The most important task in IT security is to follow the technical developments. The digitalising and networking world is progressing very rapidly in terms of technology. New technologies require new software, new areas of application require new security measures.
Whereas in the past a few large computers simply took over tasks for entire companies and were operated by a few people, today there are a myriad of small devices that are all interconnected.
It can be quite tricky to even explain what exactly is to be protected from what, what threats there are and what gaps in security systems could be exploited.
However, so-called protection goals are defined – these are considered the “main goals” of any IT security. These are:
confidentiality – integrity – availability
If you consciously take these three protection goals to heart, you have already implemented half of the IT security! This is what they look like in detail:
Confidentiality: Data, information and resulting knowledge should be hidden from persons who have no right to view them.
Integrity: Data, information and resulting knowledge should be protected against unauthorized changes and manipulation.
Availability: Data, information and resulting knowledge should be accessible to those who have permitted access, whenever they need it.
These three objectives are so important and central because they are equally important in the private and business context. Take a look at the following examples:
The three protection goals in a private context using the example of “online banking”
You use the online access to your bank account. This is a sensitive issue, because your money is at stake. How are the protection goals fulfilled here?
The three protection goals in the corporate context using the example of “product development”
A company develops a completely new product that should revolutionise the market. Of course, this should happen without the competition profiting from it. How could the protection goals be fulfilled here?
Availability: All involved and authorized persons have secure access to the development of the new product and the resulting data.
In addition, there are also extended protection goals that have to be considered according to requirements. These do not necessarily have to be anchored in IT security and can vary greatly in the private and corporate context.
- Accountability or Anonymity
An action in the IT environment can be clearly assigned to a person – or not. In the corporate context, the person responsible for internal sabotage, for example, can be identified. In private life, by the way, the opposite is more likely to happen, namely that the person enjoys the greatest possible anonymity in connection with his or her data – for example, when researching health-related topics on the Internet.
- Authenticity
Data, information and resulting knowledge should be verifiable for authenticity, for example whether transmitted research results are original or have been manipulated by a third party.
- Non-repudiation
Actions in an IT environment should not be deniable after the fact – this is particularly important for electronically processed contracts. Here, for example, electronic signatures are used.
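The authenticity and non-repudiation goals above both rest on the same mechanism, so here is one added example (not code from the original article) that shows the difference between a plain hash and a digital signature. A SHA-256 digest reveals whether a transmitted document was altered (integrity), but anyone can recompute it, so it says nothing about who produced the document. An Ed25519 signature, by contrast, can only be created with the signer's private key: verification with the public key establishes authenticity and integrity at once, and because nobody else holds that key the signer cannot plausibly deny having signed, which is non-repudiation. The "research results" and key pairs are constructed for the example; the names `Digest`, `Signer` and `Verify` are this example's own, not from any standard.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 fingerprint of a document body as hex.
// Comparing the recipient's digest with the one the sender published
// detects manipulation in transit (integrity), but proves nothing about
// who wrote the document, because anyone can compute a hash.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// Signer holds an Ed25519 key pair. The private key never leaves the
// signer; only the public key is handed to recipients.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair (constructed for this example).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// PublicKey is what a recipient needs to verify signatures.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// Sign produces a signature over the document body with the private key.
func (s *Signer) Sign(body []byte) []byte {
	return ed25519.Sign(s.priv, body)
}

// Verify checks a signature against a public key. Success means the
// document came from the holder of the matching private key (authenticity)
// and was not altered since signing (integrity). Since only the signer holds
// that key, the signature also supports non-repudiation; an HMAC over a
// shared secret could not, because either party could have produced it.
func Verify(pub ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(pub, body, sig)
}

func main() {
	// Constructed sample data, not results from any real study.
	original := []byte("trial 42: compound X reduced failure rate by 12%")
	manipulated := []byte("trial 42: compound X reduced failure rate by 52%")

	researcher, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := researcher.Sign(original)

	// Integrity only: the hash changes when a third party edits the figure.
	fmt.Println("hash unchanged after manipulation:", Digest(original) == Digest(manipulated))

	// Authenticity + integrity: the real document verifies, the edited one does not.
	fmt.Println("original verifies:", Verify(researcher.PublicKey(), original, sig))
	fmt.Println("tampered verifies:", Verify(researcher.PublicKey(), manipulated, sig))

	// A third party with its own key cannot produce a signature that verifies
	// under the researcher's public key.
	impostor, _ := NewSigner()
	forged := impostor.Sign(manipulated)
	fmt.Println("forged verifies:", Verify(researcher.PublicKey(), manipulated, forged))
}
```

Run it with `go run` on the file; the three `Verify` lines print `true`, `false`, `false`. The practical consequence is the one the article draws for contracts: a recipient who keeps the document, the signature and the signer's public key can later demonstrate to anyone who created the document and that it has not changed.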
How are these goals to be achieved in practice?
This question is all about weaknesses. Or rather, it’s about finding and eliminating vulnerabilities. As you have already learned, all software has weaknesses. These are not clearly identifiable as such in advance. Often it is due to poor programming of the software used or the design of the IT system. This does not necessarily mean that “wrong” programming has been done, but simply that not all known IT threats have been considered in the programming. However, weak points can also be the human being or the wrong handling of IT systems.
Of course, IT security can also be bypassed via the hardware, not only via the software. But this is less practical for an attacker: to manipulate or steal data via the hardware, one has to be physically present, for example with a USB stick in hand, or has to steal the entire computer.
Accessing the software via the Internet is therefore more convenient for an attacker, and above all much harder to trace.
In order to achieve the protection goals of IT security, it is therefore of enormous importance to identify these weaknesses and possible threat scenarios. And this is where it becomes difficult, because a 100-percent representation of all weak points is not possible at all due to the constant development of the systems and the general inability to look into the future – one can only approximate as closely as possible.
IT security strongly depends on the current technological developments – new areas of application of information technology also involve new dangers. Here, a quick reaction is required to be able to offer appropriate countermeasures.
There are three protection goals that must be met in all areas of application: confidentiality, integrity and availability.
There are three additional protection goals, which vary according to the area of application and should be considered accordingly: accountability (or, conversely, anonymity), authenticity and non-repudiation.
To achieve these protection goals, the core task of IT security is to identify weak points of systems and to eliminate them accordingly. This can also affect hardware, but currently it mostly concerns software – mainly programming errors or threats that were not considered during programming.
Perfect IT security can only be approximated, but not 100 percent fulfilled. That is why IT security must be treated as a whole.