loud computing

Posted by: Margaret Rouse

WhatIs.com
  

Contributor(s): Stephen J. Bigelow







Cloud computing is a general term for anything that involves delivering hosted
services over the Internet. These services are broadly divided into three
categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS)
and Software-as-a-Service (SaaS). The name cloud computing was inspired
by the cloud symbol that's often used to represent the Internet in flowcharts
and diagrams.

DOWNLOAD THIS FREE GUIDE

Download Now: Speech-to-Text Services: AWS vs.

Microsoft vs. Google
 In this guide, gain expert advice from IT expert
Jon Arnold on building a business case for
speech technology, and receive an overview of
what Amazon, Microsoft and Google bring to the
table.
 Corporate E-mail Address:

o I agree to TechTarget’s Terms of Use, Privacy Policy, and the
transfer of my information to the United States for processing to provide me
with relevant information as described in our Privacy Policy.

o I agree to my information being processed by TechTarget and
its Partners to contact me via phone, email, or other means regarding
information relevant to my professional interests. I may unsubscribe at any
time.
Dow nload Now


A cloud service has three distinct characteristics that differentiate it from

traditional web hosting. It is sold on demand, typically by the minute or the
hour; it is elastic -- a user can have as much or as little of a service as they
want at any given time; and the service is fully managed by the provider (the
consumer needs nothing but a personal computer and Internet access).
Significant innovations in virtualization and distributed computing, as well as
improved access to high-speed Internet, have accelerated interest in cloud
computing.

A cloud can be private or public. A public cloud sells services to anyone on

the Internet. (Currently, Amazon Web Services is the largest public cloud
provider.) A private cloud is a proprietary network or a data center that
supplies hosted services to a limited number of people. Private or public, the
goal of cloud computing is to provide easy, scalable access to computing
resources and IT services.

Cloud computing deployment models

Private cloud services are delivered from a business's data center to internal

users. This model offers the versatility and convenience of the cloud, while
preserving the management, control and security common to local data
centers. Internal users may or may not be billed for services through IT
chargeback. Common private cloud technologies and vendors include VMware
and OpenStack.

In the public cloud model, a third-party cloud service provider delivers the cloud

service over the internet. Public cloud services are sold on demand, typically
by the minute or hour, though long-term commitments are available for many
services. Customers only pay for the CPU cycles, storage or bandwidth they
consume. Leading public cloud service providers include Amazon Web
Services (AWS), Microsoft Azure, IBM and Google Cloud Platform.

A hybrid cloud is a combination of public cloud services and an on-premises

private cloud, with orchestration and automation between the two. Companies
can run mission-critical workloads or sensitive applications on the private
cloud and use the public cloud to handle workload bursts or spikes in
demand.The goal of a hybrid cloud is to create a unified, automated, scalable
environment that takes advantage of all that a public cloud infrastructure can
provide, while still maintaining control over mission-critical data.
 Main cloud
deployment models

In addition, organizations are increasingly embracing a multicloud model, or the

use of multiple infrastructure-as-a-service providers. This enables applications
to migrate between different cloud providers or to even operate concurrently
across two or more cloud providers. Organizations adopt multicloud for various
reasons. For example, they could do so to minimize the risk of a cloud service
outage or to take advantage of more competitive pricing from a particular
provider. Multicloud implementation and application development can be a
challenge because of the differences between cloud providers' services and
application program interfaces (APIs). Multicloud deployments should become
easier, however, as providers' services and APIs converge and become more
homogeneous through industry initiatives such as the Open Cloud Computing
Interface.

Cloud computing characteristics and benefits

Cloud computing boasts several attractive benefits for businesses and end
users. Five of the main benefits of cloud computing are:
 Self-service provisioning : End users can spin up compute resources for
almost any type of workload on demand. This eliminates the traditional need
for IT administrators to provision and manage compute resources.

 Elasticity: Companies can scale up as computing needs increase and

scale down again as demands decrease. This eliminates the need for
massive investments in local infrastructure, which may or may not remain
active.

 Pay per use: Compute resources are measured at a granular level,

enabling users to pay only for the resources and workloads they use.

 Workload resilience: Cloud service providers often implement

redundant resources to ensure resilient storage and to keep users'
important workloads running -- often across multiple global regions.

