1.3 Protecting the Foundation

  • Balance business continuity vs security
  • Controls

Balance

In reality, when information security is dealt with, it is commonly only through the lens of keeping secrets secret (confidentiality). The integrity and availability threats can be overlooked and only dealt with after they are properly compromised. Some assets have a critical confidentiality requirement (company trade secrets), some have critical integrity requirements (financial transaction values), and some have critical availability requirements (e-commerce web servers).

Controls

The implementation of controls are necessary to provide protection to the fundamentals of security. The following is a short list of some of these controls that protect our CIA.

Confidentiality:

  • Encryption for data at rest (whole disk, database encryption)
  • Encryption for data in transit (IPSec, TLS, PPTP, SSH, described in Chapter 4)
  • Access control (physical and technical)

Integrity:

  • Hashing (data integrity)
  • Configuration management (system integrity)
  • Change control (process integrity)
  • Access control (physical and technical)
  • Software digital signing

Availability:

  • Redundant array of independent disks (RAID)
  • Clustering
  • Load balancing
  • Redundant data and power lines
  • Software and data backups
  • Disk shadowing
  • Co-location and offsite facilities
  • Rollback functions
  • Failover configurations