The Security Triforce

--Originally published at Debugging My Mind


It is said that if you gather all three pieces of the security triforce, your software will be the most protected. In all seriousness, this is known as the CIA (or AIC) security triad, and it refers to the three properties most commonly focused on when protecting systems: Confidentiality, Integrity and Availability.

Over the next few months my team and I will be creating a web application focused on helping the 2nd grade students of a particular school, and security will become an important topic in the development of this app.

At first glance you might be able to discern what these 3 terms mean from the words alone, but I’ll go through them quickly and specify what they represent, as well as how each of them will (or will not) be necessary for the app we’ll be developing.

Confidentiality: The property of keeping sensitive and important information hidden or encrypted in such a way that unauthorized individuals are incapable of accessing it and, even if they manage to, are unable to understand it.

In order to customize each child’s experience with the math mini-games we’ll be implementing in the application, as well as the reports the teachers will obtain, sensitive and important information about them might need to be stored in the app’s database.

Since the personal information of young children will be handled, we have to be very careful to keep it as confidential as possible, and also make sure not to keep data that is no longer used (for example, children who have left the school or who simply won’t be using the application anymore shouldn’t have their data kept once some time has passed). I believe this security property is the most important one for this project: in the future these children may choose to provide their information to particular sites or applications of their own will, but today this choice is made for them, and it can’t be taken so lightly as to handle their information carelessly.
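A retention check along these lines, as an added example (not code from the original post or the project): it selects the student records a scheduled job should delete. The 90-day grace period, the one-year inactivity limit and the record fields are assumptions, since the post only says "after some time has passed".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention thresholds. Assumed values: the post gives no concrete period.
LEFT_SCHOOL_GRACE = timedelta(days=90)   # keep briefly after a child leaves the school
INACTIVITY_LIMIT = timedelta(days=365)   # a year without using the app


@dataclass
class StudentRecord:
    student_id: str
    created_on: date                 # when the record was first stored
    last_active: Optional[date]      # None if the child never used the app
    left_school_on: Optional[date]   # None while the child is still enrolled


def should_purge(rec: StudentRecord, today: date) -> bool:
    """Return True when a child's record has outlived its purpose.

    Two triggers, both taken from the confidentiality discussion: the child
    has left the school (after a short grace period), or the child has
    simply stopped using the application for a long time.
    """
    if rec.left_school_on is not None and today - rec.left_school_on >= LEFT_SCHOOL_GRACE:
        return True
    # A record with no activity at all is measured from its creation date,
    # so an account that was provisioned but never used still expires.
    last_seen = rec.last_active or rec.created_on
    return today - last_seen >= INACTIVITY_LIMIT


def select_for_purge(records: List[StudentRecord], today: date) -> List[str]:
    """IDs of the records a scheduled retention job should delete."""
    return [r.student_id for r in records if should_purge(r, today)]


# Constructed sample data (not real students), evaluated on a fixed date.
TODAY = date(2017, 6, 1)
SAMPLE_RECORDS = [
    StudentRecord("s1", date(2016, 1, 10), date(2017, 5, 20), None),             # active, enrolled: keep
    StudentRecord("s2", date(2015, 9, 1), date(2016, 6, 15), date(2016, 7, 1)),  # left months ago: purge
    StudentRecord("s3", date(2015, 9, 1), date(2016, 3, 1), None),               # enrolled but idle a year: purge
    StudentRecord("s4", date(2017, 4, 1), None, None),                           # new, never used yet: keep
    StudentRecord("s5", date(2016, 9, 1), date(2017, 5, 1), date(2017, 5, 15)),  # left within grace: keep
]

if __name__ == "__main__":
    print(select_for_purge(SAMPLE_RECORDS, TODAY))  # ['s2', 's3']
```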


Integrity: This refers to data not being altered or destroyed by an unauthorized entity, whether through the modification of a file or a change to the system’s configuration. Typical examples are a file infected by a virus, or data modified in transit through the network, such as an email on the internet.

In this case, integrity is not a property of huge importance for our application. While there are still some measures to be taken, the system will be constantly storing and modifying the data used to customize the exercises for the students, so the corruption of one of these records is not a big deal: it will soon be replaced by another one based on the children’s performance.

Availability: As the name implies, this property refers to the ability of the system to remain accessible even if there is an error or a corruption of data. This is usually achieved through redundancy, so that if a piece of hardware fails, another one can take over and keep the system running and usable.

For our application, and due to the limitations in the hardware and resources available to us, achieving redundancy and constant availability can be complicated and sits further down the priority list. The biggest solution we can provide is hosting the application on a separately hired server rather than on one of the school’s computers, which could suffer a hardware malfunction. While a hired server (for example Amazon Web Services) gives us the much-desired constant availability and a fault-tolerant system (most of the time, at least), it requires a constant fee, so it ends up being the school’s decision whether to adopt it or not.

All in all, regular users of software won’t have this triad in mind when using it, often taking things for granted. We as software engineers have to be careful and make sure our designs and implementations are as secure as possible (as far as our resources and abilities allow) and, most importantly, that all of these features work by default. The default setting should always be the secure option.