Blog Post

Security Basics - The C-I-A Triad

,

In the course of giving my security presentations over the past year, I've learned that quite a few folks have never seen the C-I-A triad before. The C-I-A triad stands for:

  • Confidentiality
  • Integrity
  • Availability

It's often illustrated using a triangle like so:

 C-I-A Triad

 The C-I-A triad forms the basis of how to start thinking about information/data security. The three words mean the following when applied to security:

  • Confidentiality - Only people authorized to read the data can do so. Usually, the following is included: and they do so only through authorized means or methods.
  • Integrity - Only people authorized to change the data can do so. Again, the following is usually included: and they do so only through authorized means or methods.
  • Availability - The data is available to authorized people when they need it.

In security we often focus on the first two items and forget about the last, availability. To do this, however, is a mistake. Typically I find business users and development staff focused on the last, availability, and not so worried about the first two. again, this is a mistake. Good information security balances all three to ensure a reasonably secure system. What do I mean by reasonably secure? It depends on the data. If we're talking about who brought what to the bake sale, there's probably not a lot of security required there. But then again, if we're talking about intellectual property, such as something for which a patent, copyright, or registered trademark hasn't been filed on yet, we may want very good measures in place with respect to confidentiality and integrity.

With all that said, when looking at the initial architecture for a system or application, a good starting point from a security perspective is the C-I-A triad. It's high level enough to start asking the right questions to bake security into the system. And if security is baked in from the beginning, it's a lot cheaper than trying to retrofit a system later to fix security holes. Therefore, when talking with folks about initial development, I make sure they understand the C-I-A triad.

 

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating