fees and in some cases the noncompliant entities even risk severance of their activity with the payment brands. For some entities like credit card processors and merchants, noncompliance with the PCI-DSS results in their inability to do any business. As we can see, legislation and compliance are serious motivators.
2.2 Some Basic Security Concepts
2.2.1 The Pillars of Security—The CIA Triad
We have discussed the importance of information security and its growing need in today's world. We have also explored the motivation for building a strong information security practice, but before we proceed further, we need to gain an understanding of some basic but important security concepts. These concepts form a basis for our understanding of more detailed and complex information security concepts and implementations. These concepts are seemingly simple, but one would be surprised at the miscomprehension and misinterpretation of these basics resulting in disastrous security implementations and weak security programs. The CIA Triad is one of the basic and important aspects of information security. The CIA Triad has nothing to do with covert American intelligence data but rather is the confidentiality, integrity, and availability triad. These are the three pillars of information security. Let us explore each of these briefly.
2.2.1.1 Confidentiality
The International Organization for Standardization (ISO) defines confidentiality as ensuring that information is accessible only to those authorized to have access. It is a term that is usually used to express secrecy over a particular subject. Confidentiality is the property that emphasizes the need to maintain secrecy over data at rest (when data is stored), data being processed, or data being transmitted. It is paramount for a military organization to ensure secrecy over military and defense data. If the data regarding a secret military base were disclosed and this information were used by a terrorist organization, then the consequences of a breach of confidentiality would be catastrophic. The need for confidentiality was exemplified recently, when a document containing confidential information about U.S. nuclear sites was accidentally posted on the Internet.* The document contained information on the locations of stockpiles of fuel for nuclear weapons. This is a typical example of an inadvertent blunder, which can lead to dire consequences. Any action causing unauthorized disclosure of such information is considered to be a breach of security.
A strong information security practice must emphasize the need to maintain secrecy over sensitive information. Confidentiality includes ensuring that unauthorized users cannot gain access to the system containing sensitive information. Encryption is a popular technique to maintain confidentiality of information. Encryption is the practice of rendering data unreadable by passing it through an encryption algorithm together with a key. An authorized individual uses the key to decrypt the data and view it in its original form. We will discuss more on this matter when we discuss data protection techniques for Web applications.
* http://www.guardian.co.uk/environment/2009/jun/03/us-nuclear-obama