Security in IT infrastructure
What could happen if security is not tightly implemented in IT infrastructure design?
Why should we care?
Confidentiality, integrity, availability, authenticity, and non-repudiation are considered the five pillars of IT security. These five critical properties must be kept in mind when designing a system. Confidentiality is "the protection of information and prevention of unauthorized access or disclosure. The ability to keep data confidential, or secret, is critical to staying competitive in today's business environments. Loss of confidentiality jeopardizes system and corporate integrity" (Introduction, 2011, IBM). Unauthorized users, hackers, and malware can all pose a threat to confidentiality. A system's vulnerability to these threats must be tested, or corporate and personal data can be misused. On a personal level, most users regularly enter bank, credit card and social security information into online forms, and businesses hold a treasure trove of such data in HR databases. Unprotected sources of such information are an identity thief's dream. Employees expect that a company will keep their data private, and companies, out of self-interest, wish to safeguard the trade secrets and other information from which they make their profits.
A system has integrity if its data and software cannot be modified without authorization, whether intentionally or accidentally, or if any such modification is at least detected. Not all breaches are intentional. Workers may unintentionally open malicious email or download dangerous files on their work or home computers that are then passed on to other users. Aggressive filtering of spam and phishing email, together with clear guidelines that make it difficult for users to bypass internal controls, enhances system integrity.
Availability ensures that the system is functional enough that legitimate users are not frustrated in their attempts to access it, and balancing availability against the other pillars is a frequent challenge. Users may complain that a system demands passwords that are 'hard to remember' or that they are blocked from visiting 'fun websites' during their downtime that may pose risks to the system. Although these may not be sympathetic complaints, a system must be accessible enough not to compromise its intended purpose, without being equally available to hackers and malware.
A system possesses authenticity when the information retrieved is what the user expects, and when the user is correctly identified and cannot conceal his or her identity. Methods to ensure authenticity include user names and strong passwords, and also digital certificates and keys that must be used to access the system and to prove that users 'are who they say they are.' Some highly secure workplaces may even use biometric identifiers such as fingerprint readers (Introduction, 2011, IBM).
Accountability means that the source of an action or a piece of information is not anonymous and can be traced. A user should not be able to forge his or her network address or email address, given the requirements of the system. "Non-repudiation is a property achieved through cryptographic methods which prevents an individual or entity from denying having performed a particular action related to data... Through the use of security-related mechanisms, producers and consumers of data can be assured that the data remains trustworthy across untrusted networks such as the internet, and even internal intranets" (Introduction, 2011, IBM). Accountability ensures that there is an audit 'trail' of the actions performed by each user, and non-repudiation, typically through digital signatures, ensures that the user cannot later deny the actions recorded in that trail. If there is a breach of security, the breach can then be investigated by retracing the steps of the user.
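The difference between integrity (the data was not altered), authenticity (the data came from who it claims to come from) and non-repudiation (the sender cannot deny having produced it) is easiest to see in code. The following Go program is an added example written for this page; it is not part of the original paper or of the IBM source it cites. It contrasts a shared-key HMAC, which proves integrity but can be produced by either party holding the key, with an Ed25519 digital signature, which only the private-key holder can produce. The transaction records, the key material and all function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample messages: an instruction a user submits and a tampered
// copy of it. They are illustrative and not taken from the paper.
const (
	originalRecord = "transfer 250.00 from acct-1234 to acct-9876"
	tamperedRecord = "transfer 2500.00 from acct-1234 to acct-9876"
)

// ComputeMAC returns an HMAC-SHA256 tag over msg under a key shared by sender
// and receiver. A correct tag proves the message was not altered in transit
// (integrity), but because both parties hold the key, either of them could
// have produced it: a MAC on its own gives no non-repudiation.
func ComputeMAC(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// VerifyMAC recomputes the tag and compares it in constant time, so the
// comparison does not leak how many leading bytes matched.
func VerifyMAC(key []byte, msg string, tag []byte) bool {
	return hmac.Equal(ComputeMAC(key, msg), tag)
}

// Sign produces an Ed25519 signature with the sender's private key. Only the
// private-key holder can create it, while anyone with the public key can
// verify it, so the signer cannot later deny having signed the message.
func Sign(priv ed25519.PrivateKey, msg string) []byte {
	return ed25519.Sign(priv, []byte(msg))
}

// Verify checks sig against msg under the sender's public key.
func Verify(pub ed25519.PublicKey, msg string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(msg), sig)
}

// DemoResult records the outcome of each check performed by RunDemo.
type DemoResult struct {
	MACValid           bool // untampered record passes the MAC check
	MACDetectsTamper   bool // altered record fails the MAC check
	ReceiverCanForge   bool // receiver, holding the shared key, can mint a valid MAC
	SigValid           bool // untampered record passes signature verification
	SigDetectsTamper   bool // altered record fails signature verification
	SigRejectsOtherKey bool // a signature made with another key pair is rejected
}

// RunDemo exercises both mechanisms on the constructed records.
func RunDemo() (DemoResult, error) {
	var r DemoResult

	// Integrity via a shared-key MAC.
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		return r, err
	}
	tag := ComputeMAC(sharedKey, originalRecord)
	r.MACValid = VerifyMAC(sharedKey, originalRecord, tag)
	r.MACDetectsTamper = !VerifyMAC(sharedKey, tamperedRecord, tag)
	// The receiver holds the same key, so it can produce a tag that passes
	// verification for a record the sender never sent.
	forgedTag := ComputeMAC(sharedKey, tamperedRecord)
	r.ReceiverCanForge = VerifyMAC(sharedKey, tamperedRecord, forgedTag)

	// Authenticity and non-repudiation via a digital signature.
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	sig := Sign(senderPriv, originalRecord)
	r.SigValid = Verify(senderPub, originalRecord, sig)
	r.SigDetectsTamper = !Verify(senderPub, tamperedRecord, sig)
	// Without the sender's private key, nobody else can produce a signature
	// that verifies under the sender's public key.
	r.SigRejectsOtherKey = !Verify(senderPub, originalRecord, Sign(otherPriv, originalRecord))
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

In practice the signed record would also carry a timestamp or sequence number and be written to an append-only audit log, so that the 'trail' the paper describes links each action to a signature the actor cannot disown.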