Concepts of Information Security

This article is about forgotten, confidently existing, and stepping into the future concepts of information security.

Since humans invented letters and many words, in the world of information security (IS) there also exist numerous strategies and practices which may sound different but essentially speak of the same thing. My goal is to bring all of this together, comprehend it, and give it some kind of structure.

Introduction

Covering this topic, I’d like to note that, of course, we’ll be talking about the modern world, but it’s also worth mentioning that IS has existed since ancient times, even before our era (if, of course, we trust archaeologists and historians).

And if you trust me, then thanks to excavations in the information spaces and analytics, at the moment it has been possible to identify 6 almost independent concepts.

Before starting the description, I suggest we synchronize and maintain the following bestiary of terms encountered in the article:

• Concept – global strategies that determine the approaches and methods of creating an information protection system

• Approaches – theoretical methods and principles chosen for implementing a concept, influencing the architecture of the information protection system

• Methodology – a step-by-step instruction or set of methods intended for implementing the chosen approach

• Technology – tools and products intended for implementing the chosen approach

List of Concepts

So, what are these concepts:

• Concept #1: Air Gap

• Concept #2: Castle and Moat

• Concept #3: Defense in Depth

• Concept #4: Zero Trust

• Concept #5: Cyber Resilience

• Concept #6: Digital Immune System

And before starting the description, I’ll share some thoughts on how this list was created and perhaps preempt your disagreement with it.

Primarily, when compiling the final list, I relied on the following considerations, placing at the forefront two properties that contradict each other:

• presence of contradictions between the ideas of concepts, which are essentially antitheses to each other

• presence of continuity, the continuation of a concept’s idea but with reworking of its essence

The same Air Gap is now perceived as a measure (methodology) and can be one of the elements of Defense in Depth, rather than being a whole concept. However, after delving into its history and etymology, I found that it’s not so simple, and we can consider it as one of the earliest popular concepts in modern cybersecurity history. The same can be said for Cyber Resilience, which does not contradict and logically is one of the principles of Defense in Depth and Zero Trust, but carries a fundamentally different idea, which allows it to be considered a separate concept, while the philosophies of Defense in Depth and Zero Trust prioritize a different important message. As for Digital Immune System, this concept’s main distinguishing feature is that it represents a system with pre-built protective mechanisms in the form of a "living technological organism", where the decision is not made by a person, but the system makes it consciously and independently.

Various existing approaches, methodologies, and technologies in cybersecurity were analyzed, and many candidates were left out of the list of standalone concepts. If you’re interested in exploring, some of them are listed here.

Hidden text

Continuous Threat Exposure Management (CTEM) - continuous threat management

Security Risk Management (SRM) - security risk management

Compliance Based Security - security based on compliance

BeyondCorp - Google’s security approach based on the Zero Trust concept

People Centric Security (PCS) - cybersecurity strategy focused on user awareness of cybersecurity principles

Identity Centric Security - cybersecurity strategy focused on strict user identification

Data Centric Security - cybersecurity strategy focused on data protection

Threat Centric Security - cybersecurity strategy focused on threat management, essentially the same as in CTEM

Principle of least privilege (PoLP) - principle of restricting user privileges to the minimum necessary for task execution

Assume Breach - principle based on the need to build a protection system assuming that an attacker has infiltrated and established themselves in the protected environment

Assume Compromise - principle based on the need to build a protection system assuming that an attacker has infiltrated, established themselves, and compromised data in the protected environment

Site reliability engineering (SRE) - principle for building and ensuring the uninterrupted operation of the protected system

Secure by Design - approach based on the guarantee that the system is designed with security requirements in mind

Read also:

• SD-WAN and Migration Challenges: Merging Networks with Identical Address Space

DevSecOps / Secure SDLC - approach based on secure application development

Trusted Computing Base (TCB) - approach representing a set of protective mechanisms in a computer system, including hardware and software

Attribute Based Access Control (ABAC) - access control model based on analyzing rules for attributes of objects or subjects, possible operations with them, and the environment relevant to the request

Role-Based Access Control (RBAC) - role-based access control model

To a greater extent, the six concepts described above include these techniques and approaches, but I admit that I may be subjective and that certain candidates might have been worthy of nomination as standalone concepts.