 Migration flexibility: Organizations can move certain workloads to or

from the cloud -- or to different cloud platforms -- as desired or
automatically for better cost savings or to use new services as they
emerge.
Types of cloud computing services

Although cloud computing has changed over time, it has been divided into
three broad service categories: infrastructure as a service (IaaS), platform as a
service (PaaS) and software as a service (SaaS).
 Cloud service
categories

IaaS providers, such as AWS, supply a virtual server instance and storage, as

well as APIs that enable users to migrate workloads to a VM. Users have an
allocated storage capacity and can start, stop, access and configure the VM
and storage as desired. IaaS providers offer small, medium, large, extra-large
and memory- or compute-optimized instances, in addition to customized
instances, for various workload needs.

In the PaaS model, cloud providers host development tools on their

infrastructures. Users access these tools over the internet using APIs,
web portals or gateway software. PaaS is used for general software
development, and many PaaS providers host the software after it's developed.
Common PaaS providers include Salesforce's Force.com, AWS Elastic
Beanstalk and Google App Engine.

SaaS is a distribution model that delivers software applications over the

internet; these applications are often called web services. Users can access
SaaS applications and services from any location using a computer or mobile
device that has internet access. One common example of a SaaS application
is Microsoft Office 365 for productivity and email services.
Emerging cloud technologies and services

Cloud providers are competitive, and they constantly expand their services to
differentiate themselves. This has led public IaaS providers to offer far more
than common compute and storage instances.

For example, serverless, or event-driven computing is a cloud service that

executes specific functions, such as image processing and database updates.
Traditional cloud deployments require users to establish a compute instance
and load code into that instance. Then, the user decides how long to run --
and pay for -- that instance.

With serverless computing, developers simply create code, and the cloud
provider loads and executes that code in response to real-world events, so
users don't have to worry about the server or instance aspect of the cloud
deployment. Users only pay for the number of transactions that the function
executes. AWS Lambda, Google Cloud Functions and Azure Functions are
examples of serverless computing services.

Public cloud computing also lends itself well to big data processing, which
demands enormous compute resources for relatively short durations. Cloud
providers have responded with big data services, including Google BigQuery for
large-scale data warehousing and Microsoft Azure Data Lake Analytics for
processing huge data sets.

Another crop of emerging cloud technologies and services relates to artificial

intelligence (AI) and machine learning. These technologies build machine
understanding, enable systems to mimic human understanding and respond
to changes in data to benefit the business. Amazon Machine Learning, Amazon
Lex, Amazon Polly, Google Cloud Machine Learning Engine and Google Cloud
Speech API are examples of these services.

Cloud computing security

 Security remains a primary concern for businesses contemplating cloud
adoption -- especially public cloud adoption. Public cloud service providers
share their underlying hardware infrastructure between numerous customers,
as public cloud is a multi-tenant environment. This environment demands
copious isolation between logical compute resources. At the same time,
access to public cloud storage and compute resources is guarded by account
login credentials.


Margaret Rouse asks:

What are the biggest benefits and

challenges your organization has
faced when using cloud computing
services?
Join the Discussion

Many organizations bound by complex regulatory obligations

and governance standards are still hesitant to place data or workloads in the
public cloud for fear of outages, loss or theft. However, this resistance is
fading, as logical isolation has proven reliable, and the addition of
data encryption and various identity and access management tools has improved
security within the public cloud.
  N et work ing & Co mmun icat ions So ftw ar e /

What Is Cloud Computing?

The 'cloud' is a real buzzword, but what is it, how does it impact what you do,
and is it anything really new?

 ByEric Griffith
 May 3, 2016 12:01AM EST  Facebook

 Twitter

 Lin kedin

 Pin terest

 Reddit

 Flipboard

 Email

 Copy

What is the cloud? Where is the cloud? Are we in the cloud now? These are
all questions you've probably heard or even asked yourself. The term "cloud
computing" is everywhere.

In the simplest terms, cloud computing means storing and accessing data and
programs over the Internet instead of your computer's hard drive. The cloud is
just a metaphor for the Internet. It goes back to the days of flowcharts and
presentations that would represent the gigantic server-farm infrastructure of
the Internet as nothing but a puffy, white cumulus cloud , accepting
connections and doling out information as it floats.
What cloud computing is not about is your hard drive. When you store data on
or run programs from the hard drive, that's called local storage and
computing. Everything you need is physically close to you, which means
accessing your data is fast and easy, for that one computer, or others on the
local network. Working off your hard drive is how the computer industry
functioned for decades; some would argue it's still superior to cloud
computing, for reasons I'll explain shortly.

The cloud is also not about having a dedicated  network attached storage
(NAS) hardware  or server in residence. Storing data on a home or office
network does not count as utilizing the cloud. (However, some NAS will let
you remotely access things over the Internet, and there's  at least one brand
from Western Digital named "My Cloud,"  just to keep things confusing.)

