What is information security (InfoSec)?

Information security explained

Today’s organizations must be prepared to deal with the threat of cyber attacks and data breaches. Every business, company, and similar enterprise must strive to prevent an attack or disruption, along with any of the far-reaching consequences experienced due to it. These consequences include financial loss, negatively affected operations and compliance, and long-term reputational damage. Any one of these factors could drive business away from an organization and put it at a competitive disadvantage. In their white paper, IDC research reports “that the 'average' cost of downtime exceeds $200,000 per hour”.¹

What can you do to protect your organization from cyber attacks and data breaches? What tools can you use to increase your resilience against them and improve your chances of avoiding them? How will you mitigate their damage and reduce your recovery time? Information security and cybersecurity are two tools that can help you protect your organization from hackers that would inflict harm.

Techopedia notes that information security (InfoSec), sometimes abbreviated IS or called data security, is meant “to protect the confidentiality, integrity, and availability of computer system data from those with malicious intentions”.² It involves keeping data secure and preventing unauthorized access or similar alterations from occurring when the data is being stored or shifted from one device to another.

The SANS Institute offers a more expansive definition, defining InfoSec as “the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption”.³

The National Institute of Standards and Technology (NIST) defines InfoSec  briefly as “protection of information systems against unauthorized access to or modification of information”.⁴ However, building upon this simpler definition, NIST expands it to include the act of protecting information “in storage, processing, or transit, and against the denial of service to authorized users, [and includes] measures necessary to detect, document, and counter such threats”.⁴

What is cybersecurity?

Technopedia refers to cybersecurity as “preventative methods used to protect information from being stolen, compromised or attacked [that require] an understanding of potential information threats, such as viruses and other malicious code”.⁵ NIST defines cybersecurity as the “ability to protect or defend the use of cyberspace from cyber attacks”⁴.  SecurityScorecard simplifies the NIST definition stating that “cybersecurity is related to attacks from the outside of an organization [and it’s] the framework of protecting and securing anything that is vulnerable to [technology-specific] hacks, attacks, or unauthorized access”.⁶

Strategies and tools that cybersecurity uses include the following examples:

• Identity and access management
• Risk management
• Incident management
• Antivirus and antimalware software
• Software patches
• Firewalls
• Two-factor authentication
• Encryption

Because of the critical nature of cybersecurity, it’s essential for an organization to have a comprehensive cybersecurity plan in place. Many enterprises require the deep expertise of a dedicated chief security officer (CSO) or chief information security officer (CISO) on staff to oversee the operation.

InfoSec versus cybersecurity

It’s easy to think of InfoSec and cybersecurity as blanket concepts synonymous with cyber resilience. Both concepts involve protecting information, managing and mitigating risk and disruptive incidents, and reducing the impact that any disruptive incidents would create.

However, they are not interchangeable and there are clear distinctions between the two terms that are rooted in how the data is stored or what form the data takes.

InfoSec is principally concerned with securing data regardless of whether that data is digital or analog. For all intents and purposes, the concept of InfoSec can be just as easily applied to protecting the contents of your home safe as it could to protecting all your organization’s digital data. Having a firewall is important for InfoSec, but so are methods for protecting physical assets, such as having security personal and locking doors or taking similar measures for limiting access to only those employees that require access to certain areas.

SecurityScorecard notes that “Cybersecurity [pertains] exclusively to the protection of data that originates in a digital form, including digital information, systems, and networks”.⁶ Cybersecurity’s exclusivity towards digital data helps distinguish it from InfoSec.

The CSO website offers a different explanation for the difference between InfoSec and cybersecurity, noting that “cybersecurity is the broader practice of defending IT assets from attack, and information security is a specific discipline under the cybersecurity umbrella”.⁷ Expanding on this concept, CSO notes that “Network security and application security are sister practices to InfoSec [that focus] on networks and app code, respectively”.⁷

Applying InfoSec to data center security

When it comes to the practical applications of InfoSec, consider data center security, whether managed by an organization directly or by its cloud service provider. Data centers are very complex and require both physical security and software security or virtual security. The design, layout, and location of the data center building are often incorporated into the strategies of the physical security, including locating the data center away from major roads and establishing buffer zones around the data center. Other techniques and tools for optimizing the physical security of a data center include using the following:

• Security guards, cameras, and alarm systems
• Two-factor authentication, personal identity verification (PIV) cards, and personal passcodes
• Badge readers and biometric systems, such as fingerprint readers, facial recognition software, and iris scanners

In addition to preventing unauthorized access, physical security can also be used to prevent damage to the data center as the result of a disaster or similar disruption. For example, if there was a massive power outage and power wasn’t restored quickly, then it may be difficult to establish proper cooling for all the data center’s servers, resulting in damage to the servers. However, employing redundancies, such as additional power backups and cooling systems that run longer on less power, help prevent damage and ensure the integrity of the servers.

While physical security uses different tools and techniques to ensure the security of a data center and its data, software security processes use digital tools and techniques. These digital tools and techniques prevent unauthorized access of the data center’s network, including anything that would damage the data center or result in theft or unauthorized access of its data. Security information and event management (SIEM) tools help provide oversight and management of the data center in real time. SIEM can be used to control who has access to different parts of the data center and its data, and alarm systems and sensors throughout the data center.

