Once one begins to appreciate the power of data, it is important to learn how to protect it. This is the subject of information assurance.
Let us use the UK’s National Security Agency definition as a guide for us.
Information assurance (IA) consists of five pillars: availability, integrity, authentication, confidentiality, and non-repudiation. Let us use the idea of a physical mailbox service to explain these terms.
Let us assume that I open a mailbox service. I need to make sure that my mailbox is an appropriate size such that my mailbox can accept letters. If it is too small, it may be so flooded that legitimate mail is denied entry, and may wind up being left outside, falling prey to the outside environmental conditions. That would not be nice for us.
Providing a service is insufficient. We return to the snail mail example. We seal our mail in an envelope, and sometimes affix stickers on tamper-prone surfaces, so that our recipient knows that the contents within the envelope are indeed unmodified.
Even if a message was delivered tamper-proof, how do we know that the sender who sent the mail is indeed the one we requested for? We need the sender to first establish his or her identity, before we know if the message is indeed what we expected. In the case of a physical mailbox, we look at the envelope for signs of identity (example the envelope states “For Government Service”, or has a legitimate company seal). Thankfully, in the digital world, we can do this far better than such primitive methods of identity.
Even if our message is delivered with integrity, we may not want others to know we are sending messages. We may be sending private correspondence, in which case we do not want the world to know the contents of our correspondence. That is why the envelope we seal our mails in are opaque.
Say we have an unfortunate situation, where I receive a letter and I would like to ask, “Can I verify that the letter was indeed sent by my best friend, Alice, and not an evil person?” At this point, I will need to examine the contents of the letter and look out for signs that I can associate with Alice, and not someone else, such as her handwriting, linguistic features and more. Clearly this is not a great way to ensure non-repudiation. Thankfully, the digital world also handles this better than in the physical world.
How do we apply IA principles to the digital world? This will be covered in the next part.