For it to be considered "cloud computing," you need to access your data or

your programs over the Internet, or at the very least, have that data synced
with other information over the Web. In a big business, you may know all
there is to know about what's on the other side of the connection; as an
individual user, you may never have any idea what kind of massive data
processing is happening on the other end. The end result is the same: with an
online connection, cloud computing can be done anywhere, anytime.

Consumer vs. Business

Let's be clear here. We're talking about cloud computing as it impacts

individual consumers—those of us who sit back at home or in small-to-
medium offices and use the Internet on a regular basis.
There is an entirely different "cloud" when it comes to business. Some
businesses choose to implement Software-as-a-Service  (SaaS), where the
business subscribes to an application it accesses over the Internet.
(Think Salesforce.com .) There's also Platform-as-a-Service (PaaS), where a
business can create its own custom applications for use by all in the
company. And don't forget the mighty Infrastructure-as-a-Service  (IaaS),
where players like Amazon, Microsoft, Google, and Rackspace provide a
backbone that can be "rented out" by other companies. (For example, Netflix
provides services to you because it's a customer of the cloud services
at Amazon .)

Of course, cloud computing is big business: The market generated $100

billion a year in 2012, which could be $127 billion by 2017  and $500 billion by
2020 .

Common Cloud Examples

The lines between local computing and cloud computing sometimes get very,
very blurry. That's because the cloud is part of almost everything on our
computers these days. You can easily have a local piece of software (for
instance, Microsoft Office 365 ) that utilizes a form of cloud computing for
storage (Microsoft OneDrive ).

That said, Microsoft also offers a set of Web-based apps,  Office Online , that
are Internet-only versions of Word, Excel, PowerPoint, and OneNote
accessed via your Web browser without installing anything. That makes them
a version of cloud computing (Web-based=cloud).
Some other major examples of cloud computing you're probably using:

Google Drive : This is a pure cloud computing service, with all the storage
found online so it can work with the cloud apps: Google Docs, Google Sheets,
and Google Slides. Drive is also available on more than just desktop
computers; you can use it on tablets like the iPad  or on smartphones, and
there are separate apps for Docs and Sheets, as well. In fact, most of
Google's services could be considered cloud computing: Gmail, Google
Calendar, Google Maps, and so on.

Apple iCloud : Apple's cloud service is primarily used for online storage,
backup, and synchronization of your mail, contacts, calendar, and more. All
the data you need is available to you on your iOS, Mac OS, or Windows
device (Windows users have to install  the iCloud control panel). Naturally,
Apple won't be outdone by rivals: it offers cloud-based versions of its word
processor (Pages), spreadsheet (Numbers), and presentations (Keynote) for
use by any iCloud subscriber. iCloud is also the place iPhone users go to
utilize the Find My iPhone feature that's all important when the handset goes
missing.

Amazon Cloud Drive : Storage at the big retailer is mainly for music,
preferably MP3s that you purchase from Amazon, and images—if you have
Amazon Prime, you get unlimited image storage. Amazon Cloud Drive also
holds anything you buy for the Kindle. It's essentially storage for anything
digital you'd buy from Amazon, baked into all its products and services.
Hybrid services like Box , Dropbox , and SugarSync  all say they work in the
cloud because they store a synced version of your files online, but they also
sync those files with local storage. Synchronization is a cornerstone of the
cloud computing experience, even if you do access the file locally.

Likewise, it's considered cloud computing if you have a community of people

with separate devices that need the same data synced, be it for work
collaboration projects or just to keep the family in sync . For more, check out
the The Best Cloud Storage and File-Syncing Services for 2016 .

Cloud Hardware

Right now, the primary example of a device that is completely cloud-centric is

the Chromebook . These are laptops that have just enough local storage and
power to run the Chrome OS, which essentially turns the  Google Chrome  Web
browser into an operating system. With a Chromebook, most everything you
do is online: apps, media, and storage are all in the cloud.

Or you can try a  ChromeBit , a smaller-than-a-candy-bar drive that turns any

display with an HDMI port into a usable computer running Chrome OS.

