_edited.png)
Fundamental principles of information security, what exactly do they mean?
When we talk about information security (or cybersecurity), the terms "confidentiality", "availability" and "integrity" are recurrent. But what exactly do they mean?
These three terms are the three key principles of information security.
Let's see in detail what these three principles of information security correspond to, and let's also see the actions that can be put in place by companies, organisations but also individuals to ensure the confidentiality, integrity and availability of their data.
Data confidentiality
The word "confidential" is defined as "the character of information that is confidential, secret". In information security, the term "confidentiality" means that information or data is only accessible by authorised persons. The more sensitive the data, the more sensitive the information, the more restricted the list of persons authorised to access it must be.
An attacker seeking to breach the confidentiality of a company's data would then seek to intercept communications, confidential, private information or information about individuals. They would seek to access the organisation's internal records and information, such as information about employees, customers, contract signatures, etc.
Most of the data processed by organisations today is digitised. And with technology, all this data can easily be hacked and thus be subject to illegal and/or malicious use.
So-called "sensitive data" requires additional precautions and security measures.
Examples of data that are considered sensitive are:
National insurance numbers;
Health information;
Ethnic information, religious or philosophical beliefs;
Political opinions;
Biometric data used to identify an individual;
Genetic data;
Sexual orientation data;
Etc.
Data privacy is essential to protect personal data from malicious use. It should be noted that personal data is worth its weight in gold on the black market. It is sold at a high price because it allows for more targeted, more personalised and therefore more successful attacks. The more precise, numerous and detailed this data is, the more money it is worth. Thus, an attacker with access to too much information and personal details about an individual could then, in the most serious cases, be able to impersonate that person.
Data integrity
The Larousse defines the term "integrity" as "a state of something that has retained its qualities, its original state, without alteration". In computing, ensuring data integrity means ensuring that the data has not undergone any unauthorised modification whatsoever during communication or storage. It means that they are exactly the same as when they were created.
Thus, when data integrity is ensured, the information processed is complete, reliable and correct, regardless of how long it is stored or how often it is accessed.
There are two types of data integrity:
Physical integrity: this refers to the accuracy of the data during storage and/or retrieval. The data are complete and unaltered.
Logical integrity: the data remain unchanged, they retain their accuracy during their various uses. The data has not been modified or altered and is accurate.
Data availability
In IT, the purpose of availability is to guarantee access to an application, a system or data. The consequences of a loss of availability are not at all the same depending on the nature of the activities of the organisation affected.
For example, we have recently seen cases of cyber attacks (and particularly ransomware) affecting hospitals. For many of these organisations, the loss of availability was a major consequence, as many were no longer able to access patient records and the information contained within them, which is essential to continue providing effective care.
Ransomware has the particularity of undermining the availability of data or an information system in exchange for a ransom.
How to ensure the confidentiality, integrity and availability of its data?
Whether we are an individual or a professional, we sometimes need to put certain things in place to ensure the confidentiality, integrity and availability of our data.
A- When you are an individual
Even as an individual, you may need to ensure the availability, integrity or confidentiality of your data. And although the issues are not quite the same as for a business.
It may be a question of protecting one's digital identity, backing up family and holiday photos online, professional, personal, school and/or academic documents, retrieving previously backed up items, etc.
In terms of data availability, the rules to follow as an individual can be:
Make an inventory of the data you want to ensure availability;
Choose a backup medium (Cloud or physical);
Choose a backup frequency and backup your data regularly.
In terms of data confidentiality, the stakes for individuals are much higher. The idea is to protect personal data against possible malicious, fraudulent or criminal use. And when you are a private individual browsing online, you are the one who is responsible for ensuring the confidentiality of your personal data!
The main security rule for keeping personal data private is not to enter personal information anywhere, and to control the amount of information shared. For example:
Where you can, do not provide all the information requested. Where fill-in fields are optional and you have the option of not filling them all in, leave them blank. For example, if you have the option of filling in only one of two contacts (email or telephone), fill in only one. In this way, you ensure that if the database recording this information is hacked, the attackers will have access to partial data about you.
Be careful about the sites or applications where you enter your personal information. If the site doesn't seem trustworthy, if the online reviews are not good, or if the site promises you great deals on luxury products, beware! Many fraudulent sites are built from the ground up to steal your personal information. Unfortunately, you can only recognise them by being vigilant. To recognise a fraudulent or suspicious site: find out about it online via a Google search (don't hesitate to carry out targeted searches such as "company name + scam" to bring up any online complaints from users), consult the legal notices and terms and conditions available on the site (they must be, it's the law, if they are not, it's a bad sign) and above all, trust your instinct. If the site seems suspicious to you, you are probably right.
Feel free to exercise your rights to privacy. You have the right to request access, modification or deletion of your personal data from any organisation with which you have shared this information. There is no time limit or justification for doing so: you simply need to contact the company in question and make the request. Of course, if this personal data is necessary for the performance of a contract, this data could not be deleted (for example, you cannot ask your energy supplier to delete your postal address, which they need to deliver their service to you). But by exercising your Data Protection Rights, you have the opportunity to 1) be removed from any database that is being solicited too regularly, or 2) control the amount of personal information about you that is processed and stored by the organisations with which you interact or have interacted.
