Security Assurance Stack
There are many different “assurance” terms used to define various parts of the network and information stack.
For most needs, terms like “software assurance” and “information assurance” suffice. However, I cannot find any place that really compares the two, other than noting that software assurance is one portion of the more general information assurance.
- Information Assurance
  - the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes [wikipedia]
- Software Assurance
  - the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software [DoD]
For a component stack, let us start with one like this used to compare Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) cloud architectures.
First, let’s make some simple modifications: flip it over, split application into software & services, and add the most important security element — people. Then we can more specifically visualize the difference between information assurance and software assurance (SwA):
While software assurance is fairly specific, information assurance is much more general and allows room for further division.
To fill out the remainder of the stack between software and information assurance, I propose the following terms and concepts:
- Platform Assurance
  - the confidence that the platform functions as intended, and its capabilities for managing risk and protecting the operating system platform, middleware, runtime, software, and services from exploits. This includes protections such as stack protections and randomized memory space.
- Infrastructure Assurance
  - the confidence that the infrastructure functions as intended, and its capabilities to mitigate risk and improve the security and reliability of the operating platforms. This includes redundancy, failovers, and all hardware protection mechanisms.