What is Information Security?

Information security is the process of protecting all enterprise information, whether in digital or physical form. Organizations protect information related to their operations and customers to maintain their brand reputation, customer trust, and regulatory compliance. Information security outlines the processes, tools, and technologies that help ensure all information is viewed, copied, changed, or destroyed only after appropriate authorization.

Why is information security important?

Information security supports organizations by helping ensure the integrity, availability, and confidentiality of their private data and business systems. There are several reasons why information security is important.

Enabling business continuity

Effective information security allows businesses to maintain uninterrupted access to their data and systems, even during unexpected security events. Planning for business continuity involves employing a range of security software, creating policies to follow during events, and implementing technical safeguards that help protect an organization.

Building customer trust

Information security reduces the likelihood of unexpected security events, enabling businesses to provide uninterrupted service to their customers. When organizations have a history of consistently complying with governance, following best practices, and implementing secure development practices, they show their customers that they take their user data seriously and will protect it.

Mitigating security risks

Depending on the industry in which a business operates, there may be several potential risks for which it must account. Information security helps enable implementation of technical and procedural controls for managing and mitigating risks.

Organizations can integrate new security management technology that reduces the likelihood of unexpected security events and improves the company’s ability to manage risk.

Protecting brand reputation

Information security protects a brand’s reputation by enhancing its ability to reliably provide services, protect its customers’ privacy, and meet operational demands. The occurrence of inadvertent security events can damage a brand’s reputation; however, effective information security practices reduce the likelihood of this happening.  

What are the key principles of information security?

There are several key principles of information security that every business follows.

Confidentiality

Confidentiality helps ensure that any private business data is only accessible to those with authorization. This principle is both technical and physical, as you can implement access controls for digital files and also prevent unauthorized personnel from accessing an office. Confidentiality also extends to the use of encryption, securing data in transit and at rest, and ensuring that all company data is protected.

Integrity

Integrity refers to the accuracy, reliability, and consistency of data throughout its lifecycle within a company. This principle aims to protect data by ensuring it is accurate and has not been altered without the knowledge of its owners. Enforcing data integrity in information systems involves applying digital signatures, using cryptographic hashing, storing data in immutable ledgers, and validating data across its lifecycle.

Availability

Availability helps ensure that authorized users have access to any data they need, without delay or disruption. This principle seeks to implement backup and recovery strategies so that data is always accessible. Additionally, availability involves protecting against third-party disruptions, monitoring the health of storage in data centers, and designing fault tolerance into data architecture.

Nonrepudiation

Nonrepudiation helps ensure that every action taken regarding data is traced, monitored, and logged. By embedding nonrepudiation into information security systems, businesses develop an auditable trail behind every piece of data. Whenever a user accesses information, changes it, or approves its movement or modification, the action is logged into an immutable ledger.
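The integrity and nonrepudiation principles above can be made concrete with a hash-chained audit log: each record carries the hash of its predecessor plus an authentication tag, so an edited record, a forged hash, or a silently deleted entry is caught on verification. This is an added example, not code from the original page; the key is a constructed placeholder, and an HMAC stands in for the asymmetric digital signature a production nonrepudiation design would use, since the Python standard library has no signature primitive.

```python
import hashlib
import hmac
import json

# Constructed demo key: a real deployment would hold this in a key management service.
DEMO_KEY = b"constructed-audit-log-key"
GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(record: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically.
    body = {k: v for k, v in record.items() if k not in ("hash", "tag")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, actor: str, action: str, resource: str, key: bytes = DEMO_KEY) -> dict:
    """Append an audit record chained to its predecessor and authenticated with the key."""
    record = {"seq": len(log), "actor": actor, "action": action, "resource": resource,
              "prev_hash": log[-1]["hash"] if log else GENESIS}
    record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
    record["tag"] = hmac.new(key, record["hash"].encode(), hashlib.sha256).hexdigest()
    log.append(record)
    return record


def verify_log(log: list, key: bytes = DEMO_KEY) -> int:
    """Return -1 if the whole chain checks out, else the index of the first bad entry."""
    expected_prev = GENESIS
    for i, record in enumerate(log):
        expected_tag = hmac.new(key, record["hash"].encode(), hashlib.sha256).hexdigest()
        if (record["seq"] != i                                                        # entry inserted or deleted
                or record["prev_hash"] != expected_prev                               # chain broken
                or hashlib.sha256(_canonical(record)).hexdigest() != record["hash"]   # content edited
                or not hmac.compare_digest(expected_tag, record["tag"])):             # hash recomputed without the key
            return i
        expected_prev = record["hash"]
    return -1


def demo() -> tuple:
    """Build a three-entry log, then show three kinds of tampering being detected."""
    log = []
    for actor, action, resource in [("alice", "read", "customer-db"),
                                    ("bob", "update", "customer-db"),
                                    ("alice", "approve", "export-job")]:
        append_entry(log, actor, action, resource)
    clean = verify_log(log)                                  # -1: chain intact
    edited = [dict(r) for r in log]
    edited[1]["actor"] = "someone-else"                      # record edited, stored hash now stale
    rehashed = [dict(r) for r in edited]
    rehashed[1]["hash"] = hashlib.sha256(_canonical(rehashed[1])).hexdigest()  # hash fixed up, tag still wrong
    deleted = log[:1] + log[2:]                              # middle entry silently removed
    return clean, verify_log(edited), verify_log(rehashed), verify_log(deleted)
```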

Information assurance

Information assurance is the practice of protecting information systems by ensuring that mission-critical operations are supported. This is a broader principle that involves evaluating and adhering to security frameworks like ISO 27001, actively managing any emerging risks, regularly testing security systems, and continuously monitoring for potential threats. 

What is an information security management system?

An information security management system (ISMS) defines how an organization manages its information security across the entire lifecycle of data. This system typically defines how people, processes, and technology work to provide comprehensive security controls for all information systems within the business.

What are some information security standards and frameworks?

International standards and frameworks provide descriptive and prescriptive guidance to help organizations with information and data security, as part of a compliance program. We give some example standards and frameworks that your organization can follow below.

ISO-27001

ISO-27001 revolves around four main themes: organizational, people, physical, and technological security improvements. Each of these categories seeks to enhance security in a different way, such as:

  • Conducting security training for employees in the people theme.
  • Implementing strict access control policies for offices in the physical theme.
  • Implementing encryption for data at rest and in transit in the technology theme.

Each contributes to a higher standard of information security.

  • AWS has certification for compliance with ISO/IEC 27001:2022. This means that, internally, we systematically evaluate our information security risks, taking into account the impact of threats and vulnerabilities.
  • We design and implement a comprehensive suite of information security controls and other forms of risk management to address customer and architecture security risks.
  • We have an overarching management process to help ensure that the information security controls meet our needs on an ongoing basis.

PCI-DSS

PCI-DSS is another widely used standard that helps ensure any card payments, including the storage, transmission, and processing of financial data, are done in a secure manner. Any entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers, must certify under the PCI-DSS standard.

You can take a look at the list of AWS services in current scope for PCI DSS.

HIPAA/HITECH

HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that helps ensure the protection of personal health information (PHI), preserving its confidentiality and preventing unauthorized disclosure. HIPAA is applicable to “covered entities” (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their business associates.

You can take a look at the list of AWS services in current scope for HIPAA.

FedRAMP

FedRAMP (The Federal Risk and Authorization Management Program) is a US government-wide program intended to standardize the security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

You can take a look at the list of AWS services in current scope for FedRAMP.

GDPR

The GDPR (General Data Protection Regulation) is an EU legal framework that protects the data of EU residents. This is a global standard, as any business that wants to engage with EU customers in any way must comply with the GDPR. The GDPR aims to promote data minimization, help ensure a lawful basis for data collection, and provide users with the right to request the deletion of their data.

AWS customers can use all AWS services to process personal data (as defined in the GDPR) that is uploaded to the AWS services under their AWS accounts (customer data) in compliance with the GDPR.

FIPS 140-3

FIPS 140-3 is a standard for cryptographic modules that all US agencies operating in the federal sphere must utilize. This standard is a part of FedRAMP and requires companies to employ a wide range of protection and prevention security measures.

AWS provides a large range of FIPS Endpoints by service.

What are some information security technologies?

There are several main categories of information security programs that work together to secure workloads and applications.

Data protection

Data protection refers to any services that help to protect sensitive information, accounts, and workloads from unauthorized access. Core data protection services include the encryption of data both in transit and in storage, key management, and sensitive data recovery.

Network and application protection

Network and application protection technologies relate to any strategies and policies that your business deploys at network security control points. These technologies help to identify incoming traffic, filter it, and prevent any unauthorized connections from accessing your network. Core technologies involve firewalls, VPNs, endpoint detection, and other application-level boundaries that enhance the security of your network.

Identity and access management

Identity and access management (IAM) security tools enable your business to manage access controls, assign permission levels, and determine which accounts can access sensitive data. Identity controls help determine the level of access certain accounts have and what that access level allows them to view and interact with. IAM pertains to both data-level controls and account privilege systems.

Compliance and auditing

Compliance and auditing refer to the ability to follow best practices, monitor your environment, and help ensure that compliance standards are met across your organization. Depending on the industry your business works in, the exact standards that you should audit for and comply with will vary.

Physical security controls

Physical security controls are another form of access control that pertains to physical offices, servers, and business spaces. They involve secure site design, planning for availability, and implementing physical access policies. Physical and environmental security also extends to monitoring access, logging movements, and ensuring a trail of data is maintained for businesses to audit.

How does information security work in the cloud?

When a business uses cloud services, security and compliance become a shared responsibility between the cloud provider and the company. This dual responsibility is known as the shared responsibility model and refers to the respective tasks that each party must fulfill to help ensure cloud security.

The customer assumes responsibility for managing customer data, platform, applications, identity and access management, client data encryption, and network configuration, among other tasks. The cloud provider is responsible for any infrastructure that runs any services within the cloud, like hardware, software, or networking run by the cloud provider.

The specific nature of the shared responsibility will depend on the cloud provider that a company chooses to partner with. The division of that responsibility is commonly understood as security “of” the cloud versus security “in” the cloud.

How can AWS support your information security requirements?

At AWS, security is our top priority. AWS is architected to be the most secure global cloud infrastructure on which to build, migrate, and manage applications and workloads. This is backed by the trust of our millions of customers, including the most security-sensitive organizations like government, healthcare, and financial services.

Security is a shared responsibility between AWS and the customer. This shared model can help alleviate the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. We support a wide range of security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, and FIPS 140-3, helping customers meet compliance requirements worldwide. We also provide you with full control over your own data, allowing you to determine how your data is used, who has access to it, and how it is encrypted.

AWS security services can further support your information security efforts in the cloud. For example:

Get started with information security on AWS by creating a free account today.