Information Security via 1

Running Head: Information Security via Technology

TUI UNIVERSITY

Module 5 – Case

Information Security Overview for Managers and Policy Makers

 Information Security via 2

Introduction

In today’s information age, information is one of organizations’ most valuable assets,

hence its security is of paramount importance. Information security may be defined as protecting

information from unauthorized access, use, disclosure, disruption, modification or destruction.

Attaining such goals require human intervention along with the application of information

effective information security technology such as cryptography. Cryptography is now the

soundest aspect of information security, and modern security systems are rarely penetrated by

confronting the cryptography directly (Diffie, 2008).

This paper begins with an overview of public key cryptography, followed by a discussion

on the pros and cons of solving information security via technology and concludes with a

discussion on the trend of information security.

Public-Key Cryptography: Cryptography is the science of using mathematics to encrypt

and decrypt data (Network Association Inc, 1999). Cryptography enables the storage and

transmittion of sensitive information on insecure media or cross insecure networks (like the

Internet) so that it cannot be read by anyone except the intended recipient. A cryptographic

algorithm, or cipher, which works in combination with a key (a word, number, or phrase — to

encrypt the plaintext), is a mathematical function used in the encryption and decryption process

(Network Association Inc, 1999). The security of encrypted data is depedent on the strength of

the chiper and the security of the key.

The problems of key distribution are solved by public key cryptography, the concept of

which was introduced by Whitfield Diffie and Martin Hellman in 1975 (Network Association

Inc). For this reason, it is sometime called Diffie-Hellman encryption. Public key cryptography is an

asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data,
 Information Security via 3

and a corresponding private, or secret key for decryption. This idea is opposite to symmetric

encryption, which uses a single key for both encryption and decryption. With public key cryptography

anyone with the possession of a public key may encrypt the data but only the person with the possession

of the corresponding secret key can decrypt the data. This therefore means that one can publish his/her

public key to the world so that he/she may receive encrypted information from anyone, since he/she will

be the only one able to decrypt it.

A very obvious advantage of public key cryptography is that the data remains secure even if the

medium on which the data is stored or the network on which the data is transmitted is in secure. In other

words, even if the data falls into the wrong hands, without knowledge of the secret key such data is

useless. Another advantage of public key cryptography is that it not only provides security but it also

provides authentication. In an age where decisions and agreements are communicated electronically the

need to provide authentication is necessary. Digital signature is a cryptography means through which

authentication may be achieved. On the other hand the main disadvantage of using public-key

systems is that they are not as fast as symmetric algorithms. Private key compromise are often

worse than symmetric key, as it is used to protect every communication. Long keys don’t make

up for an insecure system because total security is weaker than the weakest component in the

system (Ellison and Schneier, 2000). Storing one private key on an insecure computer is

certainly not the best idea.

The pros and cons in solving security via technology: In the 1950s computer security

would have been very difficult to distinguish from the security of the computer itself.

Computer rooms were guarded, operators and users were vetted, and card decks and

printouts were locked in safes—all physical or administrative measures (Diffie, 2008). How did

we reach were we are today? Curiously, computer security in the late 20th century was rescued

by another great development of computer science—networking—particularly client-server

 Information Security via 4

computing. Networking increased the need for technology as a means of information security. In

the past it was much easer to secure information on a standalone desktop computer, however, in

today’s interconnected computer world information security technology is playing a vital role.

For this reason information security technologies such as cryptography, firewalls, virtual private

networks, antimalware programs, security patches, biometrics authentication technology,

employee monitoring software, intrusion detection software and the list continues, are becoming

very popular today. Using these and other information security technologies do have their pros

and their cons.

One of the most obvious advantages of using technology to achieve security is the fact

that the attackers are also applying technology to carryout their acts. For example, when an

attacker launches a virus, only through the means of technologies such as antivirus software and

firewalls can be used to combat such attacks. In other words we have to use technology to fight

against technology. Also some security measures are just not possible without the use of

technology. Cryptography for example would be almost impossible without a cryptography

software. Technology also creates speed, efficiency and accuracy, once they are programmed

correctly and applied appropriately.

On the other hand, there are also some disadvantages in using technology to achieve

security. Technology relies on users in its application and this can have several disadvantages: 1)

If the technology is incorrectly installed or programmed it may create a false sense of security

allowing individuals and organizations to believe they are secured when in fact they are not; 2)

Users often believes that because a security technology is in place they can disregard security

procedures. For example and individual by believe he can download executable files from any

website because an antivirus software is installed. Another disadvantage of using technology is

 Information Security via 5

the fact the individuals and organizations must rely on the manufactures for patches and updated

versions of the technology, some of witch come with an additional cost. Although some security

technologies are affordable obtaining the very best security technology come with a very high

price tag. Such cost can be seen not only in the initial purchases but also in the upgrading and

maintenance as well as the human resource that is needed to install, monitor and maintain such

technologies.

The trend of information security: The increasing information security threshes has

cause information security experts to improve old technologies and developed new one in order

to safeguard against such threats, creating a trend in information security. The following are

some recent trends in information security.

In is surprising to know that organizations and individuals are now investing is open

sources software as a means of security as opposed to closed source. This means that the users of

open source operating systems such as Linux will be on the rise.

Endpoint security is simply evolving as a function of the changing threat landscape

(Oltsik, 2008). Therefore, traditional antivirus, anti-spyware, and firewall software will merge

with endpoint operations, data loss prevention, and full-disk encryption in 2010.

Encryption technologies are more often becoming "baked in" rather than "bolted on"

(Oltsik, 2008). Tape drives now contain cryptographic processors as do hard drives from Fujitsu,

Hitachi, and Seagate. In the near future there will be multiple layers of encryption technologies

running on top of each other.

As server and desktop virtualization continues to proliferate, we will need better security

tools for things like role-based access control, virtual server identity management, virtual

network security, and reporting/auditing (Oltsik, 2008).

 Information Security via 6

Many organizations simply don't have the capital budget dollars or security skills to take

on the increasingly sophisticated bad guys themselves (Oltsik, 2008). Consequently, there will be

the need for security in the “cloud.” Therefore companies like Blue Coat, Cisco, and Trend

Micro will supplement on-site security equipment with scalable reputation and update services

“in the cloud”.

Conclusion

Cryptography not only provides security but it can also be used as a means of

authentication. In the 1950s computer security would have been very difficult to distinguish from

the security of the computer itself, however, the advent of connected computing has change such

views. For this reason technology has become a vital part of the information security process.

Some recent trends in information security are: achieving security via open source, an increase in

the use of encryption technology, endpoint security is evolving, virtualization security and

security “in the cloud.”

Reference

Ellison, C., Schneier, B. (2000). Ten risks of PKI: what you're not being told about Public Key

Infrastructure. Computer Security Journal, v 16, n 1, pp. 1-7. Retrieved March 14, 2010

from http://www.schneier.com/paper-pki.pdf.

Diffie, Whitfield. (2008). Information Security: 50 Years Behind, 50 Years Ahead.

Communications of the ACM, Vol. 51 Issue 1, p55-57. Retrieved March 12, 2010 from

TUI library.

Network Association Inc. (1999). How PGP works. Retrieved March 12, 2010 from
 Information Security via 7

http://www.pgpi.org/doc/pgpintro/#p9

Oltsik, J. (2008). Looking ahead at security trends for 2009. Retrieved March 16, 2010

fromhttp://news.cnet.com/8301-1009_3-10128133-83.html