So, let’s move on to the description.

Description of concepts

Air Gap

Origin:

According to NIST, the term Air Gap means the following: "An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control)". That is, Air Gap is the physical isolation of the protected object from other systems and external networks, where data is transferred manually, under human control.

Alternative names found in various international standards, publications, and research: “Offline Segmentation”, “Network Separation”, “Isolated Network”, “Disconnected Security” and “Off-Grid Network”.

The key principles are:

• isolation of the protected object from other systems

• no connection to the Internet

• no remote connection to the protected object

• limited use of data transfer interfaces

• sufficiency of the isolation measure that excludes the use of other security measures

The phrase “air gap” in English first appeared back in 1840, but as you can understand, clearly did not apply to information security. The phrase “воздушный зазор” (“air gap” in Russian) appeared in the world of electrical engineering and then, during the Cold War, migrated into information security.

If online sources are to be believed, the pioneers of using this term in information security are considered to be the USA and the USSR. The term began to be used in a security context back in the 1960s, and companies such as Forrester, Gartner, and IDC began mentioning Air Gap in the early 2010s.

Types of approaches:

It is worth noting that the concept of “isolation” is elastic, and if previously the principle of Air Gap was based on complete physical isolation of the protected object, with technological progress various allowances have emerged, which can be felt in the descriptions of Air Gap approaches:

• Full Air Gap – this is that very legendary physical isolation, where there is absolutely no interaction of the protected object with other systems, and any clever technological tricks, which will be discussed later in other approaches of the concept, are unacceptable

• Logical Air Gap – in this paradigm, interaction of the protected object with other systems is allowed, but only through special equipment (Firewall, Data Diode, etc.) that ensures channel protection, and control over data transmission and reception

• Virtual Air Gap – protected objects are isolated virtually, using containers, hypervisors, or virtual machines, which physically exist on the same network but are logically separated; essentially a variety of Logical Air Gap

• Procedural Air Gap – interaction of the protected object with other systems is allowed, but is limited by organizational rules and procedures (for example, connection is strictly performed during system updates and temporary transfer of data outside)

Concept summary:

At the moment, the Air Gap concept has not lost its relevance, but it is not a panacea for all threats, and it can be confidently assumed that from a concept it has turned into a measure within the framework of the Defense in Depth concept, which we will touch upon a little later. And as we can see, there are various modifications of Air Gap, where it is possible to find common ground and a compromise between ensuring information security and conducting business processes.

It is worth noting that Air Gap does not provoke rejection and even receives approval from customers (especially in industry), but to some extent acquires an odious status and becomes the hero of “memes” among information security specialists due to the fanatical belief that it is the most effective protection against threats under the slogan "no connections – no threats."

Nevertheless, Air Gap continues to be in demand in certain areas of activity. In the same areas where the trend is set by the term "digitalization," this concept, in the context of "complete physical isolation," contradicts modern business realities and therefore gives rise to more flexible approaches to its implementation. Likewise, it contradicts the modern threat landscape, where isolation from the outside world is not a guarantee of system security.

Castle and Moat

Origin:

There is no official term "Castle and Moat" in the world of information security, meaning it is not found as a definition in international standards or government regulations.

Therefore, we will use the popular definition: Castle and Moat symbolizes an approach in which external threats to the protected object are blocked at the perimeter with the external network, and the internal network is considered safe. Accordingly, an analogy is drawn with a medieval castle with fortress walls and a moat.

Alternative names found in various international standards, publications, and research: “Perimeter Security,” “Classic Security Model.”

The key principles of the concept are:

• all protection is concentrated at the perimeter

• all measures are aimed at protecting against external threats

• the internal network is safe

The Castle and Moat concept emerged in the late 1970s, when the first models of network perimeter protection and firewall technologies began to take shape, and companies such as Forrester, Gartner, and IDC began mentioning the term in the early 1990s and 2000s.

