ABSTRACT

The goal of enterprise security is to protect an organization's information assets and infrastructure from accidental or malicious disclosure, modification, misuse and erasure. This chapter introduces the primary concepts in information security, namely confidentiality, integrity, and availability, commonly known as the CIA triad. Defense in depth entails putting in place multiple layers of defense, each adding protection that still holds if another layer fails. Identification and authentication are introduced as the first line of defense protecting an organization's information assets and infrastructure. Authorization provides the segregation-of-duties control that many organizational functions require. Access control refers to the mechanisms used to limit access to networks and systems. Once granted access, users must be accountable for what they do with the resources or information. Auditing is the process by which we ensure that our environment complies with the laws, regulations, and policies that bind it. This chapter's appendix describes aspects of cryptography: cryptography provides a suite of basic mechanisms for implementing the security services that protect electronic information, such as confidentiality, data integrity and authentication. Cryptography does not secure information on its own, but it is at the core of many technical mechanisms for protecting information.
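The following Python example is added here to make the chain the abstract describes concrete; it is not code from the chapter. It walks one request through identification and authentication (salted, iterated password hashing), authorization under a role policy with a segregation-of-duties rule, and accountability via an audit trail whose entries are HMAC-protected and hash-chained so that modification or deletion of earlier entries is detectable. The users, roles, policy, and audit key are all constructed for illustration.

```python
"""Added example (not from the chapter): authentication -> authorization with
segregation of duties -> tamper-evident audit trail.  Every user, role,
permission and key below is constructed for illustration."""
import hashlib
import hmac
import json
import secrets

# --- Identification and authentication -------------------------------------
USERS: dict[str, dict] = {}          # constructed credential store


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; plaintext passwords are never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(user: str, password: str, roles: set[str]) -> None:
    salt = secrets.token_bytes(16)
    USERS[user] = {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


def authenticate(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        _hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


# --- Authorization and segregation of duties --------------------------------
ROLE_PERMISSIONS = {                  # constructed policy: role -> actions
    "clerk": {"payment.create"},
    "approver": {"payment.approve"},
    "auditor": {"audit.read"},
}
SOD_CONFLICTS = [("clerk", "approver")]   # one person may not hold both


def sod_violations(roles: set[str]) -> list[tuple[str, str]]:
    return [pair for pair in SOD_CONFLICTS if set(pair) <= roles]


def authorize(user: str, action: str) -> bool:
    roles = USERS[user]["roles"]
    if sod_violations(roles):
        return False                  # conflicting role set: deny until corrected
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# --- Accountability: HMAC-protected, hash-chained audit trail ---------------
AUDIT_KEY = secrets.token_bytes(32)   # constructed; would live with the audit service
AUDIT_LOG: list[dict] = []


def _record_mac(record: dict) -> str:
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, body, "sha256").hexdigest()


def audit(user: str, action: str, outcome: str) -> None:
    prev = AUDIT_LOG[-1]["mac"] if AUDIT_LOG else ""
    record = {"seq": len(AUDIT_LOG), "prev": prev,
              "user": user, "action": action, "outcome": outcome}
    AUDIT_LOG.append({"record": record, "mac": _record_mac(record)})


def verify_audit_log() -> bool:
    # Detects edited or removed entries; removal of the newest entry would
    # need an external anchor (e.g. a published latest MAC) to be noticed.
    prev = ""
    for i, entry in enumerate(AUDIT_LOG):
        rec = entry["record"]
        if rec["seq"] != i or rec["prev"] != prev:
            return False
        if not hmac.compare_digest(entry["mac"], _record_mac(rec)):
            return False
        prev = entry["mac"]
    return True


# --- One request through all layers -----------------------------------------
def request(user: str, password: str, action: str) -> str:
    if not authenticate(user, password):
        outcome = "denied:authentication"
    elif not authorize(user, action):
        outcome = "denied:authorization"
    else:
        outcome = "allowed"
    audit(user, action, outcome)      # every decision is recorded, allowed or not
    return outcome


def demo() -> list[str]:
    USERS.clear(); AUDIT_LOG.clear()
    register("alice", "pw-alice", {"clerk"})
    register("bob", "pw-bob", {"approver"})
    register("carol", "pw-carol", {"clerk", "approver"})   # violates SoD
    return [request("alice", "wrong", "payment.create"),
            request("alice", "pw-alice", "payment.create"),
            request("alice", "pw-alice", "payment.approve"),
            request("bob", "pw-bob", "payment.approve"),
            request("carol", "pw-carol", "payment.create"),
            request("mallory", "x", "audit.read")]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
    print("audit log intact:", verify_audit_log())
```

Each layer fails closed: an unknown user is rejected before any policy lookup, a user whose roles conflict is denied every action rather than the conflicting pair only, and every decision, denied or allowed, lands in the audit trail so that accountability does not depend on the request succeeding.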