Of course, you may be wondering what happens if you're somewhere without

a connection and you need to access your data. This is currently one of the
biggest complaints about Chrome OS, although its offline functionality (that is,
non-cloud abilities) are expanding.
 The Chromebook isn't the first
product to try this approach. So-called "dumb terminals" that lack local
storage and connect to a local server or mainframe go back decades. The
first Internet-only product attempts included the old  NIC (New Internet
Computer) , the Netpliance iOpener , and the disastrous 3Com Ergo
Audrey  (pictured). You could argue they all debuted well before their time—
dial-up speeds of the 1990s had training wheels compared to the accelerated
broadband Internet connections of today. That's why many would argue that
cloud computing works at all: the connection to the Internet is as fast as the
connection to the hard drive. (At least it is for some of us.)  

Arguments Against the Cloud

In a 2013 edition of his feature What if?, xkcd-cartoonist (and former NASA
roboticist) Randall Monroe tried to answer the question of "When—if ever—
will the bandwidth of the Internet surpass that of FedEx?" The question was
posed because no matter how great your broadband connection, it's still
cheaper to send a package of hundreds of gigabytes of data via Fedex's
"sneakernet" of planes and trucks than it is to try and send it over the
Internet. (The answer, Monroe concluded, is the year 2040.)

Cory Doctorow over at boingboing took Monroe's answer as "an implicit

critique of cloud computing." To him, the speed and cost of local storage
easily outstrips using a wide-area network connection controlled by a telecom
company (your ISP).
That's the rub. The ISPs, telcos, and media companies control your access.
Putting all your faith in the cloud means you're also putting all your faith in
continued, unfettered access. You might get this level of access, but it'll cost
you. And it will continue to cost more and more as companies find ways to
make you pay by doing things like metering your service: the more bandwidth
you use, the more it costs.

Maybe you trust those corporations. That's

fine, but there are plenty of other arguments against going into the cloud
whole hog. Apple co-founder Steve Wozniak decried cloud computing  in 2012,
saying: "I think it's going to be horrendous. I think there are going to be a lot
of horrible problems in the next five years."

In part, that comes from the potential for crashes. When there are problems at
a company like Amazon, which provides cloud storage services to big name
companies like Netflix and Pinterest, it can take out all those services ( as
happened in the summer of 2012 ). In 2014, outages afflicted Dropbox, Gmail,
Basecamp, Adobe, Evernote, iCloud, and Microsoft; in 2015 the outtages hit
Apple, Verizon, Microsoft, AOL, Level 3, and Google. Microsoft had another
this year. The problems typically last for just hours.

Wozniak was concerned more about the intellectual property issues. Who
owns the data you store online? Is it you or the company storing it? Consider
how many times there's been widespread controversy over the changing
terms of service for companies like Facebook and  Instagram —which are
definitely cloud services—regarding what they get to do with your photos.
There's also a difference between data you upload, and data you create in the
cloud itself—a provider could have a strong claim on the latter. Ownership is
a relevant factor to be concerned about.

After all, there's no central body governing use of the cloud for storage and
services. The Institute of Electrical and Electronics Engineers (IEEE) is trying.
It created an IEEE Cloud Computing Initiative  in 2011 to establish standards
for use, especially for the business sector. The  Supreme Court ruling against
Aereo  could have told us a lot about copyright of files in the cloud... but the
court side-stepped the issue to keep cloud computing status quo.

Cloud computing—like so much about the Internet—is a little bit like the Wild
West, where the rules are made up as you go, and you hope for the best.

For more, check out our roundups of the  Business Choice Awards for Cloud
Computing Services   and the  Cloud Storage area of the PCMag Business
Software Index .
INFORMATION SECURITY

What is Information Security?

