needs to recognize that effective security requires knowing what is and what is not allowed. Some flexibility will need to be sacrificed.
The prevention and detection of unauthorized access is ultimately what most businesses want their information security teams to deliver. To accomplish this, the business needs to be a full partner in defining what is authorized and what is unauthorized. The information security team can then work with IT to keep as much flexibility as possible while carrying out their mandate.
Comments