Types of approaches:

There are no fundamentally different approaches to perimeter protection, so without overcomplicating things, we will divide the approaches according to attack vectors:

• controlled area protection

• network connection protection

• email protection

• web application protection

• mobile application protection

• remote access protection

Concept summary:

At the moment, Castle and Moat has essentially transformed from a concept into one of the measures within the Defense in Depth concept, which follows later. Given the modern threat landscape and technological development, it can be stated that Castle and Moat has lost its relevance, but nevertheless, there are still protected objects where other concepts are inapplicable except for Castle and Moat.

Even if the concept has lost its former popularity, perimeter defense approaches and technologies continue to evolve to this day, playing an important role, including focusing on protecting the internal network.

Defense In Depth “Эшелонированная защита”

Origin:

The term Defense In Depth “Эшелонированная защита” appears in NIST SP 800-123, which states: “Security mechanisms (defenses) need to be layered so that compromise of a single security mechanism is insufficient to compromise a host or network.” Also, a slightly different definition can be found in the glossary of NIST: "Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization." That is, security mechanisms (defenses) must be multi-layered so that the compromise of one security mechanism is insufficient to compromise a host or network. It represents an information security strategy that integrates human, technological, and organizational measures.

Alternative names found in various international standards, publications, and research: “Layered Security,” “Multi-layered defense.”

The key principles are:

• using a multi-layered defense system

• each security measure is arranged sequentially to make it difficult for the attacker to advance and to enable prompt detection

The Defense In Depth concept was finally established in the 1990s, when there arose a need to improve information security approaches to replace the conceptually outdated Air Gap and Castle and Moat, and companies such as Forrester, Gartner, and IDC began mentioning the term in the early 1990s and 2000s.

Types of approaches:

We can divide them into the following approaches:

• Compliance Based Security – an approach aimed at building a layered defense system based on the need to comply with legislation and information security standards

• Security Risk Management (SRM) / Continuous Threat Exposure Management (CTEM) – an approach focused on continuous monitoring and analysis of the threat/risk landscape, techniques and tactics of attackers, and building/adapting the defense system accordingly

• Development and adaptation of a layered defense system taking into account the specifics of the technologies and architectures used for the protected assets, and the feasibility of implementing defense measures

Concept summary:

At present, according to surveys by Gartner and Forrester, Defense In Depth is one of the most common concepts in the world. In fact, all our favorite FSTEC orders, GOST standards on protection measures declare this approach.

But modern realities and threats pose new challenges, and supposedly the approaches of this concept are not enough, and something more sophisticated needs to be devised against attackers — and let’s talk about this in the description of the next concepts.

Zero Trust «Нулевое доверие»

Origin:

The Zero Trust concept was proposed in 2010 by John Kindervag, an employee of Forrester. The company’s analytical report on Zero Trust sounded roughly like this: “If the current trust model is broken, how do we fix it? It requires a new way of thinking. The way we fix the old trust model is we begin at the beginning and look for a new trust model. Forrester calls this new model “Zero Trust.” The Zero Trust Model is simple: Security professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. Much of this can be automated so that it doesn’t become burdensome.”

Also, the U.S. National Institute of Standards and Technology has published an informational memo on Zero Trust architecture ("Special Publication", not an approved standard) - NIST 800-207. Although it does not introduce a definition of Zero Trust, from summaries and excerpts we can read the following: “Zero trust security models assume that an attacker is present in the environment and that an enterprise-owned environment is no different—or no more trustworthy—than any nonenterprise-owned environment…”

And the definition by NIST states: "A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised."

Thus, taken together, the term Zero Trust assumes that all internal network traffic is untrusted, that an attacker is present inside the perimeter, and that the “corporate” environment is no different (or no more reliable) than any “non-corporate” environment, and must be considered compromised.

On the one hand, this may sound rather unsettling for those authorized and responsible for ensuring information security, but on the other hand – quite intriguing.

Alternative names found in various international standards, publications, and research: “Perimeterless Security.”