Information Security is not all about securing information from unauthorized access.
Information Security is basically the practice of preventing unauthorized access, use,
disclosure, disruption, modification, inspection, recording or destruction of information.
Information can be physical or electrical one. Information can be anything like Your
details or we can say your profile on social media, your data in mobile phone, your
biometrics etc. Thus Information Security spans so many research areas like
Cryptography, Mobile Computing, Cyber Forensics, Online Social Media etc.
During First World War, Multi-tier Classification System was developed keeping in mind
sensitivity of information. With the beginning of Second World War formal alignment of
Classification System was done. Alan Turing was the one who successfully decrypted
Enigma Machine which was used by Germans to encrypt warfare data.
Information Security programs are build around 3 objectives, commonly known as CIA –
Confidentiality, Integrity, Availability.
1. Confidentiality – means information is not disclosed to unauthorized individuals,
entities and process. For example if we say I have a password for my Gmail
account but someone saw while I was doing a login into Gmail account. In that
case my password has been compromised and Confidentiality has been breached.
2. Integrity – means maintaining accuracy and completeness of data. This means
data cannot be edited in an unauthorized way. For example if an employee leaves
an organisation then in that case data for that employee in all departments like
accounts, should be updated to reflect status to JOB LEFT so that data is complete
and accurate and in addition to this only authorized person should be allowed to
edit employee data.
3. Availability – means information must be available when needed. For example if
one needs to access information of a particular employee to check whether
employee has outstanded the number of leaves, in that case it requires
collaboration from different organizational teams like network operations,
development operations, incident response and policy/change management.
Denial of service attack is one of the factor that can hamper the availability of
information.
Apart from this there is one more principle that governs information security programs.
This is Non repudiation.
 Non repudiation – means one party cannot deny receiving a message or a
transaction nor can the other party deny sending a message or a transaction. For
example in cryptography it is sufficient to show that message matches the digital
signature signed with sender’s private key and that sender could have a sent a
message and nobody else could have altered it in transit. Data Integrity and
Authenticity are pre-requisites for Non repudiation.
  Authenticity – means verifying that users are who they say they are and that
each input arriving at destination is from a trusted source.This principle if followed
guarantees the valid and genuine message received from a trusted source through
a valid transmission. For example if take above example sender sends the
message along with digital signature which was generated using the hash value of
message and private key. Now at the receiver side this digital signature is
decrypted using the public key generating a hash value and message is again
hashed to generate the hash value. If the 2 value matches then it is known as valid
transmission with the authentic or we say genuine message received at the
recepient side
 Accountability – means that it should be possible to trace actions of an entity
uniquely to that entity. For example as we discussed in Integrity section Not every
employee should be allowed to do changes in other employees data. For this there
is a separate department in an organization that is responsible for making such
changes and when they receive request for a change then that letter must be
signed by higher authority for example Director of college and person that is
allotted that change will be able to do change after verifying his bio metrics, thus
timestamp with the user(doing changes) details get recorded. Thus we can say if a
change goes like this then it will be possible to trace the actions uniquely to an
entity.
At the core of Information Security is Information Assurance, which means the act of
maintaining CIA of information, ensuring that information is not compromised in any way
when critical issues arise. These issues are not limited to natural disasters,
computer/server malfunctions etc.
Thus, the field of information security has grown and evolved significantly in recent
years. It offers many areas for specialization, including securing networks and allied
infrastructure, securing applications and databases, security testing, information
systems auditing, business continuity planning etc.

Definition - What does Information Security (IS) mean?

Information security (IS) is designed to protect the confidentiality, integrity and
availability of computer system data from those with malicious intentions.
Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of
information security. This triad has evolved into what is commonly termed the Parkerian
hexad, which includes confidentiality, possession (or control), integrity, authenticity,
availability and utility.

Introduction
A principle which is a core requirement of information security for the safe utilization, flow, and
storage of information is the CIA triad. CIA stands for confidentiality, integrity, and availability and
these are the three main objectives of information security. For a deeper look into these objectives,
check out out our security training classes.
Below is an illustration of the CIA triad along with the four layers of information security. These four
layers represent the way systems communicate and how information flows among systems. Тhe
concept of layers illustrates that data communications and computer network protocols are
designated to function in a layered manner, transferring the data from one layer to the next.

 The Application Access Layer describes the notion that access to end-user applications have to be
constrained to business ought-to-know
 The Infrastructure Access Layer describes the notion that access to infrastructure components has
to be constrained to business ought-to-know. For instance, access to servers.
 The Physical Access Layer describes the notion that the physical access to any system, server,
computer, data center, or another physical object storing confidential information has to be
constrained to business ought-to-know.
 The Data In Motion Layer describes the notion that data ought to be secured while in motion.
 This little icon in the middle of the illustration shows the center of information security and the
reason for the emergence of the CIA principles; the icon represents information and represents the
need to protect sensitive information.
Confidentiality
The aim of confidentiality is to ensure that information is hidden from people unauthorized to access
it. The confidentiality principle dictates that information should solely be viewed by people with
appropriate and correct privileges. The science (and art) used to ensure data confidentiality is
cryptography, which involves encryption and decryption methods.

To continue, confidentiality can be easily breached so each employee in an organization or company

should be aware of his responsibilities in maintaining confidentiality of the information delegated to
him for the exercise of his duties. For instance, if an employee allows someone to take a glimpse of
his computer screen while he is, at that moment, displaying confidential information on the computer
screen may have already constituted a breach of confidentiality.

Furthermore, confidentiality and privacy are often used interchangeably.

Below, we discuss cryptography, effective manners of protecting confidentiality, and we have

included some tips on confidentiality agreements.

 Cryptography
Cryptography’s beginning can be traced thousands of years ago. However, the contemporary
cryptography differs substantially from the classic one, which used pen and paper for encryption and
which was far less complex. The establishment of the Enigma rotor machine and the subsequent
emergence of electronics and computing enabled the usage of much more elaborate schemes and
allowed confidentiality to be protected much more effectively.

Contemporary cryptography (with SSL protocol) is explained plainly in the following

link: http://resources.infosecinstitute.com/cryptography-101-with-ssl/.
Encryption is an accepted and effective way of protecting data in transit but is increasingly being
used for protecting data at rest as well. The Computer Security Institute published the results of a
survey in 2007, which showed that 71% of the businesses used encryption for various data in transit
while 53% used encryption for selections of data at rest. Furthermore, there are different techniques
for preserving confidentiality depending on whether the data is in motion, at rest or a physical object.
Naturally, access controls are also a necessity for maintaining confidentiality. Access controls can
consist of passwords, biometrics, or a mixture of both. As regards to physical data, its means of
protection are somewhat similar – access to the area where the information is kept may be granted
only with the proper badge or any different form of authorization, it can be physically locked in a safe
or a file cabinet, there could be access controls, cameras, security, etc.

Encryption consists of changing the data located in files into unreadable bits of characters unless a
key to decode the file is provided.

ETHICAL HACKING BOOT CAMP — EXAM PASS GUARANTEE

In manual encryption, the user utilizes software and initiates the encryption. In transparent
encryption, the encryption happens automatically without any intervention on the side of the user.

Symmetric encryption occurs by utilizing character substitution with a key that will be the only means
of decrypting the bits of information. Conversely, asymmetric encryption is used when there are two
keys, a public key, and a private key. Any person may encrypt the information with the public key but
it can only be decrypted by the holder of the private key.

 How to protect confidential information properly

1. Encryption
If you encrypt your data, it will be unreadable for any third-party which may get hold of it. You can
encrypt your hard drive using Microsoft’s BitLocker software if you are using the Ultimate or
Enterprise version of Windows 7 or Vista or Enterprise/Pro version of Windows 8. To do so, you only
have to enable BitLocker in Control Panel > System and Security > BitLocker Drive. Alternatively,
you can use TrueCrypt or DiskCryptor (free of charge). You can also encrypt any external and USB
drive.
2. Two-factor authentication
Requiring two-factor authentication increases the safety of the confidential data and decreases the
probability of data leakage. Two-factor authentication enables you to access the information only if
you have both a physical object (like a card) and an immaterial* one (like a security code). Thus,
two-factor authentication means that there must be a thing that you know* and a thing that you
possess in order to gain access.

*It is presumed that you know the code as most companies require you to memorize the security
code as if you keep it written down it may be stolen. To add, the security code or password should
be a mixture of lowercase and uppercase letters, numbers, and symbols and be at least 10
characters long, preferably 12 or more.

3. Encrypt your interactions

You would not want your communications being intercepted and confidential data in motion being
leaked to third parties. Firstly, you should configure your IM, and whenever it is possible – any
communication software, to use SSL or TSL. Secondly, you should disable logging of past
conversations and remove any logs that leak confidential information. Thirdly, you should encrypt
your internet traffic as it can be intercepted. When using an unsecured Wi-Fi network, encrypt it by
creating a secure tunnel to a trusted third-party server (VPN). So, do not send confidential
information without proper encryption.

4. Safeguard your keys

Remember that sometimes access to the keys equals access to the information. One should keep a
second set of keys in a safe place because the information can be lost or taken advantage of if he
cannot access it or if he cannot access it on time in case of loss or theft of the first set of keys.

5. Backup your information and make sure the

backup is safe and protected
The information should be accessible but encrypted and stored in a secure place.

Note that the average overall cost per business that reported a data breach in 2011 was 5.5 million
dollars. Thus, not only confidentiality has a central role in avoiding data breaches but it can also
save your company millions of dollars.

