Confidentiality, integrity, and availability

One of the main components of ISO 27k is something called the CIA triad (of course, this has nothing to do with either the Mafia and/or the US Central Intelligence Agency).

In information security, the CIA triad is widely accepted as a model. It’s not a single doctrine, and there is no single author of it either. On the contrary, the model seems to have evolved over time, with roots that go back as far as modern computing. It appears that Ben Miller, vice president of Dragos, is the only one who has done any research into the triad’s origins. When he went looking for the origins of this model, more than a decade ago, he couldn’t find anything. Concepts appear to have been pulled from a variety of sources, including a 1976 Air Force report and a paper from the 1980s comparing commercial and military computer systems.

It’s mostly based on a triangle made of confidentiality, integrity, and availability, which are the main pillars of IT security.

Figure 1.1 – CIA triad

Whatever the case may be, the CIA triad includes the following three elements:

• A company’s data must be kept private to maintain confidentiality. This usually means that data should only be accessed or modified by processes and users who have been granted permission to do so.
• Integrity is the quality of being able to have confidence in one’s data. An accurate and authentic record should be kept in a safe place where it cannot be changed or tampered with.
• Authorized users should be able to access data at any time (availability), just as it is critical to keep unauthorized users out of an entity’s data in the first place. Maintaining a stable network of computers, servers, and other devices is to be considered an integral part of availability.

Let’s see an example to better understand these concepts.

You are sending an email to me because you’d like me to clarify some concepts you don’t understand (probably because they were badly explained by me – who knows). While preparing the email, you also attach a document in which there’s the part you don’t understand. Finally, you send the email.

In this case, confidentiality means that you sent this email to me and to me only. Unless a third party was involved in our email exchange, this email is sent exclusively to me.

If you send me a message with a few words, including Dear Mr., some sort of body text, some salutation at the end, and an attachment, I will receive exactly that message body and that attachment (this is integrity; if we want, we can measure the number of kilobytes used to send that message and you can bet that the body text and attachment are the same size).

Finally, we can log in to an email server at any time, 24/7, using our email client, and check whether there are new messages: that’s availability.

But, of course, this is just an example of how to adopt the CIA triad.

Access control methods such as two-factor authentication and passwordless sign-on are examples of confidentiality. However, it’s not just about allowing authorized users access; it’s also about preventing certain files from being accessed. Both accidental disclosure and malicious attacks can be prevented by using encryption.

Access control and encryption can help maintain data integrity, but there are many other ways to protect data integrity, both from attacks and corruption. It can be as simple as making a file read-only at times. In some cases, data can be audited using hashing or data checksums, which ensure the integrity of the data. In some cases, the integrity of a system may be shielded from external influences.

Availability refers to the ability of your systems to remain operational in the event of an attack. Distributed Denial of Service (DDoS) attacks, for example, are based on a lack of resources. You can ensure uptime by building redundancy into your systems to combat DDoS attacks. In the absence of an attack, systems can still fail and become unavailable, so load balancing and fault tolerance can be used to prevent systems from failing.

It is important for security professionals of all kinds to understand these concepts. For information security professionals, the triad of these three concepts makes it easier to think about the interrelationships, overlaps, and conflicts between them. Security professionals can use the tension between the triad’s three legs to determine their information security priorities and procedures.