mile2's Information Assurance Philosophy: Green Hat
INFORMATION ASSURANCE (IA) -- DEFINITION
There are numerous definitions of Information Assurance; a cross-section of definitions follows:
- The terms information security, computer security and information assurance are frequently used interchangeably. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Wikipedia.
- Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Also called IA. The Free Dictionary.
- Information Assurance (IA) is the confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users. Central Sponsor for Information Assurance (CSIA).
- Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities. DoD USA.
INFORMATION ASSURANCE IS VITAL TO CORPORATIONS
Even a cursory examination of the foregoing definitions will reveal that they all share some basic concepts as their common denominator. These are confidentiality, integrity, authenticity, availability and non-repudiation (one party to a transaction cannot deny having received it, nor can the other party deny having sent it). It takes no great imagination to understand that these basic concepts are fundamental to the continuing security and growing prosperity of all corporations.
A compromise of any of these elements of Information Assurance, and the resulting fallout, may entail dire consequences for the organization. At one end it may be a minor setback such as a small unrealized profit margin; at the other end it may result in financial ruin, lengthy and expensive litigation, public ridicule and, not least of all, irrevocable damage to the brand. Notwithstanding the imperative nature of Information Assurance, corporate history over the years is replete with instances of organizations that have misconstrued this issue, much to their regret. The question that arises is: why is such a fundamental and profound issue as Information Assurance not given its rightful due? The answer lies in the very evolution and application of Information Assurance.
IA MODELING – AREAS OF FOCUS / APPLICATION
IA modeling and its inherent areas of focus and application have evolved over the years. In the early years of computing, the models focused primarily on confidentiality. For example, applying IA merely meant shutting down the computer, locking the door to the room and perhaps posting a guard outside. In other words, IA was achieved by the very denial of physical access to confidential assets. In truth, it was computer security aspiring to be information security. Notwithstanding advances in the use of IT terminology, Information Security and Information Assurance are still used interchangeably.
The essential difference is that, whereas information security derives mainly from computer science, IA includes that and further advocates reliability and strategic risk management. Additionally, IA embraces corporate governance and its attendant elements of privacy, compliance, audits, business continuity and disaster recovery. Hence, IA draws on a wide spectrum of disciplines. The surprising revelation is that even in a non-computer environment, organizations would still have to come to terms with the security issues that IA addresses.
INFORMATION ASSURANCE – THE CORPORATE DILEMMA
- Corporations require security services in the areas of confidentiality, integrity, authenticity, availability and non-repudiation.
- Corporate information assets may be in a state of transmission, storage or processing.
- Corporate countermeasure resources include technology, policy and practices, and people.
The corporate dilemma is how best to match these resources to the services required for the current state of the information assets in order to yield an optimum IA solution. Which Information Assurance model is best for the corporation? Where should the corporate focus be in respect of IA? Are off-the-shelf solutions acceptable? Will the model succumb to new technology? These are the issues corporations have to grapple with in their search for the optimal solution.
GREEN HAT – mile2’S HOLISTIC APPROACH TO IA
The Information Assurance need of the hour is data protection through better risk management and business modeling. As of January 2008, a move has been made from an emphasis on in-depth and specific technology to an emphasis on holistic technology; from cursory risk management to all-encompassing and highly skilled risk management; and from access controls to data leakage protection. There is no doubt that a new breed of IA professional is emerging. RSA 2008 Europe (March 2008) said as much, and many in the IA loop are endorsing this observation.
"Green Hat" borrows the best features of Black Hat, but focuses on bleeding-edge thinking in compliance management, risk management, business security architecture modeling (such as SABSA), content management, data leakage protection, and user behavior modification models. It will attract the Information Risk Managers, the Information Security Managers, the CSOs and the CIOs, and the die-hard technicians who understand they must re-brand themselves (as the next generation of IA professionals) if they are to thrive in the new Information Assurance economy.