
2/11/2021 Information Security
https://leocontent.umgc.edu/content/umuc/tgs/cca/cca610/2211/learning-topic-list/information-security.html?ou=541322

Information Security

Security safeguards in the enterprise protect telecommunications channels, minimize successful hacker attacks, and create infrastructures to enhance enterprise-level security. More specifically, the safeguards protect information during transit, storage, or processing (traditional IT) by keeping the information private, unaltered, and accessible for authorized users.

The information security services of confidentiality (privacy), integrity (lack of alteration), and availability (accessibility) ensure that information is secure at the customer's level of expectation for telecommunications, information systems, or supporting infrastructure.

Figure: Information Security Triad

Communications Security


Any business should ensure that sensitive and proprietary data remain private. From evaluating the results of a risk assessment to applying the risk management framework, specific communications security controls are identified and implemented to reduce the network risk to a reasonable and acceptable level.

Communications security protects wired (cable) and wireless (radio) channels in a variety of telecommunications environments, information types, and data formats. Much of the information traversing the telecommunications landscape is supported by the packet-based internet protocol (IP) data network, but other data formats and transport mechanisms exist. Mobile cellular networks, wireless local networks, and traditional landline networks are separate telecommunications infrastructures that use various standards and formats at the lower end of the OSI reference model to group, organize, and transport IP data to various end-user devices. Formats and standards at the higher end of the OSI model ensure that data is prepared for network applications and the end user. The common use of the IP packet in the network layer allows standard techniques for securing sensitive, private information across multiple platforms, systems, and infrastructures.

The confidentiality of IP communications is usually provided through a process of encryption that makes the data unreadable. This scrambling of data occurs in wireless LAN transmissions, secure internet connections, e-commerce, some private email transmissions, and other areas where privacy is extremely important. If you want to keep data from snooping eyes, you encrypt it.

For example, in a telecommunications and networking environment, a company's personnel file or payroll data could be transported through multiple networks (e.g., from the payroll processor's network through the internet to Company B's network), so the information is virtually and physically out of the originator's control. A skilled hacker could capture the data at multiple points of transit and read the contents without the sender or receiver having knowledge of the interception. Therefore, to make it more difficult for would-be hackers, network encryption scrambles the data so only the sender and intended recipients can easily read the information.
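The payroll-in-transit scenario above, worked as an added example that is not part of the original page: a record is sealed with AES-256-GCM (the key, the record and the "payroll->companyB" label are constructed inputs) so an interceptor on any of the transit networks captures only unreadable bytes, and any alteration of the record in transit is rejected by the receiver, which covers both the confidentiality and the integrity services named earlier.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) { // AES-GCM from a 16-, 24- or 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record as nonce || ciphertext || tag. The associated data (e.g. a
// sender/receiver label) is authenticated but not encrypted, so it cannot be swapped either.
func Seal(key, plaintext, associated []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh random nonce per message; a nonce must never be reused under one key
	return aead.Seal(nonce, nonce, plaintext, associated), nil
}

// Open checks the tag before releasing plaintext: a blob altered in transit yields an error.
func Open(key, blob, associated []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], associated)
}

func main() {
	key := make([]byte, 32) // constructed key; in practice it comes from a key exchange or KMS
	rand.Read(key)
	record := []byte("emp=1042;name=A. Smith;salary=84000") // constructed payroll record
	blob, _ := Seal(key, record, []byte("payroll->companyB"))
	blob[len(blob)-1] ^= 0x01 // simulate tampering on one of the transit networks
	_, err := Open(key, blob, []byte("payroll->companyB"))
	fmt.Println("tampered blob rejected:", err != nil)
}
```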

Systems Security

While communications security supports data in transit, there are equally important features and security controls for servers and end-user computing devices. Since these devices are the access points for the network, they are also important to the security of the network.


Information systems in a networked environment require a variety of security features to ensure that an authorized user has appropriate access to the set of protected data required for the user to perform a task. These security controls are growing in importance as more consumers access the internet from a growing array of devices such as smartphones, tablets, gaming platforms, and nontraditional devices (e.g., kitchen appliances). As with communications security, encryption is also important for stored, sensitive data, especially as laptops and other mobile devices contain a growing amount of personal privileged information and business secrets that criminals may acquire and transmit to other users in support of a broader attack. Limiting access to servers and end-user devices through authentication services (e.g., username/password) helps preserve overall system security and the integration of communications security.

For instance, botnets are groups of compromised systems that a hacker can use not only to commit crimes but also to limit the availability of target systems through distributed denial of service (DDoS) attacks. System authentication can be provided through multiple mechanisms, such as passwords or biometrics, combining multifactor variables drawn from:

- something the user uniquely knows
- something the user uniquely has
- something the user inherently and uniquely is
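The "something the user uniquely has" factor, worked as an added example that is not part of the original page: a time-based one-time password (RFC 6238 TOTP built on RFC 4226 HOTP) that a hardware token or phone app derives from a shared secret, with the server-side check accepting one 30-second step of clock drift in either direction. The secret shown is the RFC test vector, used here as a constructed input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const step = 30 // seconds per code, as in RFC 6238

// hotp computes the RFC 4226 six-digit HMAC-SHA1 code for a counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation: low nibble of the last byte picks the offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP returns the code the user's token shows at a given Unix time.
func TOTP(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix)/step)
}

// Verify accepts the code for the current 30-second step or one step either side (clock
// drift), and compares in constant time so the check does not leak how many digits matched.
func Verify(secret []byte, code string, unix int64) bool {
	ok := false
	for d := int64(-1); d <= 1; d++ {
		if unix+d*step < 0 {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, uint64(unix+d*step)/step)), []byte(code)) {
			ok = true // keep looping so timing does not reveal which window matched
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret; real secrets are random per user
	now := time.Now().Unix()
	code := TOTP(secret, now)
	fmt.Println("code:", code, "accepted:", Verify(secret, code, now))
}
```

A server would also have to record each accepted code so the same value cannot be replayed within its window.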

Ensuring high information system availability has distinct security concerns that are difficult to achieve for system or communications security components when they are handled independently. The integration of communications security, information systems, and underlying infrastructure is critical to the success or failure of cybersecurity initiatives. The importance of business needs, risk assessment, and security controls culminates in the integration of infrastructure services.

Infrastructure Security

Infrastructure is often taken for granted; we don't think about it until it's not working. A clogged pipe or a frayed electrical wire in your home may not be seen, but you will find out about it when water backs up in the sink or a lamp doesn't work.

For consumers, infrastructure just works, but there is a lot of activity behind the scenes that keeps that infrastructure working safely and securely. The telecommunications security infrastructure for a business can comprise corporate firewalls, intrusion protection services (IPS), public key infrastructures (PKI), antivirus software, etc. These items are designed to identify and negate malicious network traffic. Through the use of common infrastructure services, a large business can define a stronger and more centralized security posture. From this perspective, potential risks and threats can be easily categorized, current status can be more easily monitored, and security incidents can receive a more holistic response instead of a fragmented one.

As a provider (or consumer) of infrastructure services, the following questions are worth consideration:

- Which information systems compose the enterprise infrastructure? Have protections been applied to protect all information systems and the network infrastructure?
- What level of compliance, audit, or regulatory concern is required for the business, operating environment, or location?
- What are the roles and responsibilities of people accessing restricted data (e.g., payroll, human resources, trade secrets)?
- How are the systems, network, and infrastructure monitored and managed?
- Are there defined rules for configuration and change management of any network-enabled devices?

Internal IT Infrastructure

A company's internal IT infrastructure requires significant resources for development, implementation, operation, management, and maintenance throughout its life cycle. Many large companies have their own staff, equipment, networks, backup facilities, etc., to support business operations via highly reliable and secure network infrastructure services. However, some companies are selecting another solution to the business problem of infrastructure services by choosing cloud services. (Note: Companies still need to perform a risk assessment and possess a risk management plan for services outside their immediate control.)

Cloud services can be described as one of several ways to subscribe to an IT service and pay only for what is required. For instance, people regularly subscribe to specific content via really simple syndication (RSS) feeds or through a publisher's range of magazines; it is the consumer's choice, not the publisher's, what the customer receives. Similarly, the flexibility and low cost of cloud services are very appealing to a wide range of companies. Categories of cloud services such as software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) are clearly poised to provide economic benefits, quality of service, and security features to companies of various sizes.


Companies with sensitive data are still faced with a difficult choice of whether to maintain their current internal infrastructures or use some cloud services. There are still regulatory and compliance concerns for international data, especially when there are restrictions on physical storage locations. There are also internal security concerns associated with the accidental mixing of data or potential leakage of corporate secrets. There could be legal liability issues, too, if the leakage of data causes harm to consumers, as in the case of credit card numbers being exposed. A thorough analysis of business needs and requirements should be conducted prior to using the public cloud, and multiple elements must be accounted for in the final analysis and choice.


© 2021 University of Maryland Global Campus