The key principles are:

• Never Trust, Always Verify (“Never trust, always verify”), meaning that access subjects (users, devices, processes) should not be considered trusted by default. Every request to access an access object must undergo strict verification and authorization. Verification is carried out regardless of the user’s or device’s location

• Principle of least privilege (“Principle of least privilege”), meaning that a subject gets access only to the minimum necessary access objects and rights required to perform their tasks. Privileges are granted for a short period, as needed, and access rights and subject privileges are regularly reviewed

• Continuous Monitoring (“Continuous monitoring”), which primarily refers to network traffic. Checks for anomalies and logging of all network traffic between the subject and the access object, even if the subject has passed strict verification and authorization

• Assume Breach / Assume Compromise – the necessity of assuming that an attacker is already inside the protected environment

And as mentioned above, the concept of Zero Trust was proposed in 2010 by a Forrester employee, modernized into Zero Trust eXtended in 2018 by his colleague Chase Cunningham, but the idea itself had been in the air since the 1990s, when it became clear that the Castle and Moat concept was outdated and insufficient to cover the threat landscape of that time.

Types of approaches:

The approaches are as follows:

• Zero Trust platform (ZTP) – this term, introduced by Forrester, represents an approach that unifies and combines core security technologies into a single platform, serving as the foundation for using other security tools, applications, processes, and technologies to implement the Zero Trust concept.

• BeyondCorp – this term, introduced by Google, represents an approach implemented by Google to realize the ideas of the Zero Trust concept, also featuring architecture and technologies that are an alternative to VPN and ZTNA.

Summary of the concept:

At the moment, in the global information security market, the Zero Trust concept is breathing down the neck of, and perhaps has already overtaken, the Defense in Depth concept, according to Gartner and Forrester surveys. As for the concept itself, it can be noted that it is not as universal as, say, Defense in Depth, and is not applicable to all areas of activity and certain types of protected objects. I can’t imagine the reaction of industrial control system (ICS) representatives if told about what a wonderful modern Zero Trust concept exists and how great it would be to use it in the technological segment. Although in my experience, there are precedents, and in the same “regulatory” framework there is no direct prohibition on remote access to critical information infrastructure, and when remote access is necessary, the use of classes of information security solutions that foster the ideas of Zero Trust is mandated. The main thing is that it’s not just pretty marketing, but actually works—and that’s another story.

Cyber Resilience

Origin:

The concept of Cyber Resilience originates from a broader concept outside the world of information security – Resilience Engineering. According to NIST, the definition of the term is as follows: “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” That is, Cyber Resilience is the ability to anticipate, withstand, recover from, and adapt to information security incidents.

Alternative names found in various international standards, publications, and studies: “Cyber-readiness”, “Assume Breach”, “Assume Compromise”.

The key principles are:

• Assume Breach / Assume Compromise – the need to assume that a malicious actor is already inside the protected environment

• Site reliability engineering (SRE) – ensuring continuous operation of the protected object

The concept began to gain popularity and to be mentioned (Gartner reports, Forrester, World Economic Forum) around 2014.

Types of approaches:

Let’s try to divide into the following approaches:

• Disaster recovery - focusing on preparing for the worst-case scenarios of the consequences of malicious actions and employee negligence, developing recovery plans to restore the normal functioning of the protected object, including:

  • reservation

  • clustering

  • fault tolerance

• Detection and Response - focusing on detecting and responding to the malicious actor who has already infiltrated the protected environment

Summary of the concept:

A rather ambiguous concept, which may raise the question from management “then why do we need your cybersecurity if the attacker bypassed it?” i.e., essentially questioning the Defense in Depth concept.

The Cyber Resilience concept pragmatically acknowledges that investments in cybersecurity do not guarantee the absence of successful attacks and recommends being prepared for the worst-case scenarios.

The main idea of this concept is the understanding that cybersecurity should not only answer the question “How to protect against threats?”, but also the question “What to do if damage is inflicted?”.

And the well-worn phrases from vendors and system integrators “no one can guarantee 100% security,” “everything can be hacked and bypassed if desired” actually draw attention to Cyber Resilience and distinguish it as an independent concept.