Before anything is deployed onto the data center’s network, it must be scanned and assessed to determine if it poses any harm to the integrity of the data center’s network. These scans usually look for malware or a similarly malicious piece of software or code.

What are the core principles of InfoSec?

First mentioned in a NIST publication in 1977,⁸ what's commonly referred as the CIA triad consists of the core principles that make up the beating heart of InfoSec. These three principles are:

Confidentiality
Arguably the element that’s most synonymous with InfoSec, confidentiality refers to the act of protecting privacy and maintaining authorized restrictions on disclosure and access to data, information, software, or something similar. CSO notes that to maintain confidentiality, your IT security must “be able to identify who is trying to access data and block attempts by those without authorization”.⁷ Tools that increase your cyber resilience and help ensure data confidentiality include the following:

• Single-factor authentication (SFA), two-factor authentication (2FA), multi-factor authentication (MFA), and other similar types of authentication
• Password-based authentication, which is the most common type of authentication
• Symmetric encryption and asymmetric encryption
• Identity and access management products and services

Integrity
Integrity refers to the act of maintaining your data’s homeostasis and protecting it from improper or similarly unauthorized modification or destruction. Many of the tools and practices for ensuring data confidentiality are identical to the practices used for defending your data’s integrity.

Tools that increase your cyber resilience and help ensure data integrity include the following:

• Checksums or hashes are alphanumeric values which uniquely represent a file’s contents and are frequently used for verifying a file’s integrity. For example, a file installer that was downloaded from an external website.
• Version control systems (VCSs) help users keep track of their files’ histories, including what changes were made to their files and when these changes were made.
  • Git is an example of a VCS and GitHub is a website that hosts projects using Git.
• Frequent data backups help ensure that your data is restored from its most recent state.
  • Coinciding with data backups and establishing recovery time objectives (RTO) and recovery point objectives (RPO) help ensure that if disruption does occur, the disaster recovery process will be much more streamlined.
• A cyber vault helps shield your critical data from malicious cyberthreats. Cyber vaults function as a security-rich, isolated vault of immutable storage with analytics scans monitoring your data and detecting potential threats, unauthorized access, or similar issues. A cyber recovery solution, cyber vaults help ensure that your data is clean, protected, and accessible when you need to restore your data.

SecurityScorecard states that by maintaining integrity, you ensure “information non-repudiation and authenticity [of your data]”.⁵ CSO shares a similar point and expands on what nonrepudiation is by defining it as “[being] able to prove that you’ve maintained the integrity of your data, especially in legal contexts”.⁷

Availability
While integrity shares many similarities with confidentiality, availability is an almost perfect reflection of confidentiality. The principal difference is that the concept of integrity addresses what data unauthorized users shouldn’t have access to. The concept of availability addresses what data authorized users should be able to access.

Establishing proper permissions is one way to ensure your data’s accessibility. CSO argues that you can ensure data availability by “matching network and computing resources to the volume of data access you expect and implementing a good backup policy for disaster recovery purposes”.⁷

Ensuring that your data is both confidential and available is a balancing act that many organizations struggle to maintain. As with integrity, establish a regular schedule for replicating and backing up your files. These processes help streamline your disaster recovery process and help ensure a fast recovery. In addition to frequently backing up your files, CSO states that to ensure data availability you should “[match] network and computing resources to the volume of data access you expect”.⁷

What is disaster recovery as a service?

Disaster recovery as a service (DRaaS) is an important component of availability, ensuring that either you always have access to your data, IT assets, and applications or if it’s not immediately available, then it will quickly become available.

In its Market Guide for Disaster Recovery as a Service, Gartner notes that “DRaaS is a great option for infrastructure and operations leaders who want to cost-effectively improve IT resilience, meet compliance or regulatory requirements, and address resource deficiencies”.⁹

Techopedia defines DRaaS as “a cloud computing and backup service model that uses cloud resources to protect applications and data, [functioning as a second infrastructure that gives] an organization a total system backup that allows for business continuity in the event of system failure”.¹⁰

IBM notes that DRaaS “provides continuous replication of critical applications and infrastructure, data and systems for rapid recovery after an IT outage [and includes] the following features:

• Reliable, verifiable, consistent [RTOs] in minutes and [RPOs] in seconds
• Custom solution architectures [including] private, public and hybrid cloud, disk and tape combinations"¹¹

IBM also notes that DRaaS helps “support business resiliency”¹⁰ and “provides comprehensive disaster recovery services, including disaster recovery orchestration processes, disaster recovery health monitoring [and] continuous replication of applications, infrastructure, data and cloud systems”.¹¹

“DRaaS is often paired with a disaster recovery plan (DRP) or a business continuity plan (BCP)”.¹⁰ If DRaaS works properly, then organizations should be able to continue with their daily processes—despite any disruption or necessary repairs—by running them on virtual machines (VMs).

Gartner notes that the DRaaS provider “can deliver the service as a fully managed offering, an assisted recovery offering, or a software-as-a-service (SaaS) model”.⁹ The DRaaS service should be “marketed and sold as a stand-alone, industrialized offering and includes the following features [at a minimum]:

• On-demand recovery cloud for planned exercises and declarations
• Server image and production data replication to the cloud
• Automated failover and failback between on premises and cloud
• Recovery time service-level agreements (SLAs)⁹