Information Security, far beyond Proxy, Firewall, and: computers.
Most of the time, we associate the "Information Security" area as just another department that takes care of security items on the computer network of some company, or several companies, installing some devices, and "done".
But information security is much more than just a firewall, a content intercepting proxy, an email that collects and filters data for analysis, and any type of network or computer control.
Discover the most basic information security needed for any company, outside of computers.
Information security outside the network
There are several security controls, and all of them are aimed at information security, however, information security is an area that studies a way to protect data and information from being accessible and limited only to those who can access it.
Currently, data and information in general are on computers, but it was not always so; and, there is information that is protected with somewhat unusual controls, which is simply on the basis of saying that there is a certain control, defining penalties related to it, even if this control does not actually exist.
Most problems start here
Most companies know that people with privileged information are the ones most likely to leak, or even take advantage of them to gain advantages, and the fraud work starts inside companies, watching employees; even if the IP address originating from the action is from China, recorded in the log of the incredible "Bluecoat" that logs any transaction.
It is much more likely that you are an employee, or someone who has previously worked at the company, to be able to defraud records, data, embezzling resources for any reason whatsoever, including emotional, greed, or even revenge.
The controls that can fire you for cause, even without existing
Some approaches adopted are the disclosure and diffusion that there are security and audit controls in the systems, which verify the integrity of the data to prevent fraud by employees, analyzing enrollments, and actions taken; the famous "fake" security camera, which is visible there, but it is hollow, has nothing inside; even so, no one really knows if it is a camera or not, and when in doubt, everyone behaves as if it were a camera.
Generally, these controls are treated in an extremely confidential manner, such as: "by the company's information security standard, the information in this control cannot be disclosed".
Not even top management can have this information, because information security is in fact a size of the top management of a company, and it has, and cannot have, any link with employees.
Based on whether or not there is any actual physical control, just the fact that all employees are aware of "such an audit" and its related punishments, this becomes a security control, and is considered by some psychologists, one of the most efficient; because everyone who works knows that they may one day be caught, and they may be fired for cause.
Protect information without computers
Let's think about a hypothesis that you have certain information that is extremely confidential, and you are in the year 1450, there are no computers, tablets, networks, not even cell phones. This information is extremely confidential and you need to keep it in maximum security, because after all, it is a "treasure map", something that has extreme value.
So that this information does not fall into the wrong hands, you have chests, keys, you can bury, or separate and divide and spread in various places. But, if the information is so confidential, we have to think about the following principle of information security:
- Confidentiality
- Integrity
- Availability
Let's check if our information is safe.
Confidentiality, Integrity and Availability.
How to keep this information so important, confidential, which is the guarantee that only specific people will be able to access it? Perhaps in 1450, writing partially guaranteed confidentiality, since many people did not know how to read and write; but it did not prevent others with knowledge from having access.
Passing on information only to loved ones in the family can be an option, always educating children to never speak certain information. Supposing it is a chest buried inside the house, but to open it, I would need the keys, which are scattered throughout the house.
If you have several children, and you cannot trust all of them at the same time, the ideal is to pass on to each one the location of one of the keys, stating that he can never reveal to others where the key is.
Assuming there are 3 siblings, if one tells the others the location of the key, and the others tell the location of the keys, at some point in the family there is a betrayal, someone can take all the keys, and stop the information alone and run away. .
What is the punishment if you talk about the key? Being locked in the "dungeon", just daring to speak the location of the key that has been entrusted to you; and the immediate exchange of the location of the key that was disclosed.
The punishment and division of the contents, and this exchange of places of the key when revealed, also guarantees not only confidentiality, but also integrity. One of the security controls is "if it becomes known that you have told someone else where the key is, you will be punished for being arrested". The security control then is something that you may or may not have, but that guarantees by itself that the fact occurs.
The fact of "hearing someone talking about the key, and not talking about what they saw, becomes an accomplice in the act", and will also have its punishment. There, a more secure link is closed, with the second security control.
And if any of the brothers are arrested, and killed, how will they find the key? The father holds the information for all the keys; but it will need to create some health and availability control for the information. Passing part of the information where one of the keys is to a third party that nobody knows about, and this information is worthless to this third party, may be an option.
Information security beyond network controls
When someone tells you: You talk about information security, but don't teach anything about McAfee, Squid Proxy, Linux, NTFS permissions, Bluecoat, IPS and IDS, Snort, Microsoft Exchange, Google G-Suite, and policy settings for e- mails, and other security controls, just think with yourself that these are just controls that guarantee perhaps a minimum of security, derisory for the global context of what the "Information Security" principle is really, which is to guarantee confidentiality , integrity and availability, no matter how.
It doesn't matter whether it's on parchment scattered in bottles by the sea, chests with keys scattered somewhere, or a treasure map, or in the age of quantum computing, in the future, where the use of "lack of knowledge" is a kind of security control, like the interlinked link of atoms, which nobody knows exactly how it works, but it is known that if it is intercepted in any way, the results will be shuffled and inaccessible, breaking the link.
Information security is on the rise, with countless data leak scandals from large companies, such as Google, Facebook, etc., if paying attention to the principles is more than paramount, it is essential to be able to actually protect valuable information. Look out of the ordinary to be a real expert.
No comments