Sunday, May 10, 2020

Encryption, Identity, AuthN, AuthZ ...

The field of information security (infosec) has gotten fairly complex of late. There are many sub-disciplines within this area, each of which can be studied in its own right as a lifelong pursuit and career.

For example, I spent about 15 years of my career specializing in a field known as IAM, short for Identity and Access Management. IAM is all about access control: it determines who can access data (information) and do various "things" to it or with it, i.e. read, write, delete and create. Even within IAM, of late, there has been further specialization. CIAM is the area of practice that deals with customer-oriented IAM. E-IAM, on the other hand, focuses on Enterprise IAM, which deals with the employees, vendors, partners and contractors of organizations and enterprises, i.e. regular companies.

So, back to infosec: what is it anyway? It is the field focusing on how information is secured. For our purposes, we could also liken information to data. You have probably heard about the "CIA" triad in relation to infosec. This is an acronym that captures the essence of what infosec tries to accomplish. C stands for confidentiality, I for integrity and A for availability. Given that humans produce and consume a lot of information/data in our day-to-day existence and consider it valuable enough to warrant protection, C provides confidentiality for that data, I provides integrity and A ensures availability.

Confidentiality ensures that data is only available to those authorized to read and consume it. Integrity ensures that data is not inappropriately modified, and Availability ensures that data is there when one needs access to it. Each component of the CIA triad could be dissected and explained in excruciating detail, but we will leave that for a future session.

How is CIA accomplished? In the biz, people would say: through the use of "controls". For example, there can be physical controls, which would be locked rooms, safes, cages for computers, fences, guards, dogs... you get the idea. All of these have some effect on access. On the other hand, there can be technical controls. In the good old days prior to the widespread use of computers, these would be things like ciphers and keys. Today, they are very much related to computers and the technologies running on them.

For example, encryption is used to scramble data both when it is in transit over a network and when it is stored statically (at rest) in a database.

The concept of digital identity has evolved so that a human in the physical world with a unique identity can operate similarly in the digital world, and this digital identity is then used to determine what actions are permissible on what data.

Ok, so how does digital identity get established? When a person, e.g. a customer or employee, gets established in the system, digital identity comes about from aspects of physical identity: attributes like name, address and contact info become the seeds of digital identity. In addition, an identifier, which could be a unique number or string, is attached to the set of attributes we just talked about, resulting in a digital identity. Of course, this is an ultra-simplified version of digital identity. There is a lot more we will talk about in subsequent posts.

The process of discovering (establishing) the customer's or employee's digital identity is called Authentication, or AuthN. We will discuss this in great detail in the future. The process of deciding what a customer can and cannot do with the data is called Authorization, or AuthZ.
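To make the three ideas above concrete, here is a small added example (not code from the original post): a digital identity is an identifier plus a set of attributes; AuthN discovers which identity is behind a request by checking a credential, and AuthZ then decides whether that identity may read, write, create or delete a given piece of data. The user records, the permission table and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed example, not code from the original post. The users, the
# permission table and every name below are assumptions for illustration.


@dataclass
class DigitalIdentity:
    """Identifier + attributes, plus the credential data needed for AuthN."""
    identifier: str
    attributes: dict
    salt: bytes
    password_hash: bytes


PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked record cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(identifier: str, attributes: dict, password: str) -> DigitalIdentity:
    # Establishing the identity: seed it from physical attributes, attach
    # an identifier, and store only a salted hash of the secret.
    salt = os.urandom(16)
    return DigitalIdentity(identifier, attributes, salt, hash_password(password, salt))


# The "directory" of enrolled identities (hypothetical sample data).
DIRECTORY = {
    "emp-1001": enroll("emp-1001", {"name": "Ada Example", "dept": "Finance"}, "correct horse battery"),
    "cust-42": enroll("cust-42", {"name": "Bob Sample", "email": "bob@example.invalid"}, "staple-staple"),
}

# AuthZ policy: which actions each identity may perform on which data.
PERMISSIONS = {
    ("emp-1001", "payroll"): {"read", "write"},
    ("cust-42", "orders"): {"read", "create"},
}


def authenticate(identifier: str, password: str) -> Optional[str]:
    """AuthN: return the identifier if the credential checks out, else None."""
    ident = DIRECTORY.get(identifier)
    if ident is None:
        # Do the same work for unknown identifiers so response time does not
        # reveal whether an identifier exists.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, ident.salt)
    # Constant-time comparison of the two hashes.
    if hmac.compare_digest(candidate, ident.password_hash):
        return ident.identifier
    return None


def authorize(identifier: str, action: str, resource: str) -> bool:
    """AuthZ: default deny; only listed (identity, resource, action) triples pass."""
    return action in PERMISSIONS.get((identifier, resource), set())


def request(identifier: str, password: str, action: str, resource: str) -> str:
    """One access request: AuthN first, then AuthZ on the identity AuthN found."""
    who = authenticate(identifier, password)
    if who is None:
        return "denied: authentication failed"
    if not authorize(who, action, resource):
        return f"denied: {who} may not {action} {resource}"
    return f"allowed: {who} {action} {resource}"


if __name__ == "__main__":
    print(request("emp-1001", "correct horse battery", "read", "payroll"))
    print(request("emp-1001", "correct horse battery", "delete", "payroll"))
    print(request("emp-1001", "wrong password", "read", "payroll"))
    print(request("cust-42", "staple-staple", "create", "orders"))
```

Note that the two checks are deliberately separate: AuthN answers "who is this?" and never looks at the permission table, while AuthZ assumes AuthN already succeeded and only asks whether this identity may perform this action on this data. The default-deny permission lookup is what ties the example back to the CIA triad: confidentiality and integrity of the data depend on reads and writes being refused unless explicitly granted.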

So, in this blog post we have lightly covered:
  • what information security is
  • what the objectives of infosec are (remember CIA)
  • what controls are and, more importantly, what technical controls are
  • what concepts like encryption, identity, AuthN and AuthZ are.
