Cloud Provider Evaluation
matador
ApplicationandDataSecurity.pdf
3/5/22, 12:33 PM Application and Data Security
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/application-and-data-security.html?ou=622270 1/7
Learning Topic
Application and Data Security In simple terms, the purpose of information security is to protect computer systems from
theft, logical and physical.
The best way to ensure that computer systems are protected is to follow the basic
security principles of confidentiality, integrity, and availability. Also known as the CIA
triad, these principles are used as a model to help organizations create information
security policies.
The triad is sometimes taken to be a product of the Central Intelligence Agency, but it is
not associated with the organization.
CIA Triad Security Model
3/5/22, 12:33 PM Application and Data Security
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/application-and-data-security.html?ou=622270 2/7
The CIA triad is the cornerstone of information systems security. If any one of the three
parts is breached, it can lead to consequences for the parties concerned.
Confidentiality
Confidentiality refers to the methods used to protect information from unauthorized
disclosure. Protecting the confidentiality of proprietary or sensitive information is of vital
importance, as you can see based on the definitions below.
Proprietary information—Proprietary information is information that an organization
compiles to gain an advantage over its competitors. If a company spent millions of
dollars researching the latest microprocessor, the information attained through that
research would be classified as proprietary.
Sensitive information—Sensitive information is any information that should be
restricted to only those people who require access to it. Examples of sensitive
information are
personal medical information
credit card information
personal financial information
government-classified information
Several threats to confidentiality exist:
Social engineering—In its malevolent form, social engineering is the act of
manipulating or deceiving people into performing actions they should not perform
or divulging information they should not disclose. It may involve appealing to
people's respect for authority, people's desire to assist others, or people's fear of
failure.
An example of social engineering would be if an impersonator called a military help
desk and asserted that he was a senior officer and required his password
immediately. Although the help desk worker would surely be required to verify the
identity of callers, the worker would possibly feel intimidated by the caller's
supposed rank and pressured to ignore standard protocol and provide credentials
without properly vetting the caller.
System vulnerabilities—Unpatched or misconfigured systems may be vulnerable to
attackers' attempts to compromise them. When vulnerabilities within systems are
identified, software vendors release patches to address them. The failure to apply
3/5/22, 12:33 PM Application and Data Security
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/application-and-data-security.html?ou=622270 3/7
patches leaves these systems in an exposed state. Additionally, some software ships
in a configuration not considered secure.
It is necessary for administrators to configure systems so as to disable unneeded
protocols or functionality, as this minimizes the attack surface area of a system.
Most people are familiar with the security patches sent out routinely by Microsoft,
Firefox, and antivirus and computer security companies.
Unintentional disclosure—Unintentional disclosure can result from a lack of training
or from negligence. Here is an example of unintentional disclosure.
In March 2009, it was disclosed by Tiversa, a company that specializes in reviewing
peer-to-peer (P2P) file-sharing networks, that the blueprints to Marine One, the US
president's personal helicopter, were available freely on multiple P2P networks.
Additionally, it was identified that this information was resident on a machine in
Tehran, Iran.
According to Tiversa, the blueprints for the aircraft were originally disclosed by a
government contractor responsible for manufacturing the aircraft. One of the contractor's
employees downloaded a P2P client and inadvertently shared out a directory containing
the blueprints (Wilson, 2010)
Integrity
Integrity refers to the processes that ensure accuracy of information. Consider the need
for maintaining integrity in systems and the data they process in the following contexts:
Military—What if the coordinates for a planned airstrike are inaccurately provided
by a navigational system?
Banking—What if a user pays for a delivery, and the bank's system adds an extra "0"
to the payment?
Health—What if a specific medicine is administered to the patient in room 401
instead of the patient in room 410?
Two categories of threats to integrity exist:
Intentional—Intentional threats occur when a computer system or user deliberately
modifies data to skew its accuracy. Intentional threats can stem from an attacker's
desire to sabotage a system or its functions.
3/5/22, 12:33 PM Application and Data Security
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/application-and-data-security.html?ou=622270 4/7
Unintentional—Unintentional threats occur when a computer system or user
modifies data without knowing it. For example, a programmer could make an error
leading to the incorrect calculation of accounting information.
Regardless of the types of threats against them or the types of information they contain,
systems should have sufficient accuracy validation to ensure that incomplete or
inaccurate data does not gain credibility.