 Drafting a successful confidentiality agreement that would effectively protect confidential data.
Business contracts often have confidential information clause(s), which is (are) inserted to protect
information they deem proprietary and sensitive from disclosure to unauthorized third parties. These
clauses usually state what is deemed as confidential information and what is not deemed as such.
Typically, the confidentiality provisions that enumerate what the parties consider confidential are
highly variable depending on the parties’ type of business whereas there is, to some extent, a
common stand on what is defined as non-confidential information.
A standard clause extracted from a non-disclosure agreement of Microsoft goes like this:
“‘Confidential Information’ means nonpublic information that Microsoft designates as being confidential or
which, under the circumstances surrounding disclosure ought to be treated as confidential by Recipient”. It is
worth mentioning that it is much more desirable to enlist the types of information that are to be considered
confidential and, in this way, create a narrow and unambiguous clause. Mary Hanson, a California business
lawyer, asserts that “Trying to cover too much information by defining the confidential information as ‘all
business information’ may backfire. It is important to try to identify particular information, without giving out
valuable information.” Accordingly, the confidential information involved in the agreement must be defined to
the extent which makes it enforceable in court without any particular sensitive information being disclosed in
it.

The definition of confidential information can be narrowed down to (1) marked information, (2) written
information, (3) information disclosed during a particular period of time and (4) particular categories of
information.

However, a breach of confidentiality can occur even without a signed confidentiality provision or agreement.
In the US, employees or other parties to a business contract are required to keep confidential any secret
information disclosed to them by the other party and breaches of confidentiality may be sanctioned in courts.
The courts will ask the following questions, which if answered affirmatively will result into a reimbursement
of the injured party:

 Whether the information was confidential by its nature

 Whether the information was disclosed in circumstances which show that it was confidential

 Whether the party who received the information misuse it

It has to be noted that although the law implies a duty of confidentiality – its scope, nature, and obligations are
indeterminate and subject to judicial determination.

Statistics and discussion as regards to data breaches (failures to attain the objectives of information security
and complying with the CIA principles).
Frequent manners of leakage of confidential data are enumerated below to understand what
problems may occur when handling such information:

1. Theft (of laptop, computer, paper, etc. – physical security)

2. Improper disposal (it is a must to use a shredder)
3. Unauthorized access/disclosure (access controls, authentication, lack of understanding of
confidentiality agreements, negligence, etc.)
4. Loss (negligence, etc.)
5. Hacking/ IT incident, etc. ( most often Internet security )
 The ways of leakage are enumerated in a random sequence.
In 2011, negligence was the cause of 39% of all reported data breaches while malicious attacks
(defined as a mixture of hacking and insider theft) accounted for 37% of the data breaches whereas
the cause was hacking in more than one-quarter of these malicious attacks. On a global scale, 232.4
million identities were exposed and endangered in 2011. Deliberate breaches were chiefly aimed at
gathering client-related information as this information can be utilized for various fraud schemes.
Businesses and companies in the computer software, IT, and healthcare sectors accounted for 93%
of the overall number of stolen identities in 2011. Loss or theft was the most recurrent cause in all
sectors and it accounted for 34.3% of exposed identities. The attacks were mostly undertaken
because the criminals saw the crime easy to perform. Hence, 79% of the victims were chosen
because of opportunity while 96% of the attacks did not appear to be very difficult. Of all laptops
stolen, only 30% had their systems encrypted whereas merely 10% had different anti-theft
technology.

Concerning insider intellectual property thefts, statistics show that it is usually done by men who
serve in various positions such as scientists, managers, programmers within a month of leaving
the company from which they steal. Often they have created their own business or have started
working for another, only 20% steal the information as a consequence of recruitment by an
outsider that wants the information. 75% of the perpetrators stole material to which they were
granted access in the course of employment and trade secrets were unlawfully taken in 52% of
the thefts. Furthermore, most insider thieves of intellectual property were caught by non-
technical staff members.

It can be concluded that data breaches are a frequently occurring phenomena, and that not only
CISOs’ and other personnel in charge of information security ought to undertake measures to
attain the objectives of InfoSec but also that non-technical staff in companies shall be aware of
the risks and educated in maintaining the CIA principles in the course of their employment. This
is so as most criminals or cyber-criminals perform their attack because they see an easy prey in
their targets as their security is loose. Staff from all levels of the organization’s hierarchy shall
take measures to prevent theft, loss and take reasonable measures to protect the confidential
information they have been granted access to for the fulfillment of their duties.

 Top five methods for abiding by the CIA principles.

