Information Security Concepts

Understanding information security concepts not only enables efficient communication within organizations but also promotes understanding among different groups. Moreover, these information security concepts improve system design by highlighting areas of consideration.

Authentication

Authentication, a fundamental information security concept, verifies that a person or application is who or what it claims to be. It employs one or more of three primary methods, or factors: what you know, what you are, and what you have.

“What you know” encompasses passwords, personal identification numbers (PINs), passphrases, and other secrets. However, this type of authentication is not strong on its own and is typically paired with another authentication factor.

“What you are” involves biometric authentication methods, such as retinal scans, fingerprints, voice or signature recognition, and so on. A drawback of these factors is that they are difficult to change if compromised.

“What you have” entails objects or applications running on objects that you physically possess. Traditionally, this involved keys, but modern forms may also include USB tokens, smart cards, and one-time password applications on devices. This factor requires possession of the object at the time of use and may be hindered by intentional or unintentional loss of, or damage to, the object.

Multi-Factor Authentication uses authentication techniques from more than one factor. For example, it combines a password with a one-time password application, or a facial scan with a PIN. As a result, this approach helps mitigate weaknesses in the use of each factor. Nevertheless, using two techniques from the same factor, such as two passwords or two physical keys, is not considered multi-factor.
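As an added example (not code from the original page), the following Python classifies authentication techniques by factor and applies the rule stated above: a combination counts as multi-factor only when it spans two or more distinct factors, so two passwords or two physical keys do not qualify. The technique-to-factor table is constructed for illustration.

```python
"""Added example: decide whether a set of authentication techniques is truly
multi-factor, i.e. covers more than one of the three factors."""
from enum import Enum


class Factor(Enum):
    KNOW = "what you know"
    ARE = "what you are"
    HAVE = "what you have"


# Constructed mapping of common techniques to the factor each belongs to.
TECHNIQUE_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "passphrase": Factor.KNOW,
    "fingerprint": Factor.ARE,
    "face_scan": Factor.ARE,
    "retina_scan": Factor.ARE,
    "voice": Factor.ARE,
    "physical_key": Factor.HAVE,
    "usb_token": Factor.HAVE,
    "smart_card": Factor.HAVE,
    "totp_app": Factor.HAVE,
}


def factors_used(techniques):
    """Return the set of distinct factors the given techniques cover.
    An unknown technique raises KeyError rather than being silently counted."""
    return {TECHNIQUE_FACTOR[t] for t in techniques}


def is_multi_factor(techniques):
    """True only if at least two distinct factors are represented.
    Two techniques from the same factor (password + PIN) are single-factor."""
    return len(factors_used(techniques)) >= 2


def missing_factors(techniques):
    """Factors not yet represented, useful when designing an MFA policy."""
    return set(Factor) - factors_used(techniques)


if __name__ == "__main__":
    for combo in (["password", "totp_app"], ["password", "pin"], ["face_scan", "pin"]):
        print(combo, "multi-factor" if is_multi_factor(combo) else "single-factor")
```

The check deliberately counts factors, not techniques: a login that asks for a password and then a PIN has prompted twice but still rests entirely on "what you know".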

Authorization

Authorization, another crucial information security concept, determines whether a user or application has the right to conduct particular activities in a system. It relies on authentication to prove the identification of the user or application.

Availability

Availability ensures that authorized parties can access data when needed.

CIA Triad

The CIA Triad abbreviates the core tenets of information security: confidentiality, integrity, and availability.

Compensating Control

Organizations implement compensating controls as alternate solutions to requirements that are not workable in their original form. Taken together, the compensating controls must meet the intent and requirements of the original security control.

Confidentiality

Confidentiality protects data from unauthorized access.

Data Breach

A data breach occurs when an unauthorized party accesses, copies, transmits, views, or steals data. This term does not indicate intent; thus, other terms such as “data leak” and “information leakage” help convey whether a data breach was intentional or not.

Defense-in-Depth

According to the US National Institute of Standards and Technology, defense-in-depth applies multiple countermeasures in a layered or stepwise manner to achieve security objectives. In practice, this means layering heterogeneous security technologies along common attack vectors so that attacks missed by one technology are caught by another.

Identification

Identification uniquely proves who a user of a system or application is; it is the basis for enforcing access control and establishing accountability.

Incident

An incident involves the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. Notably, this is not limited to people, nor does it indicate intent; natural phenomena, disasters, and animals can also cause incidents.

Integrity

Integrity protects data against unauthorized modification.

Lateral Movement

Lateral movement describes the techniques attackers use after breaching an endpoint or system to “pivot” and extend access to other systems and applications in their target organization. Each hop moves the attacker closer to their goals, such as accessing, changing, exfiltrating, or destroying sensitive information.

Least Privilege

Least privilege assigns only the minimum access rights necessary for staff or systems to perform their authorized tasks, for the minimum duration required.
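The following added example (not code from the original page) ties the Authorization and Least Privilege entries together: an authorization check that refuses any principal the authentication step has not verified, and that allows an action only under an exact, time-limited grant for one permission on one resource. The `Principal`, `Grant` and `Policy` names and the permission strings are constructed for illustration.

```python
"""Added example: authorization that depends on prior authentication and
enforces least privilege through narrow, time-bounded grants."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool  # set by the authentication step, never by the caller


@dataclass
class Grant:
    permission: str        # one specific action, e.g. "backup:read"
    resource: str          # one specific object, e.g. "db/customers"
    expires_at: datetime   # least privilege in time: access ends when the task should


@dataclass
class Policy:
    grants: dict = field(default_factory=dict)  # principal name -> list of Grant

    def grant(self, principal_name, permission, resource, duration, start=None):
        """Issue a grant that lasts only for `duration` from `start` (default now)."""
        start = start or datetime.now(timezone.utc)
        g = Grant(permission, resource, start + duration)
        self.grants.setdefault(principal_name, []).append(g)
        return g

    def is_authorized(self, principal, permission, resource, now=None):
        """Authorization relies on authentication: an unauthenticated principal
        is denied before any grant is consulted. Otherwise the action is allowed
        only if an unexpired grant matches both the permission and the resource."""
        if not principal.authenticated:
            return False
        now = now or datetime.now(timezone.utc)
        return any(
            g.permission == permission and g.resource == resource and now < g.expires_at
            for g in self.grants.get(principal.name, [])
        )


if __name__ == "__main__":
    policy = Policy()
    policy.grant("alice", "backup:read", "db/customers", timedelta(hours=1))
    alice = Principal("alice", authenticated=True)
    print(policy.is_authorized(alice, "backup:read", "db/customers"))   # True
    print(policy.is_authorized(alice, "backup:write", "db/customers"))  # False
```

Note that a grant names both a permission and a resource: read access to one database does not imply read access to another, and nothing is granted permanently.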

Non-repudiation

Non-repudiation associates messages, actions, and/or authentications with an individual in a way that the individual cannot deny.

Recovery Point Objective (RPO)

The Recovery Point Objective defines the largest amount of data that is acceptable to lose after recovering from an incident. Organizations measure this in time, e.g., “one hour of customer data.”

Recovery Time Objective (RTO)

The Recovery Time Objective specifies the largest amount of time that is acceptable for data to be unavailable due to an incident.
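As an added example (not from the original page), this Python measures the two quantities the RPO and RTO entries define for a given incident: the data-loss window is the time from the last backup completed before the incident, and the outage is the time until service is restored; each is then compared to its objective. The backup schedule and incident timestamps are constructed for illustration.

```python
"""Added example: compare an incident's actual data loss and downtime against
the Recovery Point Objective (RPO) and Recovery Time Objective (RTO)."""
from datetime import datetime, timedelta, timezone


def data_loss_window(backup_times, incident_time):
    """Time between the incident and the last backup completed before it.
    Backups completed after the incident cannot contain the lost data, so
    they are ignored. Returns None when no usable backup exists."""
    prior = [b for b in backup_times if b <= incident_time]
    if not prior:
        return None
    return incident_time - max(prior)


def outage_duration(incident_time, restored_time):
    """Time the data was unavailable because of the incident."""
    return restored_time - incident_time


def evaluate(backup_times, incident_time, restored_time, rpo, rto):
    """Return the measured loss and outage and whether each objective was met."""
    loss = data_loss_window(backup_times, incident_time)
    outage = outage_duration(incident_time, restored_time)
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "outage": outage,
        "rto_met": outage <= rto,
    }


# Constructed sample: hourly backups, a failure at 14:35, service restored at 16:05.
BACKUPS = [datetime(2024, 3, 1, h, 0, tzinfo=timezone.utc) for h in range(24)]
INCIDENT = datetime(2024, 3, 1, 14, 35, tzinfo=timezone.utc)
RESTORED = datetime(2024, 3, 1, 16, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate(BACKUPS, INCIDENT, RESTORED, rpo=timedelta(hours=1), rto=timedelta(hours=2)))
```

With hourly backups the worst-case loss is just under an hour, so a one-hour RPO is met only if every backup actually completes on schedule; the function reports the real window from the backups that exist rather than the nominal schedule.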

Security Control

A security control is a safeguard or countermeasure designed to protect the confidentiality, integrity, and availability of data.

Separation of Duties

Separation of duties divides critical functions among different staff to help ensure that no individual has enough information or access to conduct fraud.

Vulnerability

A vulnerability is a weakness in an information security system, system security procedures, security controls, or implementations that a threat actor could exploit.

These information security concepts form the foundation of a robust cybersecurity strategy. By understanding and implementing these concepts, organizations can better protect their digital assets and maintain the trust of their stakeholders.

More Information

For more VMware vSphere and VMware Cloud Foundation security & ransomware resources please visit:
