Hello readers of the Westfield Insurance Information Security Tips blog! I am new to
You may be asking, "What is Information Security (IS) Architecture?" In its broadest sense, architecture in the IT industry involves marrying an enterprise's business objectives to its current and future technology capabilities. A good architecture does this by leveraging what is already present, or when needed, carefully introducing new types of technology. When properly architected, the IT environment adapts smoothly to constantly changing business demands. Information Security Architecture tries to achieve these same outcomes but within the specialized domain of information security.
What tips does an architect have regarding day to day information security? Well, let’s take a security architecture concept and apply it to your situation. For example, consider the idea of ensuring the confidentiality of sensitive information. This idea is broadly applicable everyday on the web. From an architectural perspective it is helpful to think about the two states of confidential information, namely, at rest (e.g., stored in a file) and in transit (e.g., whizzing across the Internet from server to laptop).
Take a scenario where you keep your credit card and expiration date in a file on your PC (you can remember your CVV, that three digit code on the back of your credit card, because it's so short). Doing this makes it so much easier for you go shopping on the web because you can just cut and paste your information quickly, conveniently and without worrying about typing errors, etc. So you surf to your favorite shopping site, find the widget you want to buy, follow the checkout process, open the credit card file, cut and paste your credit card information, submit it, and in a few days your stuff arrives.
Let's talk about your information's confidentiality during the 4 steps in an online transaction:
1) In your computer file: First, if you saved your credit card information on your computer, it is sitting in a file. Here it definitely should have been encrypted in such a way that only you could decrypt and read it, for example, using a password protected file encryption such as the free GNU Privacy Guard.
2) On the merchant's order form: Next, you cut and pasted it to the online merchant’s checkout page. Did you make sure the browser was indicating that the communications were protected by verifying that there were no browser warnings about unrecognized or expired digital certificates? These certificates are used to help you make sure that you’re really at the web site of the merchant you think you are. Some browsers use a color coding scheme in the URL field and green is usually the color indicating the site’s authenticity has been successfully verified.
3) In transit on the web: When you submit your credit card information, the data will suddenly be in transit across the Internet! Prior to submitting anything, make sure it is protected in transit by confirming the URL of the page where you entered your personal data begins with the string https://... Instead of the normal http://... . That extra ‘s’ in https is for security and it means the data stream between your browser and the merchant’s web server is encrypted.
4) On the site receiving your info: And finally, after you press Submit, if you get any browser warning about information being sent unsecured, your browser is warning you that, although the page you were on was secure, the place you’re submitting the credit card info. to may not be. When you recieve such warnings while transacting confidential information you should cancel out of the transaction and perform your purchase via a different medium (e.g., over the phone).
So, from an InfoSec architecture perspective, assuring that the encryption infrastructure is guarding your information at rest and in transit is all part of your personal information security architecture.