Data security for dummies
Monday, November 17th, 2008
There is much misunderstanding of data security. This applies not just at end-user level but also quite generally at overall small business level. Much of this is attributable to an ever-growing and widely misused information technology vocabulary, much of it brought about by the deliberate use of trade and company names by interested parties when producing instructions, guides and white papers.
For this reason, an understanding of data security can only be obtained by reducing the factors that affect, and matter to, information security to micro or atomic level. Many have approached this. Here we are interested in the work of third-party academics and not in interested business parties.
The three classic data security components are confidentiality, integrity and availability.
They are known as the CIA triad: CIA from the combined first letters of the three terms, and triad because it is the term for a group of three. The CIA triad was later extended into what is now known as the Parkerian hexad: Parkerian because it was proposed by Donn B. Parker, and hexad because the number of elements was increased to six.
The six elements of information security (in our case, data security) according to the Parkerian hexad are as follows.
- Confidentiality
- Possession or Control
- Integrity
- Authenticity
- Availability
- Utility
A list can serve to prompt incorrect assumptions, so let's take a closer look at these data security principles. You may not want to get into the academics, but someone in or representing your organisation needs to have a clear insight so that you can actively avoid a data breach rather than simply protect against data loss.
First off, why these six elements? Surely there are thousands of terms applicable to information. These six elements are widely agreed among data academics as being at micro or atomic level. They are considered to be essential and non-overlapping from the point of view of information security.
Confidentiality deals with the who in data. Information which is available to nobody is essentially useless, so it is agreed that, whatever the level of confidentiality required, there must be a default exception list with at least one entry. The confidentiality of data is therefore measured by comparing the required access with the actual access allowed.
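To make the "required access versus actual access" comparison concrete, here is an added example (not from the post) that reviews a constructed set of assets, reports principals granted access the asset does not require, and flags an asset whose exception list is empty; the asset and principal names are hypothetical.

```python
"""Confidentiality review in the sense the post uses: compare the access a
data asset requires with the access actually granted."""

# Constructed sample data (hypothetical asset and principal names).
REQUIRED_ACCESS = {
    "payroll.xlsx": {"hr-manager", "payroll-clerk"},
    "customer-list.csv": {"sales-team"},
    "board-minutes.docx": set(),   # nobody listed: see the empty-list check below
}

ACTUAL_ACCESS = {
    "payroll.xlsx": {"hr-manager", "payroll-clerk", "intern"},
    "customer-list.csv": {"sales-team"},
    "board-minutes.docx": {"ceo"},
}


def confidentiality_review(required, actual):
    """Return per-asset findings.

    over_granted:         principals with access the asset does not require
                          (the confidentiality gap the post describes).
    under_granted:        principals that should have access but do not
                          (an availability issue rather than confidentiality,
                          but worth surfacing in the same review).
    empty_exception_list: True when nobody is meant to have access; the post
                          notes every asset needs at least one permitted party.
    """
    findings = {}
    for asset in sorted(set(required) | set(actual)):
        req = required.get(asset, set())
        act = actual.get(asset, set())
        findings[asset] = {
            "over_granted": sorted(act - req),
            "under_granted": sorted(req - act),
            "empty_exception_list": len(req) == 0,
        }
    return findings


def confidentiality_breaches(findings):
    """Names of assets whose actual access exceeds their required access."""
    return sorted(a for a, f in findings.items() if f["over_granted"])


if __name__ == "__main__":
    for asset, finding in confidentiality_review(REQUIRED_ACCESS, ACTUAL_ACCESS).items():
        print(asset, finding)
```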
Possession and control may seem to overlap to an extent with confidentiality, but it is agreed to be a component in its own right. An example would be a letter addressed to you arriving at someone else's address. They may not open it, but possession and control have been breached regardless.
Integrity of data deals with the state of the data and the effect on it of any modification, intended or otherwise. Integrity therefore applies not only to its condition at a point in time but also to potential modifications by users, software and incidents.
Data authenticity is not only different from integrity but has a broader focus. Authenticity deals with the labelling of data. This applies not only to the intended, managed data store but also to data introduced to the organisation through communications. An example would be a communication received from a party claiming an origin different from the actual one. If this goes unnoticed, the recipient may not fall victim to any intended crime, but in real terms simply not knowing of the intention, regardless of the failure of the perpetrator, is in itself a breach. Another more innocent example would be a form filled out incorrectly, in which an applicant or respondent accidentally places an email address in the name input box. Any failure to validate this is a data authenticity issue.
Data availability deals not only with the possibility of accessing required information but also with any time lag in obtaining it, in normal and in data outage circumstances. Nanosecond delays in normal circumstances may be a technical availability issue but not a concern on the scale of an hour's delay, a full day's delay or a total outage.
Utility of data deals with the practical benefits of the data stored. How useful is the data? This also covers the ability to read the data as regards the format it is stored in and any conversions applied or required to read it. Even encryption can be said to affect the utility of data because of the time required to decrypt before reading. This is not to say that encryption is not recommended. Encryption is absolutely necessary in most business environments. Utility can be confused with availability, but it is quite distinct from it. An example highlighting this would be data converted to generate a graphic display. However well matched mathematically and helpful from a human viewpoint a visual display may be, it represents a utility modification.
In summary
Data security is a process, not a task. Data security is never 100% certain. Innocent parties may suffer a breach despite the best will of the data administrator concerned. All this said, risk reduction is a clear responsibility for which clear steps must be taken. The consequences for everyone should a business not make acceptable efforts are also clear, as is the distinction between those who took action to protect data and those who did not.