The principles and fundamentals of information security
When you’re developing an information security program for your organization, you want to protect your company’s content, keeping it from unauthorized views and use while giving access to the right people. You also want to preserve your content, preventing unauthorized people from modifying or deleting it. The core principles of information security — confidentiality, integrity, and availability — help to protect and preserve your company’s content.
These three information security objectives come from the CIA triad — also called the AIC triad to avoid any confusion with the U.S. Central Intelligence Agency. Whether you call it the CIA or AIC triad, its purpose is to serve as a benchmark that guides the way your company handles data as it’s transmitted and at rest. These three core principles of information security will help you learn how to protect and preserve your company’s content, so let’s dive in.
Keep the three principles of information security in mind as you put together an information security program and evaluate platforms to store your company’s data. Any platform you use should deliver on each of the three principles in some way.
The principle of confidentiality ensures that only the people who have permission or authority to view content can do so. This means establishing some sort of controls to ensure confidentiality. Those controls can include:
Some forms of content need more protection than others. For example, your company might want to make a marketing video available to the public, but will likely want to restrict access to budget spreadsheets or personal information about your employees. For this reason, content classification is a key part of ensuring the confidentiality of your content.
What happens if the confidentiality principle is neglected? One likely result is a breach of your content or data. When there aren’t measures or controls in place to protect your content, someone can easily access it without permission. A hacker could break into your system, download personally identifiable information (PII), and share that information with others. A breach can hurt your company in several ways, but first and foremost, breaches are expensive. In fact, the average cost of a breach is $3.9 million.
If a bad actor gains access to your company’s content, it can hurt your business reputation. Customers might be wary of returning to your company if they feel that you aren’t taking the appropriate measures to keep their personal data safe.
A lack of confidentiality can also mean that your company loses its competitive advantage. If other companies can see what you’re working on or what types of products you’re developing, they might copy your ideas or rush their own products to market.
The Box Content Cloud allows you to classify your content based on its level of confidentiality. Box Shield lets you manually or automatically classify content. In the case of the latter, Box Shield can identify custom terms or PII in your content and classify each piece of content based on what it discovers. Once classified, a Smart Access policy can be automatically applied to limit external sharing, printing, downloading, and more.
Box Shield also detects threats from suspicious locations, suspicious sessions, and even anomalous downloads by employees.
Integrity is the second principle in the triad. Content needs to be consistent, accurate, and complete at all stages, whether it is at rest or in transit. Authorized or unauthorized users shouldn’t be able to alter the data in a way that affects its integrity.
Why is content integrity so important? Any changes to data that affect its consistency or accuracy could be harmful.
In the early 1980s, a batch of Tylenol sold in the Chicago area was altered. Someone laced the pills with cyanide, a deadly poison, after the bottles of medicine left the factory, but before they arrived on store shelves. At the time, there was no way to detect whether someone had tampered with the medicine or not. Several people took the poisoned pain relievers and died.
The incident led to the development of protocols that protect the integrity of medications. Now, bottles of Tylenol and other over-the-counter medicines have tamper-evident seals that make it easy to see if someone has opened the packaging. The company that manufactured Tylenol also changed the design of the pills themselves so a third party couldn’t open the capsules and add something different.
This is an example of physical tampering with a product that affects its quality and integrity. Similarly, there are ways for third parties to tamper with digital content in a way that affects its integrity. For example, instead of physically adding cyanide to pills, a bad actor could alter the recipe so that cyanide or another poison is added to the medication at the point of production.
This might seem like a farfetched scenario, but there are plenty of ways for bad actors to meddle with digital files in ways that cause harm. For instance, someone could change the account number of an employee’s direct deposit form so their paychecks begin going into a different bank account.
Integrity is closely tied to confidentiality. Unauthorized users can’t alter content if they can’t get access to it. Additional measures beyond confidentiality controls can help protect the integrity of content or data. Audit logs let you see who has done what to a piece of content, while backup controls allow you to regain access to deleted content.
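A digital counterpart to the tamper-evident seal, applied to the direct deposit scenario above. This is an added example, not code from the original page or from Box; it uses HMAC-SHA256, a technique the page does not name, and the key, field names, and form values are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key (assumption). In practice it comes from a secrets
# manager and is never stored next to the records it protects.
SEAL_KEY = b"constructed-demo-key-not-for-production"

def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, key: bytes = SEAL_KEY) -> str:
    """Return the HMAC-SHA256 tag that acts as the record's seal."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record: dict, tag: str, key: bytes = SEAL_KEY) -> bool:
    """Constant-time comparison; False means the seal is broken."""
    return hmac.compare_digest(seal(record, key), tag)

def changed_fields(backup: dict, current: dict) -> list:
    """Compare against a backed-up copy to see which fields were altered."""
    keys = set(backup) | set(current)
    return sorted(k for k in keys if backup.get(k) != current.get(k))

# Constructed direct deposit form, sealed when the employee submitted it.
FORM = {
    "employee_id": "E-1001",
    "bank_routing": "000000000",
    "account_number": "1111222233",
}
FORM_TAG = seal(FORM)

# The same form after an unauthorized edit to the account number.
TAMPERED = dict(FORM, account_number="9999888877")

if __name__ == "__main__":
    print("original intact:", verify(FORM, FORM_TAG))
    print("tampered intact:", verify(TAMPERED, FORM_TAG))
    print("changed fields:", changed_fields(FORM, TAMPERED))
```

The seal only detects the change. Identifying who made it still depends on audit logs, and restoring the correct value depends on a backup.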
The third principle in the triad, availability, reflects the ease with which authorized users can access information or content. You want to ensure your company’s data confidentiality, and you also want to ensure the people who need to use the content can do so. Working in the Content Cloud is one way to ensure your data availability. Authorized employees can access the content from any device that connects to the internet, provided they also have the relevant access level and authentication tools.
Some factors that affect availability include:
Where content can be accessed
The availability of content can vary based on a user’s geographic location. A user might need to be in a certain country to access a particular spreadsheet, or they might need to be physically located in an office building owned by your company to get access. Additionally, a person might be able to access a particular piece of content when using a certain device but not another.
How content can be accessed
The way someone accesses content can be determined by their user credentials or information they provide. You might, for example, require a username and password and enable two-factor authentication.
When content can be accessed
It might be necessary to set time limits for content. A temporary employee might only have access to a document during the period of their contract. A vendor might only get to access a video while working on a project with your company.
Maintaining your company’s software and hardware is a crucial part of ensuring availability. If the software crashes frequently or needs a lot of downtime, it can affect when and how people access the content. The condition of hardware also influences availability. If someone needs to print a document or has to use a special computer to access a particular content type, their overall access to the content is limited.
With Box, employees can access content through the web application, mobile device, or the desktop application, Box Drive. Both availability and security are crucial. That’s why Box has a 99.9% SLA, has SSAE 16 Type 2 data centers, and offers zero-trust content access with any device. With Device Trust, admins can validate device ownership, domain membership, and other device software and security settings.
Balancing the triad
The principles of information security work together to protect your content, whether it’s stored in the cloud or on-premises. The three objectives of the triad are:
- Protect content
- Ensure content accuracy
- Keep content accessible
Upholding the three principles of information security is a bit of a balancing act. It’s not likely that your company can prevent a breach of confidentiality, protect the integrity of your content, and guarantee that it will always be available 100% of the time. It’s important to focus on what you can do to keep the triad in balance so content is as protected, accurate, and accessible as it can be.
One way to balance the triad is to focus on the particular risks that are present and how they affect each principle. Ransomware often affects the availability of your content. It’s a type of malware that encrypts your files, making them unreadable. A hacker who succeeds in installing ransomware on a device renders the device fairly unusable to the owner as long as the malware remains on it. Recognizing the ways that ransomware can affect the availability of your content allows you to develop security plans for combatting it.
You can stop a ransomware attack from limiting access to your content by using a cloud backup program. The malware might block access to a particular device, but if the content is also stored in the cloud, your employees can still access it without having to pay the ransom and hope that the hacker sends a decryption key.
Box Shield can also help. With automated malware detection, content is scanned upon upload. If malware is detected, the file is classified as malicious, and security controls are put in place to prevent downloading and local editing, stopping the spread. Users can still view and even edit the content online, so productivity is not lost. Admins are notified and alerts can be published to SIEM and CASB tools.
Some risks and threats only affect one principle, but there are cases when a threat can affect two principles. Confidentiality and integrity often go hand in hand. Someone could get access to information they shouldn’t and alter that information, either to cause harm or to benefit themselves. A hacker could get vendor payment information and change it so they receive the payments that were meant for vendors.
Information security controls
Your organization can use multiple controls to protect the three principles of information security. It’s usually best to implement multiple controls to ensure a balance of the three principles. Box has several security controls in place that ensure any data you upload to the Content Cloud remains accurate, accessible, and confidential.
Authentication controls can help guarantee the people who are accessing your content are the people who have permission to do so. The controls can be digital or physical, depending on the location of the content. They include:
Identification controls can include scanning badges before allowing a person access to a building area, such as a file room. Other types of physical identification controls include thumbprint or retina scanners, which can verify a person’s identity before granting access to a device or physical location. Identification controls for digital content that’s stored in the cloud or on-premises can include usernames or email addresses.
Passwords can provide an additional layer of authentication. Your company might require employees to create passwords, change their passwords regularly, and craft strong passwords to minimize the chance of a hacker guessing them.
Two-factor authentication (2FA), or multi-factor authentication, requires at least one additional verification beyond a username and password before a person can get access to a piece of content. 2FA can take several forms. A popular option is to send a code to a person’s mobile device via text message and have that person type in the code before proceeding. Another option is to have people download an app to their mobile device. When they try to access a piece of content or log in, they also need to tap a button in the app to complete the authentication process.
Authentication controls protect the confidentiality of your content. They can also impact the availability of the content, as employees who have permission to use certain types of content need to ensure they have the right passwords and identification needed to gain access.
2. Access control
Another way to protect the confidentiality of your content is to limit access to it. Several types of control allow you to limit or open up access:
Classifying your content is one way to determine who can view or modify what. You might want to set up a piece of content so that anyone who has the link can view it or edit it, or you might want to limit access to a particular piece of content to only the people you specifically invite to view or edit it. Box Shield can automate the classification process for you by looking for certain terms or keywords within files.
It might be the case that you’re working with an outside vendor or an individual who needs access to a piece of content, but you don’t want them to have access to the content forever. Putting an expiration date on the permissions you grant is one way to control access. The individual can only view or edit the content until the date the link expires. You can create a new link if you still need their input after that date.
Updated access lists
Employees might come and go from your company. It’s important to ensure someone who no longer works for your business doesn’t continue to have access to your information and content. Regularly updating access lists means that only the people who legitimately have a right to view or edit content can continue to do so. Updated access lists also ensure that new employees get the permissions they need to start doing their work quickly and efficiently.
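The three access controls described above (classification, expiring permissions, and updated access lists) combined into a single access decision. This is an added example, not Box's implementation or API; the labels, the Grant type, the user names, and the rule that external grants must carry an expiration date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed classification labels, least to most restricted (assumption).
PUBLIC, INTERNAL, CONFIDENTIAL = "public", "internal", "confidential"

@dataclass(frozen=True)
class Grant:
    user: str
    external: bool = False              # vendor or other outside party
    expires: Optional[datetime] = None  # None means no expiration date

def decide(user, label, grants, active_staff, now):
    """Return (allowed, reason) for one view request."""
    if label == PUBLIC:
        return True, "public content"
    if label == INTERNAL and user in active_staff:
        return True, "active employee"
    grant = next((g for g in grants if g.user == user), None)
    if grant is None:
        return False, "not on access list"
    if not grant.external and user not in active_staff:
        return False, "stale grant: no longer employed"
    if grant.external and grant.expires is None:
        return False, "external grant lacks expiration date"
    if grant.expires is not None and now >= grant.expires:
        return False, "grant expired"
    return True, "explicit grant"

def stale_grants(grants, active_staff, now):
    """Users whose grants an access-list review should remove."""
    return [g.user for g in grants
            if not decide(g.user, CONFIDENTIAL, [g], active_staff, now)[0]]

# Constructed sample data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STAFF = {"alice", "bob"}
GRANTS = [
    Grant("alice"),
    Grant("carol"),  # carol has left the company but is still listed
    Grant("vendor-1", external=True, expires=datetime(2024, 5, 1, tzinfo=timezone.utc)),
    Grant("vendor-2", external=True, expires=datetime(2024, 7, 1, tzinfo=timezone.utc)),
]
```

Running stale_grants on a schedule gives the list of entries to remove during an access list update.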
Encrypting your content lets you control its confidentiality and integrity. Encryption turns a plaintext piece of content into ciphertext. A hacker who gets access to a plaintext document, such as a sales contract, spreadsheet, or email, can read it easily. But someone who gets access to the ciphertext won’t make heads or tails of it, unless they also happen to have the decryption key.
The length of the key determines its strength and effectiveness. The longer it is, the more effective it is, in most cases. For security, an 80-bit key is considered the minimum strength. Our platform uses a 256-bit key, which is the strength recommended by the U.S. Department of Commerce’s National Institute of Standards and Technology. Someone trying to break a 256-bit key would need to try 2^256 combinations to do so, which is challenging even for a sophisticated computer.
Using encryption protects your content when it’s at rest and when it is being transmitted from one computer to another.
4. Anywhere, anytime access to file history
You need to control how content is altered in addition to who has access to it. The integrity of your company’s content can be affected in multiple ways. A person could make an innocent mistake while editing a spreadsheet, putting a decimal point in the wrong spot or misspelling a client’s name. A hacker could access a piece of content and change it so much that it becomes unrecognizable.
Visibility across older versions of files means that if a piece of content gets altered beyond recognition by a third party, you can compare to see what went wrong and delete any compromised content.
You have several options for maintaining previous versions of your content:
The Content Cloud
Box automatically versions your content on a single cloud platform, meaning that it’s stored on an internet-based server rather than an on-premises server. If something happens to your physical computers or if your content is compromised in any other way, you can quickly revert to the versions maintained in the cloud.
A USB drive
Another backup option is to store your content on a USB drive. A USB drive is small, but it has a lot of storage space. Unlike cloud-based backups, backing up your content on a USB drive isn’t an automatic process. You need to remember to do it. Because USB drives are small, there’s also a chance the drive itself can be lost or stolen.
A network-attached storage device allows you to automatically back up your content. Unlike cloud-based backups, a network-attached storage device stores your content on a physical hard drive. The systems can get pricey, depending on the amount of storage space you need. It is possible for someone to steal these devices, although they are bigger than a USB.