About

Archive

Search

Confidentiality, Integrity, Availability: The three components of the CIA Triad

2012-08-20 by Terry Chia. 4 comments

This is a community blog for IT Security Stack Exchange. More community blogs are available at Blog Overflow.

Subscribe via RSS

In this post, I shall be exploring one of the fundamental concepts of security that should be familiar with most security professionals and students: the CIA triad. What is the CIA triad? No, CIA in this case is not referring to the Central Intelligence Agency. CIA refers to Confidentiality, Integrity and Availability. Confidentiality of information, integrity of information and availability of information. Many security measures are designed to protect one or more facets of the CIA triad. I shall be exploring some of them in this post. Confidentiality When we talk about confidentiality of information, we are talking about protecting the information from disclosure to unauthorized parties. Information has value, especially in todays world. Bank account statements, personal information, credit card numbers, trade secrets, government documents. Every one has information they wish to keep a secret. Protecting such information is a very major part of information security. A very key component of protecting information confidentiality would be encryption. Encryption ensures that only the right people (people who knows the key) can read the information. Encryption is VERY widespread in todays environment and can be found in almost every major protocol in use. A very prominent example will be SSL/TLS, a security protocol for communications over the internet that has been used in conjunction with a large number of internet protocols to ensure security. Other ways to ensure information confidentiality include enforcing file permissions and access control list to restrict access to sensitive information. Keeping valuable algorithms secret This is an excellent question on Security.Stackexchange that covers how to keep important information confidential. Similar questions can be found here. Integrity Integrity of information refers to protecting information from being modified by unauthorized parties. Information only has value if it is correct. Information that has been tampered with could prove costly. For example, if you were sending an online money transfer for $100, but the information was tampered in such a way that you actually sent $10,000, it could prove to be very costly for you. As with data confidentiality, cryptography plays a very major role in ensuring data integrity. Commonly used methods to protect data integrity includes hashing the data you receive and comparing it with the hash of the original message. However, this means that the hash of the original data must be provided to you in a secure fashion. More convenient methods would be to use existing schemes such as GPG to digitally sign the data. Why arent application downloads routinely done over HTTPS?

Latest Articles
QoTW #50: Does password protecting the BIOS help in securing sensitive data QoTW #49: How can someone go off-web, and anonymise themselves after a life online? Attacking RSA through Sound Debunking SQRL Stump the Chump with Auditd 01 view all posts

Topics
Access Controls (6) Attack (14) Authentication (11) Business (14) Community (10) Configuration (14) Crypto (17) Data (4) ethics (2) Firewall (1) Hijack (7) Network (5) News (10) Password (12) Question of the Week (27) Risk (12) Standards (8) Uncategorized (6) Virtualisation (1) Wireless (2)

Twitter
This is a question regarding data integrity, with several suggestions on how to protect data integrity. You can find more questions with the integrity tag here. Availability
Follow @StackSecurity on Twitter!

Latest Comments
Availability of information refers to ensuring that authorized parties are able to access the information when needed. Information only has value if the right people can access it at the right times. Denying access to information has become a very common attack nowadays. Almost every week you can find news about high profile websites being taken down by DDoS attacks. The primary aim of DDoS attacks is to deny users of the website access to the resources of the website. Such downtime can be very costly. Other factors that could lead to lack of availability to important information may include accidents such as power outages or natural disasters such as floods. How does one ensure data availability? Backup is key. Regularly doing off-site backups can limit the damage caused by damage to hard drives or natural disasters. For information services that is highly critical, redundancy might be appropriate. Having a off-site location ready to restore services in case anything happens to your primary data centers will heavily reduce the downtime in case of anything happens. Generated with www.html-to-pdf.net Conclusion
user40199: Hint to changing ID,
remember information about you is exact science otherwise you have to be who it sees....

shookees: Truly nice insights! 24 hr locksmith,: very sweet blog and

it content about Why do we lock our computers? very useful information also so...

Shalin: I draw these kinds of network

diagrams and I know how important they are to understand network concepts. Its...

Importance of Mining sector in economic growth of Australia:

Page 1 / 3

power outages or natural disasters such as floods. How does one ensure data availability? Backup is key. Regularly doing off-site backups can limit the damage caused by damage to hard drives or natural disasters. For information services that is highly critical, redundancy might be appropriate. Having a off-site location ready to restore services in case anything happens to your primary data centers will heavily reduce the downtime in case of anything happens. Conclusion The CIA triad is a very fundamental concept in security. Often, ensuring that the three facets of the CIA triad is protected is an important step in designing any secure system. However, it has been suggested that the CIA triad is not enough. Alternative models such as the Parkerian hexad (Confidentiality, Possession or Control, Integrity, Authenticity, Availability and Utility) have been proposed. Other factors besides the three facets of the CIA triad are also very important in certain scenarios, such as non-repudiation. There have been debates over the pros and cons of such alternative models, but it is a post for another time. Thank you for reading. Filed under Business Tagged:
availability

computers? very useful information also so...

Shalin: I draw these kinds of network

diagrams and I know how important they are to understand network concepts. Its...

Importance of Mining sector in economic growth of Australia:

Thanks for sharing your real experience. This will help...

confidentiality

integrity

Exploiting ATMs: a quick overview of recent hacks | QOTW #33 Communications infrastructure after a nuclear explosion

4 Comments
Subscribe to comments with RSS.

Marinus says:
2012-09-18 at 8:37 am

The problem is that the debate hasnt progressed. http://telicthoughts.blogspot.com/2009/02/whenone-thinks-of-securing-information.html

Reply to this Comment

Changing your ssh servers port from the default: Is it worth it? | major.io says:
2013-05-15 at 4:43 am

[...] Before I go any further, lets settle the security through obscurity argument. (This could probably turn into its own post but Ill be brief for now.) Security should always be applied in layers. This provides multiple levels of protection from initial attacks, like information gathering attempts or casual threats against known vulnerabilities. In addition, these layers of security should be applied within the environment so that breaking into one server after getting a pivot point in the environment should be just as difficult (if not more difficult) than the original attack that created the pivot point. If security through obscurity tactics make up one layer of a multi-layered solution, Id encourage you to obscure your environment as long as it doesnt affect your availability. [...]
Reply to this Comment

Major Hayden: Changing your ssh servers port from the default: Is it worth it? | NIXway.com says:
2013-05-17 at 9:35 am

[...] Before I go any further, lets settle the security through obscurity argument. (This could probably turn into its own post but Ill be brief for now.) Security should always be applied in layers. This provides multiple levels of protection from initial attacks, like information gathering attempts or casual threats against known vulnerabilities. In addition, these layers of security should be applied within the environment so that breaking into one server after getting a pivot point in the environment should be just as difficult (if not more difficult) than the original attack that created the pivot point. If security through obscurity tactics make up one layer of a multi-layered solution, Id encourage you to obscure your environment as long as it doesnt affect your availability. [...]
Reply to this Comment

CIA (Confidentiality, Integrity, Availability) | Handisonj says:

2013-09-16 at 5:17 pm

[] http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-threecomponents… []
Reply to this Comment

Generated with Leave awww.html-to-pdf.net comment

Name (required)

Page 2 / 3

Leave a comment
Name (required)

Log in
with Stack Exchange

or

Mail (will not be published) (required) Website

Type the text

Privacy & Terms

Submit comment

Stack Exchange 2014 Entries (RSS) and Comments (RSS). CC-Wiki

Generated with www.html-to-pdf.net

Page 3 / 3