Hostman Blog

Information Security (InfoSec): Definition, Principles Triad, and Threats

20 Oct 2025
Hostman Team

Information security refers to the methods used to protect information from outsiders, that is, from anyone who should not have access to it. For example, a marketer typically has no reason to view the company's financial statements, and an accountant doesn't need to see internal documents from the development department.

Before the era of universal digitization, it was mainly paper documents that needed protection. They were hidden in safes, secret messages were encrypted, and information was transmitted through trusted people. Today, computer security is the foundation of any business.

InfoSec Principles

Information security is based on three principles: confidentiality, integrity, and availability.

  • Confidentiality: data is received only by those who have the right to it. For example, application mockups are stored in Figma, with access limited to designers and the product manager.

  • Integrity: data is stored in full and is not changed without permission from authorized persons. Suppose there's code in a private repository. If an unauthorized person gains access to the repository and deletes part of the project, this violates integrity.

  • Availability: if an employee has the right to access information, they receive it. For example, every employee can access their email. But if the email service is attacked and made unavailable, employees won't be able to use it.

Adhering to these principles helps achieve the goal of information security: to reduce the likelihood of, or eliminate, unauthorized access, modification, distribution, and deletion of data.

Many companies also adopt a zero-trust security approach that assumes no user or system should be trusted by default. This reinforces all three principles by requiring continuous verification.
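The following example is added here to make the three principles concrete in code; it is not code from the Hostman article. It models a constructed access policy (the resource names, roles and the 32-byte tag key are assumptions for the example): every request is checked against the policy and denied unless explicitly granted (confidentiality, with the zero-trust idea that nothing is trusted by default), and every stored record carries an HMAC tag so a modification made outside the authorized path is detected on the next read (integrity).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed example policy: resource -> role -> permitted actions.
# Anything not listed is denied: a request is granted only when the policy
# explicitly allows that role to take that action on that resource.
POLICY = {
    "design/mockups": {"designer": {"read", "write"}, "product_manager": {"read"}},
    "finance/statements": {"accountant": {"read", "write"}, "cfo": {"read"}},
}


class AccessDenied(Exception):
    """Raised when a role requests an action the policy does not grant (confidentiality)."""


class IntegrityError(Exception):
    """Raised when a stored record no longer matches its authentication tag (integrity)."""


def authorize(role: str, resource: str, action: str) -> bool:
    """Deny-by-default check: True only if the policy explicitly grants the action."""
    return action in POLICY.get(resource, {}).get(role, set())


class SealedStore:
    """Toy record store: every access is authorized, every record carries an HMAC tag."""

    def __init__(self, key: bytes | None = None):
        # The tag key stays inside the store; whoever edits records without it
        # cannot produce a tag that verifies.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def _tag(self, name: str, data: bytes) -> bytes:
        # Bind the tag to the record name as well as its contents so that
        # a valid record cannot be copied over a different one.
        return hmac.new(self._key, name.encode("utf-8") + b"\x00" + data, hashlib.sha256).digest()

    def put(self, role: str, name: str, data: bytes) -> None:
        if not authorize(role, name, "write"):
            raise AccessDenied(f"{role} may not write {name}")
        self._records[name] = (data, self._tag(name, data))

    def get(self, role: str, name: str) -> bytes:
        if not authorize(role, name, "read"):
            raise AccessDenied(f"{role} may not read {name}")
        data, tag = self._records[name]
        # compare_digest avoids leaking tag bytes through timing differences.
        if not hmac.compare_digest(tag, self._tag(name, data)):
            raise IntegrityError(f"{name} was modified outside the authorized path")
        return data

    def overwrite_bypassing_checks(self, name: str, data: bytes) -> None:
        """Simulates an edit of the backing storage that skips the API (the old tag stays in place)."""
        _old_data, old_tag = self._records[name]
        self._records[name] = (data, old_tag)


def run_demo() -> dict[str, str]:
    """Walk through the situations from the article and report each outcome."""
    store = SealedStore()
    outcomes = {}
    store.put("designer", "design/mockups", b"mockups v1")
    outcomes["pm_reads"] = store.get("product_manager", "design/mockups").decode()
    try:
        store.get("marketer", "design/mockups")
        outcomes["marketer_reads"] = "granted"
    except AccessDenied:
        outcomes["marketer_reads"] = "denied"
    try:
        store.put("product_manager", "design/mockups", b"mockups v2")
        outcomes["pm_writes"] = "granted"
    except AccessDenied:
        outcomes["pm_writes"] = "denied"
    store.overwrite_bypassing_checks("design/mockups", b"mockups tampered")
    try:
        store.get("designer", "design/mockups")
        outcomes["tampered_read"] = "undetected"
    except IntegrityError:
        outcomes["tampered_read"] = "detected"
    return outcomes


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

Availability is the one principle this snippet cannot show on its own: it is a property of the service staying reachable (redundancy, backups, protection against denial of service), not of a single read or write.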

What Information Needs Protection

A company's information security depends on understanding which data needs protection.

Information can be publicly accessible or confidential.

  • Publicly accessible: this data can be viewed by anyone.
  • Confidential: available only to specific users.

At first glance, it seems that information security measures don't apply to publicly accessible information, but this isn't true. Only the principle of confidentiality doesn't apply to it. Publicly accessible data must still retain its integrity and, of course, remain available.

Take a user's page on a social network as an example. It contains publicly accessible information, and the social network ensures its availability and integrity. If the user hasn't changed their privacy settings, anyone can view the page, but nobody else can change anything on it.

At the same time, the account owner can configure confidentiality, for instance, hide their friends, groups they're subscribed to, and musical interests.

Confidential information also comes in different types. These can be:

  • Personal user data.
  • Trade secrets: information about how the company operates and which projects it runs and how.
  • Professional secrets, which must be kept by doctors, lawyers, notaries, and representatives of certain other professions.
  • Official secrets: for example, pension fund data, tax inspection information, banking details.
  • State secrets: intelligence information, data on economic conditions, foreign policy, science and technology.

This is not an exhaustive list, but rather an attempt to show how much data needs information security measures applied to it.

Possible Threats

The enormous list of potential threats is usually divided into four types:

  • Natural: for example, hurricanes or floods.
  • Man-made: phenomena related to human activity. They can be unintentional (employee error) or intentional (hacker attack).
  • Internal: threats that originate from within the system, such as from employees.
  • External: threats that originate from other sources, such as attacks by competitors.

With the mass adoption of remote work formats, the number of man-made threats, both external and internal, intentional and unintentional, has noticeably increased. Because of this, the workload on information security specialists has grown.

Today's threat environment includes several increasingly prevalent attack vectors:

  • Ransomware attacks: malicious software that encrypts company data and demands payment for its release. These attacks have become more sophisticated and targeted, often crippling entire organizations.
  • Supply chain attacks: compromising software or hardware providers to gain access to their customers' systems. Attackers exploit trust relationships between organizations and their vendors.
  • AI-powered threats: artificial intelligence is being used to create more convincing phishing campaigns, generate deepfakes for social engineering attacks, and automate vulnerability discovery. At the same time, AI is also being deployed defensively to detect and respond to threats faster.
  • Social engineering and deepfakes: attackers use AI-generated audio and video to impersonate executives or trusted individuals, making fraudulent requests appear legitimate.

Protection Measures

Organizational information protection measures are implemented at several control levels.

  • Administrative: the formation of standards, procedures, and protection principles. For example, developing a corporate security policy. At this level, it's important to understand what data you will protect and how.
  • Logical: protection of access to software and information systems. At this control level, access rights are configured, passwords are set, and secure networks and firewalls are configured.
  • Physical: at this level, physical infrastructure is controlled. This refers not only to access to equipment, but also to protection from fires, floods, and other emergency situations.
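
As an added example of one logical-level control (the "passwords are set" point above), here is a password storage routine that is not part of the Hostman article: the weak setting, a bare unsalted hash, sits next to the corrected form, a salted and iterated PBKDF2-HMAC-SHA256 hash verified in constant time. The record format, the minimum password length and the iteration count are assumptions chosen for this example (600,000 iterations is the figure OWASP currently recommends for PBKDF2-HMAC-SHA256).

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (600,000 follows current OWASP guidance).
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LENGTH = 12  # constructed policy value for this example


def unsalted_sha256(password: str) -> str:
    """The weak setting: a bare hash. Equal passwords give equal hashes, so a leaked
    table reveals shared passwords and precomputed hash tables apply directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing 'algorithm$iterations$salt$digest' string."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations_text, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations_text)
    except ValueError:  # covers bad field count, bad base64 and a non-numeric count
        return False  # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record uses fewer iterations than current policy, so it should be
    re-hashed at the user's next successful login."""
    try:
        algorithm, iterations_text, _salt, _digest = stored.split("$")
        return algorithm != "pbkdf2_sha256" or int(iterations_text) < PBKDF2_ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
```

Storing the iteration count inside each record is what makes `needs_rehash` possible: when the policy is raised later, old records keep verifying, and each account is upgraded the next time its owner logs in.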

Despite digitization, physical information protection remains just as important. Antivirus software and access rights separation won't help if attackers gain physical access to the server, and they won't save you in an emergency either. To eliminate such problems, Hostman uses infrastructure in protected data centers.