Availability
Availability addresses the need of a system to provide continued, reliable access to
information while maintaining an acceptable level of performance. Consider organizations
with technology and services that must be nearly 100 percent available 24 hours a day,
such as financial institutions, emergency service providers, power providers, and
communication providers. Every moment that these organizations cannot exchange
information, there is the potential for serious financial loss, injury, or even death.
In cases where an organization dictates to a service provider an acceptable level of
availability, the negotiated level of service is defined as a service-level agreement (SLA).
SLAs help the service provider identify the availability expectations.
To better conceptualize the need for availability, consider the devastating effects of
Hurricane Katrina, where the systems normally used to provide critical processing for
emergency and other services were disrupted by damage from wind and flooding. In this
natural disaster, the following exacerbating conditions were present:
lack of reliable communication and power for weeks
significantly hindered transportation
physical destruction of facilities
evacuation of emergency and other personnel
Several threats to availability exist:
Natural disasters—Natural disasters can render an organization's computer
processing facilities unusable due to a power loss.
Technology failures—All electrical components eventually fail. Hard drives crash,
power supplies fail, routers shut down.
Attackers—An attacker can launch a denial-of-service attack, which is designed to
send so many requests to a system that the system cannot successfully process
3/5/22, 12:33 PM Application and Data Security
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/application-and-data-security.html?ou=622270 5/7
them.
References
Baker, W., Goudie, M., Hutton, A., Hylender, C. D., Niemantsverdriet, J., Novak, C.,
Ostertag, D., Porter, C., Rosen, M., Sartin, B., Tippett, P., & United States Secret
Service. (2010). 2010 data breach investigations report. Retrieved from
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-
report_en_xg.pdf
Kairab, S. (2005). A practical guide to security assessments (pp. 245–54). Boca Raton, FL:
CRC Press.
Pfleeger, C., & Pfleeger, S. (2007). Security in computing. Boston, MA: Prentice Hall.
Wilson, T. (2009). P2P leak exposes sensitive data on marine one. Security dark reading.
Retrieved from
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?
articleID=215600314
3/5/22, 12:33 PM Application and Data Security
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/application-and-data-security.html?ou=622270 6/7
Authentication Cheat Sheet
(https://leocontent.umgc.edu/content/dam/course-
content/tgs/cca/cca-
610/document/OWASP_org_AuthenticationCheatSheet_checked.p
df?ou=622270)
A Comprehensive View on CIA Triad
(https://leocontent.umgc.edu/content/dam/course-
content/tgs/cca/cca-
610/document/AComprehensiveViewonCIATriad_checked.pdf?
ou=622270)
Data Security and Privacy in Cloud Computing
(https://leocontent.umgc.edu/content/dam/course-
content/tgs/cca/cca-
610/document/DataSecurityandPrivacyinCloudComputing(1)_chec
ked.pdf?ou=622270)
Biometric Authentication in Cloud Computing
(https://leocontent.umgc.edu/content/dam/course-
content/tgs/cca/cca-
610/document/BiometricAuthenticationinCloudComputing_checke
d.pdf?ou=622270)
Basic Principle of Information Security
(https://leocontent.umgc.edu/content/dam/course-
content/tgs/cca/cca-
610/document/BasicPrincipleofInformationSecurity_checked.pdf?
ou=622270)
Confidentiality, Integrity, Availability: The Three Components of the
CIA Triad
(https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-
cca610/learning-resource-list/confidentiality--integrity--
availability--the-three-components-o.html?ou=622270)
Multi-Factor Authentication
(https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-
cca610/learning-resource-list/multi-factor-authentication0.html?
ou=622270)
Resources
3/5/22, 12:33 PM Application and Data Security
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/application-and-data-security.html?ou=622270 7/7
Protecting Your System: User Access Security
(https://leocontent.umgc.edu/content/dam/course-
content/tgs/cca/cca-610/document/Authentication_checked.pdf?
ou=622270)
NCMCO Instructor Series: CIA Triad
(https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-
cca610/learning-resource-list/ncmco-instructor-series--cia-
triad.html?ou=622270)
Non-Repudiation
(https://leocontent.umgc.edu/content/dam/course-
content/tgs/cca/cca-610/document/Nonrepudiation_checked.pdf?
ou=622270)
© 2022 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity
of information located at external sites.
