--Originally published at The Hitchhiker's Guide to information security… according to me!
I will start by asking the real questions here. What does security even mean?
A definition right out of the dictionary will tell us that it is the precaution taken to guard against danger, crime, attack, sabotage, espionage, etc., but if it was that easy then we will all be burying our hard drives in a freaking hole in an unknown location that is unknown even to us. IS THIS EVEN PRACTICAL?! What if I want to see my data in this moment? Do I need to dig a hole each time? What if I want to share it? No one will be allowed to see it because it isn’t safe?
Security it’s not always about extreme prevention, but about knowing the right amount of protection. “But Edy, how do we know which amount of protection is the right amount?” Well kids, you’ve come to the right blog.
CIA Triad
No, it does not refer to that agency that makes everyone paranoid. It refers to a modelling tool that help us decide the security goals and the approach that we could implement in order to achieve them. CIA stands for confidentiality, integrity and availability and we will now proceed to cover them in detail… Wait for it… NOW!
Confidentiality
People, you may think this is pretty obvious, but in fact it gets confused a lot with integrity, so pay attention. Confidentiality refers to your data only being able to be seen by people you want. It does not mean neither unmodifiable nor unsharable. This is extremely important for delicate information like the addresses and family members of all the employees in a company. Now let’s watch the concept in practice.
Example: Your girlfriend/boyfriend doesn’t know the password of your phone, but your best friend does. Even though your
Integrity
This concept refers to the data being protected by unwanted modifications. “But wait, if nobody can see it the data, isn’t it included in the confidentiality part” — asked the confused reader… No, is not the same. Some data is extremely important that remains unmodified, for example, I don’t know, maybe, THE MONEY INSIDE YOUR BANK ACCOUNT! Here comes the…
EXAMPLE: continuing with the previous line of thought, you want your best friend to see your messages so that he can give advices or something, but you don’t want him to be able to send a message, you want the state in which you left those messages stays the same even though he can see them, so your data is not confidential to him, but has integrity and it’s protected from unwanted changes. De nada.
Availability
Now this refers to the accessibility of the data for the right people at the right time. Sometimes you need to make sure that the data can be accessed 24/7 by someone and being able to protect your data from evil doers that won’t let you (denial of service attack post coming soon) is crucial for information security.
Example: Let’s change the concept. Imagine you’re are a little child and your mother told you, you can have a cookie from the conveniently reachable jar in the kitchen, but your evil big brother wants you to suffer so he puts the jar in a no so conveniently reachable place for you. You can’t reach the jar now! Is the jar is extremely confidential? I don’t think so, it’s right there, everyone can see it. It has tight integrity? No, it’s an open jar, everyone can put or take a cookie. Is it accessible to you who are righteously entitled to grab a cookie? NO! That’s a security breach right there!
Putting it all together
Some data need more of one concept than the other. Some just need maybe one or to concepts or maybe none at all. A web page may need a lot of integrity and availability, but little confidentiality. A database may need integrity and confidentiality, but not a lot of availability. The triad helps us design which concepts are really needed in order to plan the right amount of security that needs to be provided.
So now you should start wondering if those dirty files are really in the right place, if you even have those… Just saying… Not judging here.
