--Originally published at #CParravirgen
This is a post that I’ve been wanting to write since it is basis of Information Security, and is about the 3 pillars of this subject: Information Integrity, Availability and Confidentiality (that’s the IAC, or the not-Trumps-CIA as I like to call it).
So, right to the chest: why they are the 3 most important things in IT security? Because if you can ensure the 3 of them all the time at the same time, then you would become God of IT, with higher powers than the Power Rangers or Linus Torvalds.
Ensuring those 3 things all the time for any system sounds easy, but it isn’t really. You have to make sure that one doesn’t block the other but it doesn’t affect it either. For example: I could make public a big data base, so is available and in compliance with integrity, but is so available that affects confidentiality, so I’m missing one side of the triangle.
Pretty much all the systems try to be in compliance of these 3 things all the time, many of them achieve it for some time, until an update comes or an issue rises or someone tries to play the “smart-ass” and do dirty things into the system, ruining the complete triangle sometimes.
So, let’s define each of the parts:
- Integrity: Assurance that the data being accessed or read has neither been tampered with, nor been altered or damaged through a system error, since the time of the last authorized access.Read more: http://www.businessdictionary.com/definition/information-integrity.html
- Availability: In the context of a computer system, refers to the ability of a user to access information or resources in a specified location and in the correct format.Read more: https://www.techopedia.com/definition/990/availability
- Confidentiality: Is whether the information stored on a system is protected against unintended
unauthorized access. Since systems are sometimes used to manage sensitive information, Data Confidentiality is often a measure of the ability of the system to protect its data.Read more: http://hitachi-id.com/concepts/confidentiality.html
I guess, you can see why this topic is so important, since pretty much any system you use either for fun or at work or wherever, it is the base of any shared system that more than 1 person uses at some time.
Going deeper in the 3 topics, I found this read in the WhatIs webpage. I really recommend it and I leave the abstract of the 3 pillars here:
Confidentiality:
Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it: Access must be restricted to those authorized to view the data in question. It is common, as well, for data to be categorized according to the amount and type of damage that could be done should it fall into unintended hands. More or less stringent measures can then be implemented according to those categories.
Sometimes safeguarding data confidentiality may involve special training for those privy to such documents. Such training would typically include security risks that could threaten this information. Training can help familiarize authorized people with risk factors and how to guard against them. Further aspects of training can include strong passwords and password-related best practices and information about social engineering methods, to prevent them from bending data-handling rules with good intentions and potentially disastrous results.
A good example of methods used to ensure confidentiality is an account number or routing number when banking online. Data encryption is a common method of ensuring confidentiality. User IDs and passwords constitute a standard procedure; two-factor authentication is becoming the norm. Other options include biometric verification and security tokens, key fobs or soft tokens. In addition, users can take precautions to minimize the number of places where the information appears and the number of times it is actually transmitted to complete a required transaction. Extra measures might be taken in the case of extremely sensitive documents, precautions such as storing only on air gapped computers, disconnected storage devices or, for highly sensitive information, in hard copy form only.
Integrity:
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). These measures include file permissions and user access controls. Version control maybe used to prevent erroneous changes or accidental deletion by authorized users becoming a problem. In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. Some data might include checksums, even cryptographic checksums, for verification of integrity. Backups or redundancies must be available to restore the affected data to its correct state.
Availability:
Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed and maintaining a correctly functioning operating system environment that is free of software conflicts. It’s also important to keep current with all necessary system upgrades. Providing adequate communication bandwidth and preventing the occurrence of bottlenecks are equally important. Redundancy, failover, RAID even high-availability clusters can mitigate serious consequences when hardware issues do occur. Fast and adaptive disaster recovery is essential for the worst case scenarios; that capacity is reliant on the existence of a comprehensive disaster recovery plan (DRP). Safeguards against data loss or interruptions in connections must include unpredictable events such as natural disasters and fire. To prevent data loss from such occurrences, a backup copy may be stored in a geographically-isolated location, perhaps even in a fireproof, waterproof safe. Extra security equipment or software such as firewalls and proxy servers can guard against downtime and unreachable data due to malicious actions such as denial-of-service (DoS) attacks and network intrusions.
After all this information, you now have a better idea and understanding of why the CIA of computer science is basic for any system you may find, since is what supports everything, and without it, a lot of systems wouldn’t have the success they do now, like Facebook, Twitter, or any other social network; or the banks systems to keep your money to you and only you. Also, helps you understand that these 3 things won’t always be succeeded all the time, and that is when the problems come.
So, this is all for now, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on on achieving your definition of “success” and drink more coffee!
