Security

The CIA Triad

The CIA Triad is a venerable, well-known model for security policy development, used to identify problem areas and necessary solutions for information security. Read on for an introduction to the CIA Triad's strengths and weaknesses.

In "Knowing the superficial side of security is important, too," I mentioned the CIA Triad as an example of the sort of "industry standard" terms that the user should know. You could go look it up elsewhere yourself, of course, but I'll help you get started.

Central Intelligence Agency?

The meaning of CIA that is probably most familiar to my readers is the Central Intelligence Agency -- "an independent US Government agency responsible for providing national security intelligence to senior US policymakers." In this case, however, the CIA in CIA Triad stands for something else: Confidentiality, Integrity, and Availability.

The CIA Triad is a security model developed to help people think about important aspects of IT security -- or maybe to give someone a way to make money on another buzzword. I don't know enough about the origins of the term to know for sure. Let's just go with the optimistic interpretation that it was created with the best of intentions.

Confidentiality

In "Privacy is security," I discussed the importance of protecting your most sensitive information from unauthorized access. Roughly synonymous with privacy as a security concern is the Confidentiality part of the CIA Triad.

Protecting confidentiality hinges upon defining and enforcing appropriate access levels for information. Doing so often involves separating information into discrete collections organized by who should have access to it and how sensitive it is (i.e., how much and what type of damage you would suffer if confidentiality was breached).

Some of the most commonly used means of managing confidentiality on individual systems include traditional Unix file permissions, access control lists, and both file and volume encryption.

Integrity

The I in CIA stands for Integrity -- specifically, data integrity. The key to this component of the CIA Triad is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that shouldn't have been made, the damage can be undone.

Some data should not be inappropriately modifiable at all, such as user account controls, because even a momentary change can lead to significant service interruptions and confidentiality breaches. Other data must be much more available for modification than such strict control would allow, such as user files -- but changes should be reversible as far as reasonably possible in case they are later regretted (as when the wrong files are accidentally deleted). For circumstances where changes should be easy for authorized personnel, but easily undone, version control systems and more traditional backups are among the most common measures used to ensure integrity. Traditional Unix file permissions, and even more limited file permission systems like the read-only file flag in MS Windows 98, can also be an important factor in single-system measures for protecting data integrity.
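The Confidentiality and Integrity sections above both point at Unix file permission bits as a first-line control. As an added example (not code from the original article), the script below maps those bits onto the two properties: read bits granted to "group" or "other" on a file you have declared sensitive are a confidentiality finding, and write bits granted to "group" or "other" on any file are an integrity finding. The directory layout, file names and mode values are constructed here for illustration; which files count as sensitive is an assumption the caller supplies.

```python
"""Audit file permission bits against confidentiality and integrity expectations.

Added example, not from the original article. Confidentiality: a file marked
sensitive must not be readable by group/other. Integrity: no file should be
writable by group/other unless that was intended. The sample tree is
constructed in a temporary directory so the script runs offline.
"""
import os
import stat
import tempfile
from pathlib import Path


def classify_mode(mode: int, sensitive: bool) -> list:
    """Return a list of CIA findings for one file's st_mode value.

    sensitive=True means the file holds data that must stay confidential;
    whether group access is acceptable depends on your access scheme, so the
    group-readable finding is reported separately from world-readable.
    """
    findings = []
    if sensitive and mode & stat.S_IROTH:
        findings.append("confidentiality: world-readable")
    if sensitive and mode & stat.S_IRGRP:
        findings.append("confidentiality: group-readable")
    if mode & stat.S_IWOTH:
        findings.append("integrity: world-writable")
    if mode & stat.S_IWGRP:
        findings.append("integrity: group-writable")
    return findings


def audit_tree(root: Path, sensitive_names: set) -> dict:
    """Walk root and return {relative path: findings} for every file with findings."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        findings = classify_mode(path.stat().st_mode, path.name in sensitive_names)
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


def build_sample_tree() -> Path:
    """Create a constructed sample layout with deliberately mixed permissions."""
    root = Path(tempfile.mkdtemp(prefix="cia_audit_"))
    (root / "secrets.txt").write_text("constructed sample secret\n")
    os.chmod(root / "secrets.txt", 0o644)  # readable by everyone: confidentiality finding
    (root / "report.txt").write_text("constructed public report\n")
    os.chmod(root / "report.txt", 0o666)   # writable by everyone: integrity finding
    (root / "notes.txt").write_text("constructed notes\n")
    os.chmod(root / "notes.txt", 0o640)    # owner rw, group r: no finding
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, found in audit_tree(sample_root, {"secrets.txt"}).items():
        print(rel, "->", ", ".join(found))
```

The audit deliberately reports bits, not intent: a world-writable file may be exactly what a shared drop directory needs, so the report is a worklist for a reviewer rather than an automatic verdict.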

Availability

The last component in the CIA Triad refers to the Availability of your data. Systems, access channels, and authentication mechanisms must all be working properly for the information they provide and protect to be available when needed.

High Availability systems are those computing resources whose architectures are specifically oriented toward improving availability. Depending on the specific HA system design, it might be built to ride through power outages, upgrades, and hardware failures, it might manage multiple network connections to route around network outages, or it might be designed to deal with potential availability problems such as Denial of Service attacks.

Many approaches to availability improvements exist, such as HA clusters, failover redundancy systems, and rapid disaster recovery capabilities as in the case of image-based network boot systems. If your business models or other needs require maximum effective uptime, such options should be investigated in depth.
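The failover redundancy mentioned above comes down to a simple loop: probe the primary, and if it does not answer within a bound, move to the next standby rather than letting the whole service stall. The example below is added here and is not code from the article; it models that loop with a pluggable health probe so it runs offline, and quarantines a replica for a cooldown period after repeated failed probes so a dead primary is not re-tested on every request. The replica names and addresses are constructed placeholders.

```python
"""Ordered failover with health probes and a cooldown for failed replicas.

Added example, not from the original article. A FailoverPool holds a primary
and its standbys in preference order; select() returns the first replica
whose probe succeeds. The probe is injected (a real one would open a TCP
connection or fetch a health URL with a timeout), so this runs offline.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Replica:
    name: str
    address: str          # constructed placeholder, never contacted here
    failures: int = 0     # consecutive failed probes


@dataclass
class FailoverPool:
    replicas: list
    probe: Callable[[Replica], bool]
    max_failures: int = 3        # quarantine after this many consecutive failures
    cooldown_s: float = 30.0     # how long a quarantined replica is skipped
    _down_since: dict = field(default_factory=dict)

    def _eligible(self, replica: Replica, now: float) -> bool:
        """A replica is eligible unless it is inside its quarantine window."""
        since = self._down_since.get(replica.name)
        if since is None:
            return True
        if now - since >= self.cooldown_s:
            del self._down_since[replica.name]   # cooldown over: give it another chance
            replica.failures = 0
            return True
        return False

    def select(self, now: Optional[float] = None) -> Optional[Replica]:
        """Return the first healthy eligible replica in preference order, or None."""
        now = time.monotonic() if now is None else now
        for replica in self.replicas:
            if not self._eligible(replica, now):
                continue
            if self.probe(replica):
                replica.failures = 0
                return replica
            replica.failures += 1
            if replica.failures >= self.max_failures:
                self._down_since[replica.name] = now
        return None


def demo() -> tuple:
    """Constructed scenario: the primary is down, both standbys are up.

    Returns (names chosen on four successive selects, every replica probed).
    """
    status = {"primary": False, "standby1": True, "standby2": True}
    probed = []

    def probe(replica: Replica) -> bool:
        probed.append(replica.name)
        return status[replica.name]

    pool = FailoverPool(
        [Replica("primary", "10.0.0.1:5432"),
         Replica("standby1", "10.0.0.2:5432"),
         Replica("standby2", "10.0.0.3:5432")],
        probe,
    )
    # Pass explicit clock values so the quarantine behaviour is deterministic.
    chosen = [pool.select(now=t).name for t in (0.0, 1.0, 2.0, 3.0)]
    return chosen, probed


if __name__ == "__main__":
    picks, probes = demo()
    print("served by:", picks)
    print("probes issued:", probes)
```

In the constructed scenario the primary is probed on the first three calls, hits the failure threshold, and is then skipped on the fourth call without a probe; every request is still served by standby1, which is the availability property the article is after.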

A limited model

You may be noticing a trend here: the CIA Triad is entirely concerned with information. While this is the core factor of most IT security, it promotes a limited view of security that tends to ignore some additional, important factors. For instance, while Availability might serve to ensure that you do not lose access to resources you need to provide information when it is needed, thinking about information security in and of itself in no way guarantees that someone else isn't making unauthorized use of your hardware resources.

You should know about the CIA Triad and how it is often used to plan and implement good security policy, and understand the principles behind it. You should also understand its limitations: it is not the sum total of good security policy requirements and should not be used as a checklist for security matters without realizing it's only a starting point. Like any formalized framework, it gives the appearance of a tempting holistic security model, and it might even be very helpful as a beginning to security policy development, but it should never be treated as the end.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

11 comments
Doug Vitale

Don't forget the other big triad in information security - AAA, authentication, authorization and accounting.

BALTHOR

One virus in the DSL and the whole thing goes down.

apotheon

The CIA Triad deals with three important factors of security:

1. Information Confidentiality
2. Information Integrity
3. Information Availability

What other factors do you consider important for developing a comprehensive security policy?

Digger Dave

My 'periodic table' of security properties includes CIA and adds a 4th 'element', Accountability - defined as tracking the identity of persons or processes and their actions applied to the information asset. These 'elements' can be used to construct other 'molecules' such as non-repudiation. The controls to prevent the compromise of the CIAvAc properties can be grouped into a number of categories, for example:

- policy
- technical (& physical)
- architecture
- people
- process
- governance

mad2223

With the rise in online transactions, as well as increased remote access and wireless connectivity, probably the addition of authentication and non-repudiation are good add-ons to the triad. Authenticating the person into a system and making sure they are who they say they are seems like an obvious requirement. With the addition (expansion?) of multi-factor authentication methods throughout our everyday lives, this seems like an issue that needs to be taken very seriously. The days of using only a username/password combo are fading fast. Non-repudiation deals with verifying that messages are sent by identifiable and verifiable senders - the sender cannot deny his message once he sends it.

NotSoChiGuy

...Information Accountability. This covers InfoSec policies being enforceable, being widely known, and all stakeholders being properly educated.

xman_rbs

I'd also like to suggest another A for Auditability. This implies logging and analysis of those logs. Being able to see who did what is a very important part of any overall security program.

apotheon

I was hoping someone would come up with Accountability. It's a commonly overlooked, but very important, element of security policy.