A Three Legged Stool in a Chair’s World: A Look at the C.I.A. Triad
Samuel Warren
IS461 - Information Security Overview
City University of Seattle
Professor Dan Morrill
31 January, 2011
Introduction
For many, the acronym C.I.A. induces the thought of shadowy figures making money or intelligence drops to an informant. However, for those in the field of Information Security, it conjures a different image entirely. C.I.A. stands for Confidentiality, Integrity, and Availability. While those terms are not quite as prestigious as working for the Central Intelligence Agency could be, they are nevertheless of the utmost importance when dealing with Security. The importance of these concepts as both a security framework and a starting point is unrivaled. This paper will discuss each concept in brief, its importance, and some of the drawbacks or more specific concerns that need to be addressed.
Confidentiality
As the internet and other new technologies expand the digital horizon, propelling us into the future, the need for confidentiality will increase along with it. History teaches that criminals will exploit this information. Keeping a person’s identity safe is a main pillar of Information Security. The way that is done is by masking the personal information so that it is harder to see, use, misuse, or record. But how is that managed? Keeping one’s identity a secret used to be relatively easy, prior to the popularity of the internet. One could choose to have their phone number unlisted, or maintain a centrally located Post Office Box at their local mail-room. The person would be able to manage who knows them, who can contact them, who they interact with and how much they interact with them. In today’s world, that becomes increasingly complex and difficult. If a person signs up on a site, such as their local bank, they put not only their name, address, and telephone number, but a link to their account information and Social Security information out where it could be intercepted.
While many places, like banks, have a form of assurance, they willingly submit their customers to risk every day that the customer’s information is out on the internet. Keeping that information confidential is of the utmost importance for those companies who wish to save money, and time, by having their customers transact online. They must be able to assure that the information will not end up in the wrong hands. The flip side of that is customers being willing to investigate the safety of their information. While many do not, that does not preclude the need for confidentiality. The standards must be raised to a level where information confidentiality is one of the highest priorities. By creating centralized standards for confidentiality, world-wide, Security professionals and other businesses that seek to transact online will be able to have a level playing field of assurance that identities are protected from those who wish to do ill with them. The issue at the heart of confidentiality is trust. People need to trust that their identities are not going to be stolen by another person. The problem with trust is that, depending on the person, it could take quite a long time for the trust to be gained, but one minor violation could spell disaster! In short, trust is hard fought, but easily broken.
Few know the importance of confidentiality more than those who serve as medical professionals.
Apart from its core role in professional integrity and trusting relationships, there are flatly pragmatic benefits we derive from taking confidentiality seriously in health care. Individuals share sensitive and perhaps embarrassing information about themselves with health professionals because they trust that it will go no further. Such trust is important for individual patients because it allows them to get treatment (Wynia, 2007, p. 1).
In the medical field, confidentiality is not just a nicety, it is a necessity. So many patients rely not only on their doctor keeping their information from falling into the wrong hands, but also on their doctor knowing what they are doing. Confidentiality is not the only thing that needs to be weighed in this equation; although its importance cannot be argued away, there is also the need for integrity.
Integrity
Integrity, along with the aforementioned concept, is crucial to maintaining a secure system. When integrity is spoken of, in its truest form, it means essentially having accurate data. Data integrity is a tough concept to measure because no two data sets are the same. In the context of a company, or broad, public information (such as name, address, telephone number), data sets can be similar. However, each company or group organizes the data slightly differently, as makes sense for them. Another reason it can be hard to maintain is the direct, almost constant, connection that humans have to the data sets. Because humans make mistakes, data integrity is a constant cycle of gather, verify, edit, validate. As described in a blog by Chad Perrin, “The key to this component of the CIA Triad is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that shouldn’t have been made the damage can be undone” (2007).
However, as many are undoubtedly aware, it becomes very hard to keep data integrity when the data needs to change frequently. Often, when data is changed, it goes through some sort of manual validation process. For example, when an individual calls into a customer service center for their internet service provider (ISP), their ISP may require the customer to verify their name, address, telephone number or another account detail. While some account details, such as the account number, do not change, addresses, phone numbers, and the like change very often. The process of applying the C.I.A. Triad in this case would become very time consuming, because one has to factor in all the potential changes in the data to allow for data integrity, then recheck the data integrity every time the data changes. How does a security specialist account for all the changes in data? How each person determines to account for data integrity should be by creating a careful balance between what can change and what should not change. By creating that balance and regularly auditing data files against that balanced model, one can have reasonable certainty of data integrity.
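One way to put the "balanced model" above into code, as an added example that is not part of the paper: the ISP customer record is split into fields that may legitimately change (address, phone) and fields that must not (account number, name, last four SSN digits). An HMAC seal is taken over the immutable fields only, every authorized change is journaled so a mistaken edit can be undone (Perrin's point), and a periodic audit recomputes the seal to detect changes made outside the authorized path. The key, field names and sample record are constructed for this example.

```python
import hashlib
import hmac
import json

# Key for the audit seal (constructed for this example; a real deployment
# would load it from a secrets store rather than source code).
AUDIT_KEY = b"constructed-example-key"

# The "balanced model": fields the customer may legitimately change versus
# fields that should never change once the account exists.
MUTABLE = {"address", "phone"}
IMMUTABLE = {"name", "account_number", "ssn_last4"}

# Constructed sample customer record (fictional values).
SAMPLE_RECORD = {"name": "A. Customer", "account_number": "000123",
                 "ssn_last4": "1234", "address": "1 Main St", "phone": "555-0100"}


def seal_record(record):
    """HMAC over the immutable fields only, so routine address or phone updates
    leave the seal valid while any change to a fixed field invalidates it."""
    fixed = {k: record[k] for k in sorted(IMMUTABLE)}
    msg = json.dumps(fixed, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


class CustomerRecord:
    def __init__(self, data):
        self.data = dict(data)
        self.seal = seal_record(self.data)
        self.history = []  # journal of (field, previous value) for undo

    def update(self, field, value):
        """Authorized change path: refuses immutable fields and journals every
        change so a mistaken edit can be reverted."""
        if field not in MUTABLE:
            raise PermissionError(f"{field} is immutable under the model")
        self.history.append((field, self.data[field]))
        self.data[field] = value

    def undo(self):
        """Revert the most recent authorized change."""
        field, previous = self.history.pop()
        self.data[field] = previous

    def audit(self):
        """Periodic check of the record against the model: True if no immutable
        field has changed since the seal was taken."""
        return hmac.compare_digest(seal_record(self.data), self.seal)
```

A direct write to `record.data` that bypasses `update()` models an unauthorized modification, and `audit()` reports it.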
Availability
Availability means having access to a system, having the data that is needed available when it is needed, and having some sort of protection of the data in place. If one were to approach data security from an overly aggressive posture, for example not allowing any access to anything regardless of the reasoning, work would not get done. It can be very easy to lock down data too much in the quest to ensure data security. However, one has to maintain balance. A perfect example of going too far with security lockdown is found in the November 2007 “Dilbert” comic strip. The first pane shows Mordac and his concept of security.
While one could look at his position as a justified posture, the fact that he refused to allow anyone access to the system, even essential groups, is the best example of what not to do. There needs to be a good balance between the elements of the triad. One cannot apply the other concepts too much without balancing the need for access and the need for available information.
Conclusion
The C.I.A. Triad is a valuable tool to gain a minimal understanding of how well a system is secured. Confidentiality, integrity, and accessibility (or availability) are far from a perfect model. As Perrin puts it on his aforementioned blog, “You may be noticing a trend here: the CIA Triad is entirely concerned with information. While this is the core factor of most IT security, it promotes a limited view of security that tends to ignore some additional, important factors [sic]” (2007). Some of those other important factors are the holes in physical security and in the input methods. While some of the holes can be plugged, using a more mature model that deals with a more complete set of concepts will help to ensure that information is kept secure. As mentioned, the triad is a tool to gain a very basic, minimal understanding. In many ways, it can be likened to a three legged stool. Confidentiality, integrity, and availability are the legs that support the weight of an organization. While a stool is good for supporting someone’s weight, there is no back support, and it is far less stable than a chair. If an organization wants to be truly secure, it can be done with a stool, but a chair provides much more in the realm of comfort and ease of use. Sure, it takes up more space (resource costs), but being truly secure and having your customers’ trust is worth the loss of space.
References
Adams, S. (2007, November 16). Mordac, the preventer of information services [Comic strip]. Dilbert Strips. Retrieved February 1, 2011, from http://dilbert.com/strips/comic/2007-11-16/
Perrin, C. (2011, June 30). The CIA Triad [Blog post]. IT Security blog, TechRepublic. Retrieved January 31, 2011, from http://www.techrepublic.com/blog/security/the-cia-triad/488
Wynia, M. K. (2007). Breaching confidentiality to protect the public: Evolving standards of medical confidentiality for military detainees. American Journal of Bioethics, 7(8), 1-5. doi:10.1080/15265160701577603