In many organisations IT projects are designed to meet business objectives or to solve operational problems, with no thought given to security.
The security 'solution' is often bolted on late in development, or even after launch once security risks are identified. Sometimes security is overlooked entirely until something goes wrong.
This approach results in organisations deploying multiple overlapping security solutions across the network architecture, spending large amounts of money on products that are underutilised, and facing the continual burden of updating many different solutions as new threats emerge.
It can also create gaps in coverage, where a solution addresses some threats while others are never identified or mitigated.
In an ideal world, instead of needing a unique security solution for each new IT project, IT teams should be able to reference the organisation's information security architecture and find suitable solutions already within it.
This gives a more holistic approach to security, where security services and solutions are identified from core information security principles and can be deployed strategically across multiple IT projects.
Not only can this reduce IT security spend, it also means IT teams can be confident that exposure to threats is minimised, because every solution adheres to the same core principles.
It is a strategic approach rather than a tactical one.
Core principles in information security
The CIA triad (also known as the AIC triad, to avoid confusion with a certain intelligence agency) is a set of three core principles used to design information security policies in organisations.
These principles help identify problem areas and their security solutions. They are:
Confidentiality
Confidentiality is the principle of keeping sensitive information safe, protecting it from falling into the wrong hands, meaning anyone who does not have permission to access it.
It is about privacy and the safe handling of data.
When developing information security policies, the confidentiality aspect of the triad needs to define and classify which data must be protected, put in place measures to protect it, and manage access levels.
Not all data needs the most stringent protection, so it must be classified according to its sensitivity, with appropriate security and access controls applied to each classification.
Integrity
Integrity refers to protecting information and data from modification or deletion by unauthorised individuals, and also ensuring that changes made by mistake by authorised users can be undone.
In practical terms this could mean that certain users are able to view data but not modify it, or that some information cannot be modified at all.
It also underlines the importance of recovery systems and backups, which allow data to be restored if changes are made inadvertently or are later rescinded.
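To make the confidentiality and integrity controls described above concrete, here is an added Python example; it is not code from the article or from Burning Tree. It models a small in-memory data store that enforces clearance-based read access against classification labels (confidentiality), restricts writes to an editor role, keeps some records immutable, versions every change so it can be rolled back, and re-hashes stored versions to detect tampering (integrity). All names, classification levels, roles and records are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed classification scheme, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str                   # highest level this user may read
    roles: frozenset = frozenset()   # e.g. {"editor"} grants write access


@dataclass
class Record:
    rid: str
    classification: str
    immutable: bool = False
    # Version history as (content, sha256) pairs: lets changes be undone
    # and lets each stored version be re-checked for corruption.
    history: list = field(default_factory=list)


def _digest(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


class DataStore:
    def __init__(self):
        self.records = {}
        self.audit = []   # (principal, action, record, allowed)

    def _log(self, who, action, rid, ok):
        self.audit.append((who.name, action, rid, ok))

    def create(self, rid, classification, content, immutable=False):
        if classification not in LEVELS:
            raise ValueError(f"unknown classification {classification!r}")
        rec = Record(rid, classification, immutable)
        rec.history.append((content, _digest(content)))
        self.records[rid] = rec
        return rec

    # Confidentiality: read only if clearance >= classification ("no read up").
    def read(self, who, rid):
        rec = self.records[rid]
        ok = LEVELS[who.clearance] >= LEVELS[rec.classification]
        self._log(who, "read", rid, ok)
        if not ok:
            raise PermissionError(f"{who.name} lacks clearance for {rid}")
        return rec.history[-1][0]

    # Integrity: only editors with sufficient clearance may change data,
    # immutable records cannot be changed at all, and every change is
    # versioned so it can be undone.
    def write(self, who, rid, content):
        rec = self.records[rid]
        ok = ("editor" in who.roles and not rec.immutable
              and LEVELS[who.clearance] >= LEVELS[rec.classification])
        self._log(who, "write", rid, ok)
        if not ok:
            raise PermissionError(f"{who.name} may not modify {rid}")
        rec.history.append((content, _digest(content)))
        return len(rec.history)

    def rollback(self, who, rid):
        rec = self.records[rid]
        ok = "editor" in who.roles and len(rec.history) > 1
        self._log(who, "rollback", rid, ok)
        if not ok:
            raise PermissionError(f"{who.name} may not roll back {rid}")
        rec.history.pop()
        return rec.history[-1][0]

    def verify(self, rid):
        """Re-hash every stored version; False means tampering or corruption."""
        return all(_digest(c) == h for c, h in self.records[rid].history)


def demo():
    """Constructed scenario; returns each action's outcome ("denied" or value)."""
    store = DataStore()
    analyst = Principal("alice", "internal", frozenset({"editor"}))
    auditor = Principal("bob", "restricted")   # may read everything, edit nothing
    store.create("payroll", "confidential", "salaries v1")
    store.create("notes", "internal", "draft 1")
    store.create("policy", "public", "approved text", immutable=True)

    outcomes = {}
    for label, action in [
        ("alice reads payroll", lambda: store.read(analyst, "payroll")),
        ("bob reads payroll", lambda: store.read(auditor, "payroll")),
        ("bob edits notes", lambda: store.write(auditor, "notes", "x")),
        ("alice edits notes", lambda: store.write(analyst, "notes", "draft 2")),
        ("alice edits policy", lambda: store.write(analyst, "policy", "x")),
        ("alice undoes notes", lambda: store.rollback(analyst, "notes")),
    ]:
        try:
            outcomes[label] = action()
        except PermissionError:
            outcomes[label] = "denied"
    outcomes["notes intact"] = store.verify("notes")
    return outcomes


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The point of the `audit` list and of raising `PermissionError` on every denied action is that the same policy is checked in one place for every record, rather than each project deciding for itself who may read or change what; the classification table and the role set are the only things an individual project needs to supply.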
Availability
Finally, data needs to be readily available to those who need it, for business continuity, while remaining unavailable to unauthorised users.
This means information security measures must not block authorised access to data: systems, authentication tools and access channels must work effectively.
The principle also covers the measures taken to keep those channels working when incidents occur, for example a DDoS attack, a power outage, or other worst-case scenarios.
The CIA triad is a starting point and is not without limitations.
There are a host of other key requirements, including governance, user management, access control and network security, that relate to these core principles.
However, by using these three core principles to build a secure network architecture, the problems of bolting security solutions onto IT projects late in development can be avoided.
Sourced by Peter Boyle, director, Burning Tree