Also, be aware of the amount of information you are asked for depending on the site or application. For example, you want to download a white paper online, and the form asks you for information such as a postal address, phone number or date of birth. That's a lot of personal information for a white paper, for which a simple email address (and why not a first name) should be requested. Second example: you download a photo editing application on your phone, and it asks you for access to your contacts, your email applications or your location data. This should immediately raise a red flag.
Limit the information you share with and on social networks. When you create an account on social networks, you are asked for a lot of personal information. Do not fill in all the fields. First of all, this will limit the risks in case your account is hacked (and social network accounts are a privileged target for attackers who know these platforms are greedy for personal data). The attacker would then have access to partial information about you. But this also limits the risk in case of visits by malicious users to your online profiles: they too would only have partial information about you.
And this list is not exhaustive. As an Internet user, you are therefore also responsible for ensuring the confidentiality of your personal data when you surf online or use digital services or applications.
B- When you are a professional
When you are an organisation, ensuring the integrity, confidentiality and availability of your data essentially mostly involves thinking about an ISSP (i.e. Information Systems Security Policy) which defines in detail the security rules applied by the organisation.
It is this document that defines :
How data is stored and how this storage is secured (availability and confidentiality of data);
How data exchanges are secured (confidentiality and integrity of data);
How access to data is regulated, controlled and secured against unauthorised access (data confidentiality);
The encryption techniques used when collecting, storing or exchanging data (data confidentiality);
The backup policy in place in the company (data availability);
How data modifications and deletions are tracked (data integrity);
How the IT tools have been secured against unauthorised access or intrusion (data confidentiality);
Etc.
This stage therefore requires the intervention of a cybersecurity expert to ensure that all potential threats and breaches to data confidentiality, integrity and availability are effectively taken into account. An expert profile will also be able to carry out a mapping of your data in order to propose the appropriate security measures.
Data breaches
A "data breach" means that the data in question has lost integrity (it has been altered, modified or is partially missing), confidentiality (it has been accessed by an unauthorised third party) and/or availability (it is inaccessible).
These fundamental principles of information security, known as D.I.C., are therefore used to assess whether an information system is properly secured. Although they are not imposed, they are strongly recommended, and indeed, without the strict application of these principles, it is impossible to know whether a data item has been corrupted.
When we talk about information security, cybersecurity, the words "integrity", "confidentiality" and "availability" are recurrent. But what exactly do they mean?
Let's start with "integrity". The Larousse defines it as a "State of something that has all its parts, that has not undergone any diminution, any subtraction", or again a "State of something that has retained without alteration its qualities, its original state". In computing, ensuring data integrity means ensuring that the data has not been altered in any way during communication. That it is exactly the same as when it was created. In order to guarantee this integrity, hash functions such as SHA 256, which allow the calculation of a data's fingerprint, can be used for example.
The word "confidentiality" is defined as "the character of information that is confidential; secret". In computer science, confidentiality aims to ensure that information or data is only accessible by authorised persons. The more sensitive a piece of data or information is, the more restricted the list of persons authorised to access it must be. In order to guarantee confidentiality, cryptographic solutions such as encryption can be put in place.
Finally, the word "availability" is defined as "the state of something being available".
In IT, availability is intended to guarantee access to an application, system, data, etc. Availability will not be of the same importance depending on its nature. Indeed, the repercussions will not be the same if an interruption occurs for an e-commerce site which has a strong need for availability for the continuity of its business, as for the IT department of a company, if it is interrupted on a weekend.
To help ensure this availability, firewalls (e.g. Stormshield), anti-virus, load balancers, etc., can be installed/implemented.
These three criteria for information sensitivity can be complemented by two others: traceability, and non-repudiation.
Traceability is the possibility of identifying the origin and reconstructing the path of a product at the various stages of its production, processing and marketing.
In IT, traceability makes it possible to follow the life cycle of a requirement from beginning to end (from its origins, through its development, its specifications, its deployment and finally, its use). It is the feature that keeps track of the state and movement of information. It is through this that we can ensure that the other three criteria have been met.
Some solutions and protocols have been developed to help maintain these traceability links: syslog, SNMPv3, Windows Event, etc.
Finally, for non-repudiation, we need to look at the definition of "repudiation", which Larousse defines as "an action of rejecting what one has admitted". Non-repudiation is therefore simply the opposite!
In computer science, non-repudiation is the act of ensuring that the sender or recipient of a message cannot deny having sent or received it.
For example, electronic signatures can be used, as well as key systems (asymmetric and symmetric).
These fundamental principles of information security, known as D.I.C., are therefore used to assess whether an information system is properly secured. They are by no means imposed, but they are indeed recommended: indeed, without the strict application of these principles, it is impossible to know whether the data has been corrupted.
If you are in any doubt about the practices and about what to do, do not hesitate to ask for help and/or support!
The CNIL also offers a toolbox to help you comply.
Related blog post:
Did you enjoy this blog post?
Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!
We need your answers!
By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.
Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!
Thank you for your responses!
Would you like to be informed of our news and receive our latest blog articles directly in your mailbox ? Subscribe to our monthly newsletter!
Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!