This article defines information assurance from a military point of view, addressing the five pillars of information assurance: availability, integrity, authentication, confidentiality, and non-repudiation. Most of these tenets can be applied to any network Ã¢â¬â commercial or military.
Information Assurance (IA) consists of "measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities." (Department of Defense Directive 8500.1 "Information Assurance," October 24, 2002)
Secure communications have evolved through three very distinct stages over the past 50 years: Communications Security (COMSEC), Information Systems Security (INFOSEC) and Information Assurance (IA). After WWII and the Korean War, COMSEC efforts focused primarily on cryptography. The introduction and widespread use of computers created new demands to protect information exchanges between interconnected computer systems. This demand created the Computer Security (COMPUSEC) discipline. With the introduction of COMPUSEC came the recognition that stand-alone COMSEC and stand-alone COMPUSEC could not protect information during storage, processing or transfer between systems. This recognition gave rise to the term INFOSEC and the information protection mission took on a broader perspective. IA emerged and focused on the need to protect information during transit, processing, or storage within complex and/or widely dispersed computers and communication system networks. There needs to be an assurance that the information sent is the same information that is received.
Availability is the state where information is in the place needed by the user, at the time the user needs it, and in the form needed by the user. The issues that most directly affect availability are information system reliability (is it up and running?), the informational level of importance (some information is more critical than others), and timely information delivery (delay of some information has a greater impact than other information).
Integrity is sound, unimpaired, or perfect condition. This includes system integrity and data integrity.
Authentication verifies the identity of the user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system, and to verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification. Authentication ensures that you have the right to see the information, and that you are who you say you are. The two elements most often associated with authentication are logins and passwords.
Confidentiality is the concept of holding sensitive data in confidence, limited to an appropriate set of individuals or organizations. Confidentiality is often referred to as information security. Here we deal with two issues: clearances and data security. In the military, there is a distinction between having a security clearance and having a need to know. Just because someone has a Top Secret security clearance doesnÃ¢â¬â¢t entitle him or her to read every Top Secret document in the world. They can only access those that pertain to their job.
Non-repudiation is a service that provides proof of the integrity and origin of data, which can be verified by any third party at any time. Two of the services that support non-repudiation are digital signatures and encryption. Biometric and retinal scans are right around the corner and are being used by some organizations.
We are all involved in information assurance. Not only do we depend on it to do our work, but also we are involved in making sure it works. Remember, information is only as good as the assurance that we apply to it. Not all information needs to be protected at the same level, but all information needs to be protected.
ÃÂ©2005, all rights reserved
Secure Systems Analyst for HQ United States Army Pacific (USARPAC) responsible for policy and procedure for the Pacific Theater. Retired from the Army after 30 years of service primarily in the telecommunications and Communications Security (COMSEC) field. "Security" is my middle name.