Information Security

What is data (information) security and why it’s important

Data security refers to protective measures that are applied to prevent unauthorized access (virtual or physical) to computers, databases and websites.

Protecting customer and other confidential data from malicious and accidental leaks is one of the top business and IT security challenges facing organizations today. The challenge is especially acute in the IoT industry, where the large number of connected devices gives attackers many more potential targets.

“The mantra of any good security engineer is: ‘Security is not a product, but a process.’ It’s more than designing strong cryptography into a system; it’s designing the entire system such that all security measures, including cryptography, work together.”

– Bruce Schneier

Security model

A simple but widely applicable security model designed to guide information security policy is the CIA triad (confidentiality, integrity and availability). In this context:

  • confidentiality is a set of rules that limits access to information. Cryptographic encryption is an example of a measure intended to ensure the confidentiality of data transferred from one computer to another.
  • integrity is the assurance that the information is trustworthy and accurate. One class of attack intercepts important data and alters it before forwarding it to the intended receiver.
  • availability is a guarantee of reliable access to the information by authorized people. Some attacks attempt to deny access to the legitimate user, either simply to inconvenience them or to achieve some secondary effect.

If any one of the three can be breached it can have serious consequences for the parties concerned.

ISDS approach

The most appropriate approach to achieving a high level of data security is security by design, where the design covers the whole information system rather than the software alone. We need to get away from thinking about security as a set of features and instead treat it as a cross-cutting concern, one that cuts across all of the system's functionality.

The security measures employed by the ISDS approach, based on the CIA model, provide:

  • Reliable TRANSFER of the data
  • Strong AUTHORIZATION process, and
  • PROTECTION of the stored DATA

Each of these three dimensions draws on the components of the CIA model; hence confidentiality and integrity of data are considered not only for data in transit but also for data handled during user authorization and for data stored in the database.

ISDS key features

The ISDS information security solution developed by Nissatech follows the OWASP and SANS guidelines and general best practice for reliable software development, in order to avoid well-known vulnerabilities and deliver stable and secure systems. The key features of this approach can be grouped by the three dimensions described above:

» Encrypted communication (HTTPS)

» End-to-end security (E2E)

» Endpoint identity verification

» Certificate and hostname verification

» Signed access tokens (JWT)

» Multi-factor authentication (TOTP)

» Dynamic permission-based access (on-the-fly)

» Source Traceability

» Data Encryption

» Data Integrity verification

Well-designed system architecture as the foundation of good security

Applications without security architecture are like bridges constructed without finite element analysis and wind tunnel testing. Sure, they look like bridges, but they will fall down at the first flutter of a butterfly’s wings. Although many people associate data security only with the software implementation, good data protection requires a well-designed security architecture, that is, well-configured network devices, appropriately scaled components and multi-tier architectural patterns.

From the perspective of system architecture, the ISDS approach is based on a three-tier architecture whose main feature is the physical isolation of the tiers. Client applications no longer connect to or communicate directly with the database server, nor do they directly access the tables or raw data defined in the database(s). All access to data, both for reading and for manipulation, goes through the application tier (web servers), which maintains full control over data access. The web servers are usually deployed in a secure location and expose only a very limited interface to the network (standardized internet protocols such as HTTP(S) and WebSocket).

Because admin privileges in the wrong hands can damage the system dramatically, system maintenance and remote access to the server machines are allowed ONLY through a hardened VPN tunnel. This protection applies to SSH access as well.
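The tier isolation and VPN-only maintenance access described in the last two paragraphs are enforced on the hosts themselves, not only in application code. The ruleset below is an added, hypothetical example for a database-tier host (it is not Nissatech's configuration): the application tier is the only network that may reach the database port, SSH answers only to the VPN address pool, and everything else is dropped and logged. The subnets `10.20.0.0/24` and `10.99.0.0/24`, the PostgreSQL port and the log prefix are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Hypothetical ruleset for a database-tier host in a physically isolated
# three-tier deployment. Addresses are placeholders chosen for this example:
#   10.20.0.0/24  application tier (web servers)
#   10.99.0.0/24  address pool handed out by the maintenance VPN
# The weak setting this replaces is a host that listens on 5432 and 22 for any
# source, leaving the client tier (and the internet) a direct path to raw data.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state invalid drop
        ct state established,related accept

        # Application tier only: the client tier has no path to the tables.
        ip saddr 10.20.0.0/24 tcp dport 5432 accept

        # Maintenance: SSH is reachable only through the VPN address pool.
        ip saddr 10.99.0.0/24 tcp dport 22 accept

        # Keep basic diagnostics working.
        icmp type echo-request accept

        # Anything else, including a public 5432 or 22, is dropped and logged.
        counter log prefix "db-tier drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

The web-tier host gets the mirror image: 443 (and the WebSocket port) open to the internet, 22 open only from the VPN pool, and no listener for the database port at all. The logged drops are worth forwarding to the SOC, since a hit on 5432 from outside the application subnet is a direct signal that something is bypassing the application tier.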