The CIA Triad – Security Blog #2

No, I’m not going to talk about the Central Intelligence Agency (responsible for providing national security intelligence to the US). This particular triad, which some people call AIC to avoid confusion with the other CIA, stands for Confidentiality, Integrity and Availability.

“CIA Bitchessss” by Erik bij de Vaate (CC BY-NC-ND). From https://www.flickr.com/photos/mediadeo/5762931134

In general, confidentiality is the property that limits who can access information, integrity is the assurance that information is accurate and trustworthy, and availability is the guarantee that authorized people can reach the information when they need it. Together these concepts form a model that helps people think in security terms.

Confidentiality

The purpose of this property is to ensure that every piece of information reaches only the appropriate people and that no sensitive information is disclosed.

To make sure this happens, levels of authentication and authorization for information access must be enforced, and information must be organized into categories and collections with corresponding discretion rules.

Some methods used to ensure confidentiality are data encryption, two-factor authentication, biometric verification and security tokens. In extreme cases, air gapping is used, or the information is kept only as hard copies.

Integrity

The purpose of this component is to protect data from unauthorized modifications, or to make sure that an option to undo such changes is always available. Integrity also involves making sure that data is always consistent, accurate and trustworthy.

Some methods used to ensure integrity are typical system file permissions, user access control and version control. Data may carry checksums so that modifications can be detected. Backups and redundancy are important for recovering from breaches of integrity.
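As an added example (not code from the original post), here is the checksum idea from the paragraph above in Python, run over a constructed sample record. It also shows a caveat a defender should keep in mind: an unkeyed checksum only catches accidental corruption, because whoever can modify the data can recompute it, whereas a keyed HMAC also detects deliberate tampering by anyone who lacks the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the post): a stored record and a
# modified copy in which the role field has been changed.
RECORD = b"user=alice;role=viewer;quota=10"
TAMPERED = b"user=alice;role=admin;quota=10"


def checksum(data: bytes) -> str:
    """Unkeyed integrity check (SHA-256): detects accidental corruption."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(checksum(data), expected)


def mac(key: bytes, data: bytes) -> str:
    """Keyed integrity check (HMAC-SHA256): detects deliberate modification."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac(key, data), expected)


def demo() -> dict:
    """Returns which integrity checks pass or fail on the sample data."""
    key = secrets.token_bytes(32)          # kept secret by the verifier
    stored_sum = checksum(RECORD)          # stored alongside the record
    stored_mac = mac(key, RECORD)
    return {
        "checksum_ok": verify_checksum(RECORD, stored_sum),
        "checksum_detects_change": not verify_checksum(TAMPERED, stored_sum),
        # Anyone who can edit the data can also recompute an unkeyed checksum,
        # so the check passes on tampered data with a freshly computed sum.
        "checksum_fooled_by_recompute": verify_checksum(TAMPERED, checksum(TAMPERED)),
        "mac_ok": verify_mac(key, RECORD, stored_mac),
        "mac_detects_change": not verify_mac(key, TAMPERED, stored_mac),
        # Without the key, no valid MAC can be produced for the modified data.
        "mac_rejects_forgery": not verify_mac(key, TAMPERED, mac(b"wrong-key", TAMPERED)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```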

Availability

This is very straightforward: this property assures that the data is available. All systems involved in protecting and serving the information must be up to provide it when requested. Power outages, hardware upgrades and hardware failures must be taken into account in the availability design. DoS and DDoS attacks might compromise the service.

Some approaches to ensure availability are adequate bandwidth, redundancy, failover and high-availability clusters. Disaster recovery is essential in case of data loss, and backups are a must.

Now, I found an interesting article that talks about the challenges of the CIA paradigm.

It talks about 3 concepts that pose an extra challenge for the CIA triad:

  • Big data

The high volume of data can pose a big challenge to safeguarding the information, mainly because of the high number of different data sources and the high cost of maintaining duplicates and disaster recovery plans.

  • IoT Privacy

One IoT device on its own might not generate important information, but multiple devices together can provide relevant data in the event of a breach.

  • IoT Security

This topic has been mentioned in class many times. There are so many IoT devices that aren’t patched or updated, or that lack safe passwords, that these devices are an excellent source of thingbots and eventual botnets.

And that’s it for this post.

The topics are getting more and more related to each other now.

Miguel A. Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ
