Dec 26

Information Security and Information Assurance — What is the Difference?


As society increasingly relies on digitally stored and accessed information, traditional information security technology, policies, management, and practices prove more and more limited in satisfying the security and assurance needs of modern information systems and applications, for several reasons. In general, because it addresses only the protection of information against unauthorized disclosure, transfer, modification, or destruction, traditional information security cannot deliver the level of information assurance that modern applications require. In particular, first, as applications increasingly rely on digitally stored and accessed information, they increasingly rely on the availability of this information and the reliability of the corresponding information system. However, availability and reliability are largely neglected by traditional information security.

Second, although information confidentiality, privacy, and integrity protection are certainly crucial in meeting the information security needs of modern applications, not all attacks can be prevented and some attacks do succeed. These attacks can cause substantial confidentiality and privacy loss (via unauthorized disclosure of information), substantial integrity loss (via unauthorized modification of information), substantial availability/reliability loss and serious denial of service (via destruction of some critical components of the information system), and substantial non-repudiation loss (via destruction of evidence and audit data). When applications depended only lightly on digitally stored and accessed information, such information security losses might have been tolerable. But as applications increasingly rely on digitally stored and accessed information, such security losses can be disastrous and may no longer be tolerable. Hence, another fundamental limitation of traditional information security technology is that it does not address these successful attacks or intrusions.

As a result, to meet the security and assurance needs of modern information systems and applications, a broader perspective has been introduced: in addition to preventing information from being disclosed, modified, or destroyed, intrusions should be detected; countermeasures (e.g., responses) to intrusions should be planned and deployed in advance; security and fault tolerance mechanisms should work together to ensure confidentiality, privacy, integrity, non-repudiation, authenticity, availability, and reliability in the presence of attacks; and the damage caused to the information and the information system should be repaired and restored (or recovered). In the literature, this is referred to as information assurance.

The basic meaning of information assurance is well captured by the definition from the National Information Systems Security Glossary, which is as follows:

Information Assurance (IA): Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Compared with the concepts of information security and information systems security, whose definitions are quoted below, it is not difficult to see that the concept of information assurance is much broader than that of information security.

In particular, the differences between information security and information assurance are as follows:
(a) the focus of information security is on protection or prevention, whereas the focus of information assurance is on the integration of protection, detection, and reaction;
(b) intrusion detection and reaction are not a major concern of information security, but they are certainly crucial for information assurance;
(c) attack recovery or restoration may be a topic outside the scope of information security, but it is certainly a critical component of information assurance;
(d) the goal of information security technology is to prevent attacks from happening, whereas the goal of information assurance is to ensure that even if some attacks intrude into an information system, certain levels of availability, integrity, authentication, confidentiality, or non-repudiation can still be guaranteed.

Information security: The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.

Information systems security (INFOSEC): [The] protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

There is no doubt that information assurance involves many disciplines and has a variety of aspects, such as the policy, legal, ethical, social, management, evaluation, and technical aspects of information assurance. Compared with traditional information security practices, information assurance involves not only the design and development of a variety of new security technologies but also a variety of emerging policy, legal, ethical, social, economic, management, evaluation, and assurance issues, as information assurance changes people's information security practices at an ever quicker pace. Nevertheless, to make this more tangible, the discussion here focuses primarily on the technical aspect of information assurance, though some relevant policy, management, and evaluation issues are also addressed.
