The CIA triad and friends


Unfortunately, the CIA triad is not as cool as it sounds. One can be forgiven for assuming it’s the wildest international intrigue since the Iran-Contra affair, but alas, the CIA triad is not a secret collaboration between American spies and Chinese gangsters.

If only…

Instead of bringing you into a world of international crime and subterfuge, we’re going to discuss some core information security principles:

  • Confidentiality
  • Integrity
  • Availability

The initials give us the CIA part, while the fact that there are three critical properties is where the triad comes in.

Our bible for today’s newsletter is ISO/IEC 27000:2018, which defines information security as the preservation of confidentiality, integrity and availability of information. So let’s delve into what each of these means.

Confidentiality

According to ISO/IEC 27000:2018, confidentiality is the “property that information is not made available or disclosed to unauthorized individuals, entities, or processes”. In other words, confidential information is information that is only accessible to authorized parties. If the bad guys get it, it’s not confidential anymore. We use tools like encryption and access controls to help ensure that our sensitive data stays confidential.

Integrity

Integrity is the “property of accuracy and completeness”. If our data gets tampered with by attackers or becomes corrupted, it’s not going to be very useful to us. We use an array of techniques such as digital signatures to allow us to verify whether information is accurate and complete.

Availability

Availability is the “property of being accessible and usable on demand by an authorized entity”. There’s no point in having confidential data that maintains its integrity if we can’t access it when we need it. If you throw a USB stick packed with business secrets into the Mariana Trench, it’s going to maintain its confidentiality—it’s just not going to be available when you need it. The integrity is also going to be questionable once the drive is waterlogged.

Other critical properties

While these qualities form the core of information security, they aren’t the only ones we need to be aware of. There’s also:

  • Authenticity – The “…property that an entity is what it claims to be”. Authenticity protections like digital signatures allow us to verify that someone is truly who they say they are.
  • Non-repudiation – The “…ability to prove the occurrence of a claimed event or action and its originating entities”. Non-repudiation basically means that someone can’t repudiate (deny) that they were responsible for a given action. We want our systems to include things like unique user accounts with strong authentication and logs, so that if something malicious happens, we can prove who did it. If our system is sloppy, the guilty party may be able to plausibly deny that they were responsible. It’s a lot harder for someone to do this if you enforce protections like strong passwords and multi-factor authentication.
  • Reliability – The “…property of consistent intended behavior and result”. Basically, we just want our systems to work as expected, every time. If we’re always getting errors or strange things keep occurring, this could compromise availability, or lead to overall security weaknesses that expose or corrupt information.

Each of these terms can often be interpreted in slightly different ways by various standards and legislation. There are also other important concepts that you may need to think about, such as privacy or the GDPR’s right to be forgotten. The latter can be critical for compliance if your service deals with data from European residents. Even concepts that we use in everyday language can come into play, like convenience and usability.

The point is that information security involves many properties that need to work together. Which properties matter, and in what proportions, will depend on the context. If the President wants to release a message to the world, he probably doesn’t care about confidentiality, but integrity and authenticity are super important. He wouldn’t want to encrypt it and keep it hidden from the public, but he would want to ensure that he has channels that only allow him to release messages under his name, with protections that prevent his messages from being altered.

Similarly, there’s no point in going overboard with your confidentiality and integrity protections if the ultimate result is that your data is often unavailable or unusable. Context is key, and the tools we use for information security need to be appropriate for our goals and constraints.
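The President scenario above, as an added example that is not part of the newsletter: a Go program using the standard library’s Ed25519 signatures. The announcement is published in the clear (confidentiality is deliberately absent), while the signature lets anyone holding the published public key check integrity (the text was not altered) and authenticity (it was issued by the key holder). The `Announcement` type, the helper names and the sample text are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Announcement is a public message: the text is distributed as plaintext,
// so it is not confidential, but it carries a signature that anyone can
// check for integrity and authenticity with the author's public key.
type Announcement struct {
	Text      string
	Signature []byte
}

// Publish signs the plaintext with the author's private key. Nothing is
// encrypted: the protection is that only the key holder can produce a
// signature that verifies under the published public key.
func Publish(priv ed25519.PrivateKey, text string) Announcement {
	return Announcement{Text: text, Signature: ed25519.Sign(priv, []byte(text))}
}

// Verify checks an announcement against the author's public key. It returns
// false if the text was altered (integrity) or if the signature was made by
// some other key (authenticity).
func Verify(pub ed25519.PublicKey, a Announcement) bool {
	return ed25519.Verify(pub, []byte(a.Text), a.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample announcement.
	genuine := Publish(priv, "All public offices reopen on Monday.")
	fmt.Println("genuine announcement verifies:", Verify(pub, genuine))

	// Integrity failure: the text is changed after signing.
	tampered := genuine
	tampered.Text = "All public offices close on Monday."
	fmt.Println("tampered announcement verifies:", Verify(pub, tampered))

	// Authenticity failure: someone else signs the same text with their own key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Publish(otherPriv, genuine.Text)
	fmt.Println("forged announcement verifies:", Verify(pub, forged))
}
```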


Cybersecurity and privacy writer.