Digital Immune System «Digital immunity»

Origin:

According to Gartner , the Digital Immune System concept is: “The digital immune system (DIS) approach includes practices and technologies for software design, development, automation, operation and analytics, and uses these to create a superior user experience and to reduce system failures that impact business performance.” In other words, the Digital Immune System is a set of practices and technologies for software design, development, automation, operation, and analytics aimed at preventing prolonged failures and automatically recovering the system. The analogy of the immune system of living organisms and their ability to combat biological threats is used.

Alternative names found in various international standards, publications, and studies: “Self-Healing Systems”.

The key idea of the concept is that cybersecurity should become an integral part of the protected object and should naturally appear during the creation and implementation within systems, rather than as an overlay of protective measures. In essence, the emphasis is on:

• well-thought-out and built-in protection measures within the protected environment

• clean source code of the protected object, free of errors and vulnerabilities

And ideally, of course, the operation of these built-in protection measures should occur automatically, with minimal human intervention.

The key principles are:

• Secure by Design – developing systems with security requirements in mind

• Secure by Default – developing systems where security measures are enabled by default

• Observability – continuous monitoring of the protection target’s state and user behavior in real time

• Site reliability engineering (SRE) – ensuring continuous operation of the protection target

• Auto Remediation – automatic problem fixing and recovery to a stable working state of the protection target without personnel involvement

• AI-augmented testing – automatic testing of the protection target using AI

• Chaos engineering – simulating extreme loads, failures, and worst-case downtime scenarios for the protection target in order to identify weak points

Mentions of the concept appeared in the early 2000s, with active use of the term starting around 2010.

Types of approaches:

• DevSecOps / Secure SDLC – developing software with security requirements integrated at all stages of the development lifecycle

• Runtime Application Self-Protection (RASP) – a method for detecting and preventing attacks on an application in real time, embedded into the application or runtime environment

• Cyber Immunity – Kaspersky’s approach, referring to the “cyber immune development approach, allowing creation of inherently secure (secure by design) systems that do not require additional protection measures”

• Software supply Chain Security – securing the software supply chain for creating the protection target, without excluding the use of additional protection measures

Concept summary:

The concept may sound a bit futuristic, especially when comparing and attempting to replicate the properties of a living organism’s immunity and elements of self-regeneration. Evolution has created an almost perfect tool, adapting to Earth’s threats and developing mechanisms and structures in existing living organisms.

If we look at the concept and its individual technologies pragmatically through the lens of Industrie 4.0 and the upcoming Fifth Industrial Revolution, the concept is entirely viable, and the cybersecurity market already offers products implementing the methodologies and technologies of this concept.

Final conclusion

If we summarize the key distinguishing features of each concept in slogans, we get the following:

• Air Gap (“Воздушный зазор”) – “Isolation from the outside world!”

• Castle and Moat (“Замок и ров”) – “Perimeter protection from the outside world!”

• Defense in Depth (“Эшелонированная защита”) – “More layers of defense!”

• Zero Trust (“Нулевое доверие”) – “Always verify everyone and trust no one!”

• Cyber Resilience (“Устойчивость к кибератакам”) – “Always looking for villains within and ready for a breach!”

• Digital Immune System (“Цифровой иммунитет”) – “Only secure code and automation!”

If we make a general conclusion, it can be noted that almost all the data concepts in the article are relevant, although some are logically and technologically outdated, while others are just technologically maturing. And within one company, different concepts can be applied to various protection objects, and there is no indication that one concept is good while another is not.

In fact, if we talk about Russian legislation in the field of information security, the ideas of the above-described concepts are reflected to some extent in orders 17, 21, 31, 239 of the FSTEC, and in GOST 57580.

And it doesn’t matter which concept and what technologies are applied, the main thing is that the approach to ensuring information security requirements is reasonable, economically feasible, protects not only financial interests but also considers the protection of people and the environment, and does not contradict the general goals of the company’s activities. Ideally, of course, in a utopian sense, it would be great if the implementation of information security requirements not only didn't incur financial costs but also generated profit.

The purpose of the article was to organize the heap of terms related to concepts, approaches, and technologies in the world of information security and give it a narrative tone. I hope I have managed to do this to at least a small extent. I would be glad to hear constructive criticism and remarks from you, so I can make changes and improve the quality of the information presented in the article.