Below is an illustration of the top five layers that information security offers in terms of attaining the
goals laid out in the CIA triad. It is presented in order to reveal the most commonly used manners of
safeguarding the CIA principles and defending any system from a potential data breach.
 The core of the chart is represented by the CIA principles
 Firewalls can be hardware-based and software-based. Firewalls are a piece of equipment or
software that are designed to block unsolicited connections, protocols, unwanted network activity and
block spam and other malicious requests while you are connected a third-party network (usually the
Internet). The hardware firewall utilizes packet filtering to examine the header of a packet and decide
if the packet should be forwarded or dropped. Firewalls serve as an intermediary between your
computer and the Internet connection. Thus, firewalls can block connections that their user did not
wish to make, filter out bad data and prevent outside endeavors to gain control or access to your
machine. They have a set of predefined rules that enable them to allow, deny or drop connections and
as such their function is of a filtering gateway.
 A server, through hardware such as proxy server can regulate what the external world sees of the
network, this could be a type of protection by providing a “smoke screen” on the network. It can
disguise the real network and display a minimal connection to the Internet
 Routers, another piece of hardware, can regulate access to the network, just like firewalls, it may
have access lists that allow or deny acess into the network. Nonetheless, they route IP packets to the
other networks, a thing which is neither performed by firewalls, nor by any other appliance on the
network or the Internet.
 Network controls are implemented at local level, they involve authentication like logins and
passwords.
 Software controls are software that prevent malware from penetrating the machines. Should a
malware infest the system, software controls are in charge of removing the infection and returning the
system to the pre-infestation state. Unlike firewalls, software controls can remove existent malware,
malware that has already affected the machine, whereas firewalls cannot deal with malware that has
already been loaded on your computer.
 Encryption has already been discussed above (Cryptography)
Below is an illustration of a firewall acting as an intermediary.

Confidentiality of information is frequently a regulatory requirement and, as such, there is an

obligation to implement measures to protect such information for companies or governmental
bodies.

Conclusion
It can be concluded from the discussion above that the fulfillment of the CIA principles and the compliance
with the goal of information security is not a goal with a clear end but an open goal that continually changes
with time and the development of technology, the means of information security and the emergence of new
threats and vulnerabilities. Lasting efforts must be exerted to maintain the confidentiality, integrity and
availability of information, it is not possible to take some precautions and declare that the CIA triad is fulfilled
and that nothing more should be done.

Moreover, it can be deduced from the discussion that efforts ought to be exerted not only by information
security professionals, but by employees and all holders of confidential information to safeguard the CIA
principles.
In a nutshell, the discussion above affirms the centrality and the “objectives” status of the CIA principles in
information security

References
PC World, ‘How to encrypt (almost) anything’. Available
at: http://www.pcworld.com/article/2025462/how-to-encrypt-almost-anything.html
Ricky M. Magalhaes, ‘Data Leakage, preserving confidentiality’. Available
at: http://www.windowsecurity.com/articles-tutorials/content_security/Data-Leakage-preserving-
confidentiality.html
Surveillance Self-Defense, ‘Instant Messaging (IM)’. Available at: https://ssd.eff.org/tech/im#im-
encryption
In Defense of Data, ‘Data Breach Trends & Stats’. Available at: http://www.indefenseofdata.com/data-
breach-trends-stats/
U.S. Department of Health & Human Services, ‘Breaches Affecting 500 or More Individuals’.
Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Margaret Rouse, ‘two-factor authentication’. Available
at: http://searchsecurity.techtarget.com/definition/two-factor-authentication
Wikipedia, ‘Information security’. Available at: http://en.wikipedia.org/wiki/Information_security
ContractStandards, ‘Confidential information’. Available at: http://www.contractstandards.com/contract-
structure/remedies/covenants/confidential-information
Torys LLP, ‘THE PROTECTION OF CONFIDENTIAL INFORMATION’. Available
at: http://www.torys.com/publications/documents/publication%20pdfs/artech-3t.pdf
George Garza, ‘Top 5 Layers of Information Security’. Available
at: http://www.brighthub.com/computing/enterprise-security/articles/86838.aspx
Duston Sackett, ‘The InfoSec Layer Methodology’. Available
at: http://www.theiia.org/intAuditor/itaudit/2009-articles/the-infosec-layer-methodology/
Vangie Beal, ‘The Differences and Features of Hardware and Software Firewalls’. Available
at: http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp
Kioskea, ‘Firewall’. Available at: http://en.kioskea.net/contents/603-firewall
Intuit. QuickBase, ‘Information Security: A Closer Look’. Available
at: http://quickbase.intuit.com/articles/information-security-a-c loser-look
Wikipedia, ‘Encryption’. Available at: http://en.wikipedia.org/wiki/Encryption
Claudio LoCicero, ‘Confidentiality, Integrity, Availability and What it Means to You’. Available
at: http://searchwarp.com/swa268042.htm


  


  Share

  

  