CIA of Security

A few recent blog posts, including my own, have attempted to address the encryption conundrum.  My original post talked about how you probably do not necessarily need encryption everywhere (including internal LAN); but have the ability to apply encryption anywhere there’s a potential risk/threat when sensitive data is being transmitted.  Granular access control all within the context.  Today Lori MacVittie posted an interesting article talking about some of the challenges of deploying encryption on the internal LAN as a follow up to a Network World article discussing encrypting all internal PCI traffic.

Encryption, however, is only one part of Information Security.  The hallmarks of Information Security are Confidentiality, Integrity and Authenticity (some also say Availability).  Encryption falls into the Confidentiality category – making sure that the information being transmitted stays private.  Integrity means that the message itself hasn’t been altered in any way during the communication.  Things like hashes and message digest ensure the communication stays intact.  And Authenticity &/or Availability.   Authenticity is the verification process that ensures all participants ‘are who they say they are’ and the guarantee that all parties are real.  Authenticity is usually achieved with the use of digital certificates.  Availability of the data, sort of speaks for itself  :-)

There are many opinions & challenges when considering end-to-end encryption & I wasn’t necessarily commenting on the blogs mentioned but they did get me thinking about the basic pillars of Information Security.

ps

Related articles:

• Credit Card Processors Launch A New Strategy To Defeat Theft


• Security breach cost Heartland $12.6 million so far


• Beware Using Internal Encryption as an IT Security Blanket


• PCI Standard or Not, Encrypting Internal PCI Network Traffic is a Good Thing