Data Security and Cryptology , I Introduction . Essence of Data Security. September 4th, 2013 Valdo Praust mois @ mois .ee Lecture Course in Estonian IT College Autumn 2013. Name and Goal. Name : Data Security and Cryptology ( Andmeturve ja krüptoloogia)
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
September 4th, 2013
Lecture Course in Estonian IT College
Name: DataSecurity and Cryptology
(Andmeturve ja krüptoloogia)
Place: Estonian IT College
Goal of lecture course: To provide a systematic overview of contemporary datasecurity and cryptology, bothfrom theoreticaland practical side. Datasecurityas a practicaldisciplinewillconsidered a littlebitmoretheoretically and cyrpotographyas a deeptheoreticaldiscipline (and alsoanimportant tool fordatasecurity) morepractically
Information(informatsioon, teave)– a knowledge concerning any objects, such as facts, events, things, processes or ideas, which have a special meaning in certain contexts
The concept “information” isheavily related tothemoregeneralconcept – knowledge. Itassumesthatthereis a factwhisisknown (an object), andthepersonwhoknowsthefact (the subject)
Informationitselfdoesnothavethe practicalshape. The practicalshapeof information will occure whenwe also consider the practical representation of information (and then it is called - data)
Data(andmed)– reinterpretable formalized representation of aninformation in sucha form whichissuitable for transfer, processing and/or interpretation
Data are always the presentation of information,usually in a pre-agreed form (which allows to transfer the information beared by the data from one subject to another)
The same data can be interpreted differently by the different subjects having a different background (for example, “hallitus” inEstonian and inFinnish)
When we talk about the computer-based (computer processable) data we always thought the digital data, which are always coded by using the queues of 0’s and 1’s.
Data format(andmevorming, vorming) — a desciption how different type of information – text, picture, voice, video etc – is coded into the queue of 0’s and 1’s
A pre-agreed (standardised) data format gives to data (to data file) a concrete and unique meaning. If we have data but do not have the data format desciption, then we do not have the information, carried by the data
Different data formats are supported by a different application software which usually allow to write the file in certain format, or to made the content of data (information) human-perceptable etc.
A typical end-user usually don’t know anything about different data formats and interpretation. He/she usually associates the certain format only to the certain software which is able to interpretate these format(s).
End user usually receives only an human-perceptable form, prepared by the software, so-calles WYSIWYG (What You See Is What You Get, in Estonian adekvaatkuva)
If we possess (or process) the data then the information carried by the data has always a certain value for us (for our business process). It does not depend either the infomation is represented by the digital nor by the paper-based data
Information security (infoturve) or data security (andmeturve) is a discipline concerning the maintaining these values/properties of information (performed in practice by the maintaining the properties of data)
These three properties (branches of secrity) must be maintained for all information/data items we possess.
In pre-computer world (paper-based information) we talked only about the confidentiality, not for other branches
It’s mainly a question about traditions and culture where we use which concept.For example in Europe the concept data protection is often used in a context of protection of personal data (isikuandmete kaitse)
Dataavailabilty(andmete käideldavus) isa timely and convenient access and usage of information carried by the datafor all authorized persons and otherentities
Data integrity(andmete terviklus) is a ensuring that data are originated (information was stored into the data) by a certain source and haven’t been altered (both by an accident or by a deliberate act or by the fake)
Integrity are thesecondimportantsecuritybranch (bytheavailability)
In the business process we usually assume that the data we used (information carried by the data) are firmly related to the creator/source of the data, creation time etc. Violationorabsense of these relationshipswill usually causesserios negative consequences
Näide: karistusregistri kuritahtliku muutmisega saab vang õigusevastaselt varem vabaks
Data confidentiality (andmete konfidentsiaalsus ehk salastatus ehk salastus) is the availability of the information, carried by the data, only by the authorized subjects (and strict non-availability for other subjects)
Security of data (security of information beared by the data) is ensured by the securing the (IT) assets surrounding the data
NB!It does not matter how many safeguards we implement, we NEVER achieve the absolute security. If we implement more safeguards we only minimise the probability that security (availability, integrity of confidentiality) will be harmed but it will never fall into zero
Instead of absolute security usually the concept acceptable residual risk by the business process (äriprotsessi jaoks aktsepteeritav jääkrisk) is used
An acceptable residual risk is a situation where the total price of all implemented safeguards is approximately equal to the forecasted total loss of security (measured by the amount of money)
Economical View of Data Security
Serious Obstacles of Evaluating the
Optimal Security Point
In order to simplify a practical security task it’s usually necessary
This process is usually called a risk management (riskihaldus)