Security services are functions needed to protect information from threats. Security services should not be confused with security controls or countermeasures. Security services are high-level security needs, while security controls are the technologies or procedures implemented to meet the security services.
The security services are defined as the information protection needs that are used to set information protection priorities. The IATF guidance incorporates six primary security services areas:
- Access control
In reality, these security services do not exist as separate entities; instead, each interacts with and depends on other services. Although most ISSEP candidates should be familiar with these security services, a brief description is provided for reference.
In the realm of network security (we are not concerned with physical access controls in this discussion), access control means limiting access to network resources and data. Access controls are used to prevent unauthorized use of network resources and the unauthorized disclosure or modification of data. This can also include restricting the use of particular network resources, such as dial-in modems, or limiting Internet access.
Confidentiality is defined as preventing unauthorized disclosure of data. Confidentiality security services prevent disclosure of data in storage, being processed on a local machine, transiting a local network, or flowing over the public Internet. An aspect of confidentiality is "anonymity", a service that prevents disclosure of information that could lead to the identification of the end user.
Integrity security services are composed of the prevention of unauthorized modification of data, detection and notification of unauthorized modification of data, and recording of all changes to data. Modification includes insertion, deletion, reordering, and duplication (replay) of data.
- Single data integrity. To provide integrity of a single data unit that is in transit, the sending entity calculates an additional data item that is bound to the originating data unit. The receiving entity that wishes to verify the integrity of the data unit recalculates the corresponding quantity and compares it with the transferred value. If the recalculated and transferred values do not match, the data unit has been modified in transit. Methods for calculating this data item include checksums, cyclic redundancy check (CRC) values, and hashes (also known as message digests). Note that checksums, CRCs, and unkeyed hashes detect only accidental modification: an attacker who can alter the data unit can recompute the value to match. Detecting deliberate modification requires a value the attacker cannot recompute, such as a keyed hash (a message authentication code) or a digital signature.
- Multiple data integrity. To provide integrity for a sequence of data units in transit, some type of ordering information must be provided within the communications protocol, such as sequence numbers or timestamps, and bound into each unit's integrity value so that replayed, reordered, or dropped units are detected. Encrypting the sequence of data units with a chaining mode, in which the encryption of each unit depends on all previous units, also ties the units together; on its own, however, encryption is not a reliable integrity mechanism, and an authenticated encryption mode or a separate integrity value over the whole sequence should be used.
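The two integrity mechanisms above, as an added example written for this page (it is not code from the original text or from the IATF): a receiver recalculating a CRC, an unkeyed digest, and an HMAC over a single data unit, and sequence numbers bound into the keyed tag over a stream of units so that replay and reordering are detected. It uses only the Python standard library; the shared key, the data units, and the attacker's in-transit modification are constructed assumptions.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed for this example: a key shared out of band by sender and receiver.
KEY = b"constructed-shared-secret"


# --- Single data integrity: one tag bound to one data unit -------------------

def crc32_tag(data: bytes) -> int:
    """Error-detecting code: catches accidental corruption, not deliberate change."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_tag(data: bytes) -> bytes:
    """Unkeyed message digest: anyone who can alter the data can recompute it."""
    return hashlib.sha256(data).digest()


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed digest (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def receiver_verifies_unkeyed(data: bytes, tag: bytes) -> bool:
    """Receiver recalculates the digest and compares it with the transferred value."""
    return hmac.compare_digest(sha256_tag(data), tag)


def receiver_verifies_keyed(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def attacker_rewrites_in_transit(data: bytes, tag: bytes, keyed: bool) -> tuple:
    """Constructed attacker: changes the amount in the data unit. It does not know
    KEY, so with a keyed tag it can only forward the original tag; with an unkeyed
    digest it simply recomputes a matching one."""
    altered = data.replace(b"100.00", b"900.00")
    return (altered, tag) if keyed else (altered, sha256_tag(altered))


# --- Multiple data integrity: ordering information bound into the tag --------

def send_sequence(key: bytes, units: list) -> list:
    """Sender numbers each unit and binds the sequence number into the keyed tag,
    so a unit replayed or moved to another position no longer verifies there."""
    return [(seq, unit, hmac_tag(key, struct.pack(">I", seq) + unit))
            for seq, unit in enumerate(units)]


def receive_sequence(key: bytes, stream: list) -> list:
    """Receiver checks each tag over (sequence number, unit) and insists on the next
    expected number; strict in-order delivery is assumed for simplicity. Returns one
    verdict per received unit."""
    verdicts, expected = [], 0
    for seq, unit, tag in stream:
        if not hmac.compare_digest(hmac_tag(key, struct.pack(">I", seq) + unit), tag):
            verdicts.append("reject: bad tag")
        elif seq < expected:
            verdicts.append("reject: replay")
        elif seq > expected:
            verdicts.append("reject: gap")      # dropped or out-of-order unit
        else:
            verdicts.append("accept")
            expected = seq + 1
    return verdicts


def demo() -> dict:
    unit = b"transfer 100.00 to account 42"   # constructed data unit
    r = {}
    flipped = bytes([unit[0] ^ 0x01]) + unit[1:]          # single-bit transmission error
    r["crc_detects_bit_flip"] = crc32_tag(flipped) != crc32_tag(unit)
    d, t = attacker_rewrites_in_transit(unit, sha256_tag(unit), keyed=False)
    r["unkeyed_detects_tamper"] = not receiver_verifies_unkeyed(d, t)   # False
    d, t = attacker_rewrites_in_transit(unit, hmac_tag(KEY, unit), keyed=True)
    r["keyed_detects_tamper"] = not receiver_verifies_keyed(KEY, d, t)  # True
    stream = send_sequence(KEY, [b"unit-0", b"unit-1", b"unit-2"])
    r["replay"] = receive_sequence(KEY, stream + [stream[1]])
    r["reorder"] = receive_sequence(KEY, [stream[0], stream[2], stream[1]])
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The receiver here accepts only the exact next sequence number; real transport and security protocols usually keep a sliding window so that limited reordering is tolerated while replays are still rejected. `hmac.compare_digest` is used for the comparison to avoid leaking, through timing, how many leading bytes of a forged tag were correct.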
Availability is the timely, reliable access to network resources, data, and information services for authorized users. Availability in a networked environment includes not only the user's ability to access network resources, such as hardware and software, but also the user's ability to obtain a desired network bandwidth with reasonable throughput (quality of service). To provide availability, network traffic must be able to traverse local area networks (LANs) and wide area networks (WANs) to reach its intended destination.
Repudiation occurs when one of the entities involved in a communication denies that it participated in that communication, by either denying sending the communication or denying receiving it. The non-repudiation security service provides the ability to prove to a third party that the sending or receiving entity did participate in the communication. Because users are usually concerned with non-repudiation for application information, such as e-mails or file transfers, the non-repudiation service is primarily provided by application layer protocols. Digital signatures are the usual method of providing non-repudiation: a signature can be created only with the signer's private key, yet verified by anyone holding the corresponding public key, so it is evidence that can be presented to a third party. A public key certificate, issued by a trusted third party, binds that public key to an identity and is what allows the signature to be attributed to a specific party. A message authentication code computed with a shared key does not provide non-repudiation, because either party holding the key could have produced it.
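As an added example of the distinction drawn above (not code from the original text or from any standard), the following Python uses textbook RSA with deliberately small, constructed parameters to show the property that makes a digital signature usable as evidence: it is produced with a private key the signer alone holds, it can be checked by a third party holding only the public key, it does not transfer to an altered message, and a receiver who has only the public key cannot forge one. The primes, the message, and the key and function names are assumptions for illustration; real signatures use large keys and a padding scheme such as PSS.

```python
import hashlib

# Toy RSA parameters, constructed for this example only (two well-known small primes).
# Real deployments use 2048-bit or larger moduli and a padding scheme such as PSS.
P, Q = 1299709, 15485863
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)    # published, e.g. in a certificate that binds it to the sender
PRIVATE_KEY = (N, D)   # held only by the sender


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the signing group of the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    """Sender: signature = H(m)^d mod n. Requires the private exponent d."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Anyone: check signature^e mod n == H(m). Needs only the public exponent e."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def receiver_attempts_forgery(public_key: tuple, message: bytes) -> int:
    """Constructed forgery attempt by a receiver who holds only the public key:
    the best it can do is exponentiate with e, which is not the private d."""
    n, e = public_key
    return pow(_digest_mod_n(message, n), e, n)


def demo() -> dict:
    msg = b"From: alice  To: bob  Order 500 units"   # constructed message
    altered = msg.replace(b"500", b"900")
    sig = sign(PRIVATE_KEY, msg)
    r = {}
    # A third party (an arbiter) holding only the public key confirms that whoever
    # produced sig held the private key. That is what a MAC cannot offer.
    r["third_party_verifies"] = verify(PUBLIC_KEY, msg, sig)
    # The receiver cannot reuse the signature on a message the sender never sent.
    r["altered_message_verifies"] = verify(PUBLIC_KEY, altered, sig)
    # Nor can the receiver produce a valid signature on the altered message.
    r["receiver_forgery_verifies"] = verify(PUBLIC_KEY, altered,
                                            receiver_attempts_forgery(PUBLIC_KEY, altered))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The contrast with a keyed hash is the point: with an HMAC, sender and receiver hold the same key, so a valid tag shown to an arbiter proves only that one of the two produced it, and the sender can plausibly repudiate. With a signature, only the private key holder could have produced the value, and the certificate binding the public key to an identity closes the chain from signature to party.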