The document discusses the need to balance information security and access, emphasizing that while perfect security is unattainable, a reasonable level of access must be maintained to satisfy both users and security professionals. It outlines the OSI Security Architecture and defines various security services such as authentication, access control, data confidentiality, data integrity, nonrepudiation, and availability. Additionally, it describes security mechanisms used to implement these services, including encipherment, digital signatures, and access control mechanisms.

Balancing Information Security and Access

Even with the best planning and implementation, it is impossible to obtain perfect information security.
We need to balance security and access. Information security cannot be absolute: it is a process, not a
goal. It is possible to make a system available to anyone, anywhere, anytime, through any means.
However, such unrestricted access poses a danger to the security of the information. On the other hand, a
completely secure information system would not allow anyone access.
To achieve balance—that is, to operate an information system that satisfies both the user and the security
professional—the security level must allow reasonable access, yet protect against threats. The figure shows
some of the competing voices that must be considered when balancing information security and access.

Because of today’s security concerns and issues, an information system or data-processing department
can get too entrenched in the management and protection of systems. An imbalance can occur when the
needs of the end user are undermined by too heavy a focus on protecting and administering the
information systems.
Both information security technologists and end users must recognize that both groups share the same
overall goals of the organization—to ensure the data is available when, where, and how it is needed, with
minimal delays or obstacles. In an ideal world, this level of availability can be met even after concerns
about loss, damage, interception, or destruction have been addressed.
ITU-T X.800 Security Architecture for OSI
The OSI Security Architecture is a framework that provides a systematic way of defining the
requirements for security and characterizing the approaches to satisfying those requirements. The
document defines security attacks, mechanisms, and services, and the relationships among these
categories.
ITU-T: International Telecommunication Union Telecommunication Standardization Sector
OSI: Open Systems Interconnection

Security Services
X.800 defines security services in the following categories.

Authentication:
The authentication service is concerned with assuring that a communication is authentic:
The recipient of the message should be sure that the message came from the source it claims to come from.
All communicating parties should be sure that the connection is not interfered with by an unauthorized
party.
Example: consider a person using an online banking service. Both the user and the bank should be assured
of each other's identity.

Access control:
The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a
resource, under what conditions access can occur, and what those accessing the resource are allowed to
do).
Data confidentiality:
Protection of data from unauthorized disclosure. It includes:
Connection confidentiality
Connectionless confidentiality
Selective-field confidentiality
Traffic-flow confidentiality

Data Integrity:
The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification,
insertion, deletion, or replay).
Nonrepudiation:
Provides protection against denial by one of the entities involved in a communication of having
participated in all or part of the communication.
Nonrepudiation can be related to
Origin: proof that the message was sent by the specified party
Destination: proof that the message was received by the specified party
Example: imagine a user of online banking who has made a transaction but later denies having done so. How
can the bank protect itself in such a situation?

Availability service:
The property of a system or a system resource being accessible and usable upon demand by an
authorized system entity, according to performance specifications for the system (i.e., a system is
available if it provides services according to the system design whenever users request them).
Security mechanisms: are used to implement security services. They include (X.800):

Encipherment:
The use of mathematical algorithms to transform data into a form that is not readily intelligible. The
transformation and subsequent recovery of the data depend on an algorithm and zero or more
encryption keys.
Digital signature:
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data
unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).
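The banking example under Nonrepudiation and the Digital signature mechanism above fit together: if the customer signs each transaction with a private key, the bank can later show anyone holding the customer's public key that the transaction was authorized and unmodified. The following is an added illustration, not code from the original notes; the Transaction fields, account numbers and the use of Ed25519 from Go's standard library are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed sample of what the customer authorizes.
type Transaction struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int    `json:"amount"`
	Nonce  uint64 `json:"nonce"` // distinguishes otherwise identical transactions (anti-replay)
}

// canonical serializes the transaction deterministically so that the signer and
// every later verifier operate on exactly the same bytes.
func canonical(tx Transaction) []byte {
	b, _ := json.Marshal(tx) // fixed struct field order gives a stable encoding
	return b
}

// SignTransaction runs on the customer's side with the customer's private key.
func SignTransaction(priv ed25519.PrivateKey, tx Transaction) []byte {
	return ed25519.Sign(priv, canonical(tx))
}

// VerifyTransaction is what the bank, or later an arbiter, runs with only the
// customer's public key. Because no secret is needed to check it, the stored
// signature is evidence of origin (nonrepudiation) as well as of integrity.
func VerifyTransaction(pub ed25519.PublicKey, tx Transaction, sig []byte) bool {
	return ed25519.Verify(pub, canonical(tx), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tx := Transaction{From: "ACC-001", To: "ACC-002", Amount: 500, Nonce: 1}
	sig := SignTransaction(priv, tx)
	fmt.Println("original verifies:", VerifyTransaction(pub, tx, sig))
	tampered := tx
	tampered.Amount = 5000 // any change to the signed data invalidates the signature
	fmt.Println("tampered verifies:", VerifyTransaction(pub, tampered, sig))
}
```

A message authentication code with a key shared between customer and bank would give integrity but not nonrepudiation, since the bank itself could have produced it; that is why the mechanism here is a signature.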
Access Control:
A variety of mechanisms that enforce access rights to resources.

Data Integrity:
A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
Authentication Exchange:
A mechanism intended to ensure the identity of an entity by means of information exchange.

Traffic Padding:
The insertion of bits into gaps in a data stream to frustrate an eavesdropper's traffic analysis attempts.
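One way the traffic padding mechanism is realized in practice is to pad every message up to a fixed frame size before it is encrypted, so that an observer of the (encrypted) stream sees only whole frames rather than the true message lengths. This is an added example, not from the original notes; the 256-byte frame size and the length-prefix layout are assumptions chosen for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// FrameSize is the assumed fixed on-wire unit; every padded message is a whole
// number of frames. Padding must be applied before encryption, otherwise the
// padding itself reveals the boundary of the real data.
const FrameSize = 256

// Pad writes a 4-byte big-endian length prefix, copies the message, and fills
// the rest of the last frame with zero bytes.
func Pad(msg []byte) []byte {
	total := 4 + len(msg)
	frames := (total + FrameSize - 1) / FrameSize // round up; an empty message still uses one frame
	out := make([]byte, frames*FrameSize)
	binary.BigEndian.PutUint32(out[:4], uint32(len(msg)))
	copy(out[4:], msg)
	return out
}

// Unpad recovers the original message and rejects frames that are not a whole
// number of padding units or whose declared length does not fit.
func Unpad(frame []byte) ([]byte, error) {
	if len(frame) < 4 || len(frame)%FrameSize != 0 {
		return nil, errors.New("frame is not a whole number of padding units")
	}
	n := binary.BigEndian.Uint32(frame[:4])
	if uint64(n) > uint64(len(frame)-4) {
		return nil, errors.New("declared length exceeds frame")
	}
	return frame[4 : 4+n], nil
}
```

Two messages of 2 and 200 bytes both leave as a single 256-byte frame, so their lengths are indistinguishable on the wire; only messages that cross a frame boundary change what the eavesdropper sees.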
Routing Control:
Enables selection of particular physically secure routes for certain data and allows routing
changes, especially when a breach of security is suspected.
Notarization:
The use of a trusted third party to assure certain properties of a data exchange.
