Security Basic Training: The CIA Triad

The CIA Triad Information Security is a game of tradeoffs. The most common way these trade offs are represented is the CIA Triad. It is often visually represented as a triangle with the three tenants (concepts, principles, whatever) written across each side. Then as the security of your project is being evaluated a dot will be drawn on each side of the triangle relative to the (evaluators perceived) level of each tenant.

In most cases the goal is to find an absolute balance so that the evaluation of your proposed security solution has dots in the exact center of each of the three sides. The idea is as security (confidentiality and integrity) is increased the availability (usability) will go down. In cases that require high security, this is absolutely acceptable.

The triad is broad and flexible enough that it can generally be used to gauge any product, project, problem or system. Because of this, the three tenets can often mean different things in different situations. I will explain them in the most general terms that will apply to most situations, but be aware that this is in no way exhaustive.

Confidentiality: Confidentiality is all about keeping things that are supposed to be secret… well… secret. Safeguards that would fall into this category include cryptography and anti-spyware. Attacks against confidentiality include sniffing, key logging and cryptanalysis.

Integrity: In the world of information security this is most generally likened to authentication. Non-repudiation is essentially what this one is all about. This can mean either proving you are who you say you are or the file has been unaltered. Other examples of how integrity comes into play in information security include code signing, file checksums, logins and biometrics or using PGP to digitally sign emails.

Availability: When most IT administrators think of the word ‘availability’ the first term that pops into their head is ‘up-time’. To be available is to be accessible by users. While that is still true in this case, it is also only a very small part of the availability definition. This is the one that often gets pushed lower as integrity and confidentiality get pushed higher. Availability can also be thought of as usability. How easy or hard is it for the end user to utilize your system.

Examples of situations that you could benefit from using the CIA triad could range from a user requesting to use their personal laptop at work to individual pieces of a new password policy.

A good example that was recently presented to me was the ballad of Bob (obviously not his real name). Bob works for Company A and Company B (obviously not the real companies, either) and splits his time between both with his laptop. Bob physically works from both offices and needs to access resources on the Active Directory domain of each company. Unfortunately, no trust relationship exists between these two domains.

The IT staff came to me with this dilemma and had three possible solutions; they wanted my input on which is the most ‘secure’.

Solution 1. Set Bob up with a network account under each active directoryCIA Triad: Example 1 domain: have him log in to which ever one he needs access to at the time. Although he may be physically working from Company A, he will likely still need to access resources from Company B and vice versa. Although this will allow both companies to stay in line with their security policy regarding expiring passwords and maximum password age, it introduces problems with file synchronization and having to login and out multiple times per day. Bob would likely perceive this to be a pain in the butt.

Solution 2.Create a local profile on Bob’s laptop and have him manually CIA Triad: Example 2map to the resources he needs access to and set his passwords to never expire on both domains. Bob would likely really like this solution as it involves less work and inconvenience for him. As you can see from the associated figure it would bring accessibility up on the triad while increasing the risk due to no password expiration.

Solution 3.Because Company A and Company B are both bound by internal andCIA Triad: Example 3 industry regulations regarding maximum password age, a third (hybrid) solution was developed. This involves Bob working from a local profile (as seen in solution 2) but having to log into each domain once per password cycle to change his passwords before expiration. As you can see by the figure, this provides and acceptable level of risk and accessibility.

From the above example you can see, even if you aren’t an information security professional, knowing and applying the CIA Triad is a good way to evaluate technology choices and serves as visual way to back up your decisions to management. Without much explanation management grasps why you would want the balance in the picture and will be more willing to follow your advice.

One Reply to “Security Basic Training: The CIA Triad”

  1. Pingback: IT Blogwatch

Comments are closed.