Introduction to Security

Whenever we consider the topic of digital privacy, information security quickly emerges as relevant and related. In this lesson, we’ll define security and discuss the evolution of security from the physical world into the digital realm. We will also explore the CIA Triad: confidentiality, integrity, and availability. Finally, we’ll consider a few fundamental limitations and trade-offs involved when designing secure systems.

Definition of Security

One simple way to define security is protection from harm. For most of human existence, the practice of security has focused on the protection of physical things. Deterring theft, preventing malicious injury, and safeguarding property are concepts as old as society itself.

Figure 1: Fort Sumter in Charleston Harbor, South Carolina, photographed from Fort Moultrie. Well into the 20th century, forts were an important part of coastal defense, providing physical security to harbors.

Organized approaches to security are also not new. Humans have long built fortifications to protect settlements, villages, towns, cities, harbors, and other strategic locations from attacks by other humans. Fort Sumter (Figure 1) and Fort Moultrie (Figure 2) are examples of such fortifications, built to protect Charleston Harbor. While these forts are both historical relics today, they were still in use for coastal defense purposes through World War II.[1]

Figure 2: Fort Moultrie, Sullivans Island, South Carolina.

Fortifications are examples of physical security measures. Physical security concerns the protection of assets or people from intruders or other malicious entities, often by denying access to unauthorized parties. Note that physical security is still an important part of securing computer systems! Protecting the systems from unauthorized physical access is critical, since any software-based security controls are easily bypassed if someone has physical access to the hardware. For this reason, even glass-walled data centers like the main Coastal Carolina University campus data center (Figure 3) have several layers of physical security.

Figure 3: Coastal Carolina University main campus data center. Special security glass allows the server racks to be visible, while several layers of locked doors restrict access to authorized employees.

In the early days of computing, physical security alone provided most of the information security needed for the system. Information security refers to the protection of the data stored on the computer system. Early computers stored all their data on local physical media, such as punched paper tape, punched cards, floppy disks, magnetic tape, and hard drives. Most computer systems were not interconnected, and the Internet did not yet exist. Therefore, physical security of the storage devices was sufficient to protect the information on them.

Today, the vast majority of computer systems are connected to the Internet in some way, so there is always a concern that a remote threat actor, who lacks physical access to the system, could endanger the data. Physical security alone is no longer sufficient to provide information security. The field of cybersecurity is concerned with protecting globally-connected computer systems and the information they contain from harm.

Protecting data from harm requires considering the various ways in which a threat actor could endanger the data. Generally speaking, there are three main things that a threat actor could do. First, they could steal the data, potentially misappropriating secret or sensitive information to carry out further harm. A threat actor could also alter the data in a harmful way. For example, the threat actor could add to the balance of a fraudulent account, or they could deface a website with hateful information. Finally, the threat actor could deny legitimate users access to the data altogether, either by deleting the data or performing some kind of Denial of Service (DoS) attack that renders the data inaccessible to its legitimate users.

To be secure, a modern system must ensure that:

CIA Triad

A more formal way to express the previous point is the CIA Triad: Confidentiality, Integrity, and Availability. Confidentiality is the principle of protecting data from unauthorized access or disclosure. Some types of data are public, such as this lesson, and may be published online for anyone to see. However, other types of data are sensitive and need to be restricted. Some examples include Social Security numbers, medical records, corporate secrets, and military intelligence. The theft of sensitive data can be lucrative in itself, as these kinds of data may be resold to other criminals and/or used for fraudulent activities like identity theft.

Moving along the CIA Triad, integrity is the principle of ensuring that unauthorized or undetected changes to data or system configurations do not occur. Attacks on the integrity of a system may be carried out to alter records or falsify information. Other types of attacks misappropriate the server or computer resources for nefarious uses, such as by serving defaced content, sending unsolicited messages, or distributing illegal content.

Finally, availability is the principle of ensuring that systems stay online, and data and services remain accessible, to authorized users of the system. Some attackers break into systems with the objective of disabling corporate, government, or other services, making those services inaccessible to their intended audiences. Relatively common Denial of Service attacks do not even require breaking into the system; instead, the servers are flooded with requests that either saturate the Internet connection or overwhelm the computer, preventing legitimate users from accessing the services.

Limitations of Security

A fundamental trade-off exists between security and functionality. Implementing a strict security policy may directly affect the availability of the system. For example, a company might have a policy that certain types of business information cannot be stored electronically. If the company is large enough, and particularly if the company has offices in multiple locations, the inability of employees to access this information without having to look at physical paper records might be detrimental to the company’s market success.

One of the key components of cybersecurity is recognition of the fundamental trade-offs that exist between the principles of the CIA Triad. Focusing on only one or two of the principles when designing the system and its policies may adversely affect the system's conformity to the other principle(s). An extreme example would be designing only for confidentiality: data stored on a computer system that is physically located inside a vault, where it is not plugged into power or the Internet, will have a high level of confidentiality. However, such an arrangement would result in zero availability. At the other extreme, an Internet-connected server with few or no access control mechanisms would provide excellent availability. Unfortunately, this availability would be extended beyond the legitimate users of the system, providing ample opportunities for remote attackers to compromise confidentiality and integrity.

Notes and References


  1. National Park Service. Fort Moultrie 

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.