Confidentiality, Integrity and Availability (CIA) of data

The Confidentiality, Integrity and Availability (CIA) concept:

The CIA Triad is a respected, widely recognised model for information security policy development, used to identify problem areas and appropriate solutions for information security. This paper examines the CIA Triad and its application by the MSR and Parkerian Hexad models, and contrasts these two models against each other.

The term CIA refers to the Confidentiality, Integrity and Availability of information. Organisations design security measures to protect one or more facets of this CIA triad.

The three facets of the CIA triad are defined as follows[1]:

Confidentiality: The protection of information from disclosure to unauthorised parties. A key component of confidentiality is encryption, which ensures that only authorised people are able to read the protected information. Loss of confidentiality occurs when information is accessed by unauthorised persons.

Integrity: The protection of information from unauthorised modification. The value of information is directly related to its correctness. As with confidentiality, cryptography plays a major role in ensuring data integrity. Loss of integrity occurs when information is modified in unexpected and/or unauthorised ways.

Availability: Ensuring that information is accessible to authorised parties when required. Information only has worth if it is accessible to the right people at the right time. Backups, redundancy and disaster recovery procedures are integral to ensuring the availability of information. Loss of availability occurs when authorised persons are unable to access information that they require.

Analysed from the viewpoint of a potential attacker: data theft compromises confidentiality, data manipulation compromises integrity, and taking down the system or deleting data removes availability.

The underlying strength of the CIA Triad is that it conveys the overall goals of information security to both information technology and business professionals in a simplified way. From a security angle, the Triad’s three elements cover the vast majority of actions involved in protecting information in organisations of all sizes. Considering information security attacks in terms of the CIA paradigm gives a better understanding of the various defensive and offensive techniques. As an example, three common basic attacker techniques (sniffing network traffic, modifying system files, and formatting hard drives) are explained in terms of the CIA Triad:

  • Sniffing of network traffic is an attack on Confidentiality because it allows the attacker to see what is not supposed to be seen.
  • Writing modified system files compromises the Integrity of the target system.
  • Formatting a victim’s hard drive is an attack on the Availability of the system.

The CIA Triad’s primary weakness is its sole focus on information. Although information is core to IT security, the Triad advocates a narrow view of security that tends to discount other important factors. For example, while Availability ensures access to system resources when information is required, a focus on information security by itself does not guarantee that unauthorised use of hardware resources is not occurring.

Alternative Models for Information Assurance

The MSR Model

The McCumber model, developed by John McCumber, defines three dimensions of security built upon information characteristics in line with the CIA Triad.[2]

Maconachy, Schou and Ragsdale (MSR) expanded the services category of the McCumber model by adding authentication and non-repudiation, which also brings the model in line with the “5 Pillars of Information Assurance” model.[5] The resulting MSR model also introduces a fourth dimension, time, because new technology and emerging threats introduced over time require modification of the other elements of the model to restore system security.[6]

The goal of authentication is to ensure that a request for information, and the transmission of that information, is legitimate, and that those requesting and receiving the information have the authority to access it. Non-repudiation provides the sender of information with proof of delivery and the recipient with proof of source. Non-repudiation is especially important for information such as financial transactions.

A key strength of the MSR model is its emphasis on people controls over time, and the management of the behaviour of people to achieve required information assurance outcomes.

There is, however, an interdependence between the five characteristics: efforts to meet the goals of one may frustrate or interfere with the goals of another.[7] Availability in particular conflicts with the other characteristics, specifically integrity, confidentiality and authentication. Increasing the availability of information reduces control over that information, whereas increasing control over information access has an adverse effect on availability.

Parkerian Hexad

The Parkerian Hexad extends the CIA Triad with a set of additional components to form a more comprehensive and complete security model[8].

The atomic components of the Parkerian Hexad are:

  • Based on the CIA Triad: Confidentiality, Availability and Integrity
  • Additions: Possession/Control, Authenticity and Utility.[9]

The Possession/Control component is added to the CIA Triad with the intent of protecting information from possession or control by unauthorised parties or individuals. The Authenticity component revolves around proof of identity: assurance that information comes from the source it claims to originate from. The usefulness of information is covered by the Utility component.[10] Even though information may meet the defined criteria for confidentiality, integrity, availability, authenticity and possession/control, it still needs to be in a usable state to be of value.

The MSR and Parkerian Hexad Models Compared

Confidentiality and Possession/Control

A breach of confidentiality results in a breach of possession/control; however, the opposite does not hold for breaches of possession/control. Although an adversary may have possession and control of information, they may not be able to access its content, so confidentiality is not breached. The MSR model does not address violation of copyright. Exposure of information in the public domain constitutes a breach of confidentiality if done without the information owner’s approval, whereas re-use of copyrighted material that is already in the public domain constitutes a violation of control as per the Parkerian Hexad.
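The two claims made above and in the Integrity definition earlier (encryption protects confidentiality, cryptography is also needed for integrity, and possession of data does not imply a breach of its confidentiality) can be shown concretely. The following is an added example and not part of the original paper: it uses a one-time pad for confidentiality and an HMAC-SHA256 tag for integrity, both constructed here, with a constructed payment message as input.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed example (not from the page): a one-time pad gives confidentiality,
# an HMAC-SHA256 tag over the ciphertext gives integrity.

def otp_xor(key: bytes, data: bytes) -> bytes:
    """XOR with an equal-length key; encryption and decryption are the same step."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must match the message length")
    return bytes(k ^ d for k, d in zip(key, data))

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt for confidentiality, then tag the ciphertext for integrity."""
    ciphertext = otp_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag

def unprotect(enc_key: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; None means the ciphertext was modified."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return otp_xor(enc_key, ciphertext)

def demo() -> dict:
    plaintext = b"PAY 0010 USD TO ALICE"
    enc_key = secrets.token_bytes(len(plaintext))
    mac_key = secrets.token_bytes(32)
    ciphertext, tag = protect(enc_key, mac_key, plaintext)

    # Possession/Control vs Confidentiality: whoever holds `ciphertext` possesses
    # the data, but without enc_key cannot read it.
    # Integrity: encryption alone is malleable; flipping ciphertext bits changes
    # the decrypted amount from 0010 to 9910 without any error.
    tampered = bytearray(ciphertext)
    for offset, (old, new) in enumerate(zip(b"0010", b"9910"), start=4):
        tampered[offset] ^= old ^ new
    tampered = bytes(tampered)

    return {
        "genuine": unprotect(enc_key, mac_key, ciphertext, tag),  # original plaintext
        "unchecked": otp_xor(enc_key, tampered),                  # b"PAY 9910 USD TO ALICE"
        "checked": unprotect(enc_key, mac_key, tampered, tag),    # None: tag mismatch
    }
```

The "unchecked" result shows a loss of integrity with confidentiality intact, while "checked" shows the tag detecting the modification before the altered message is acted upon.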

Availability and Utility

Availability in terms of the MSR model is not concerned with the usability or utility of information; the focus of Utility is on the content of the information. Even if information meets the requirements of confidentiality, availability, integrity, possession and authenticity, it still needs to be of use, and this aspect is overlooked by the MSR model. Another inherent goal conflict in the MSR model is that confidentiality is frequently achieved at the expense of availability, because the information is made available under tighter restrictions[11]. This aspect is addressed by the Parkerian Hexad’s utility paradigm.

Conclusion

The CIA triad has grown to be a fundamental concept in security. Ensuring that the three facets of the CIA triad are addressed is the foundation of any secure system. There are, however, limitations to the model, specifically around authentication, non-repudiation, time, possession and utility, which McCumber, Maconachy et al. and Parker attempted to address in their models.

Current online information storage and dissemination capabilities introduce new threats that the original CIA model does not cover adequately. Although the MSR model’s inclusion of the time element presents a step forward, its lack of the concepts of utility and control is a serious omission. The online nature of current information systems and the portability of information storage (via laptops, USB devices and mobile phones) bring the concept of possession to the fore, an attribute of the Parkerian Hexad model that puts it ahead of the other models in the present information age.

None of the models address the concept of context. If data is collated without a proper understanding of its context, more harm than good may result from the use of that information.[12]

Sources

Alam, M.N., Paul, S.P. and Chowdhury, S., “Security Engineering towards Building a Secure Software”, International Journal of Computer Applications, Vol. 81, No.6, November 2013, pp. 33-34.

Dardick, G.S., “Cyber Forensics Assurance”, Proceedings of the 8th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, November 30th 2010

Jirasek, V., “Practical application of information security models”, Information Security Technical Report, United Kingdom, Vol. 17, No. 8, 2012, pp. 1-8.

Karlsson, F., Hedström, K., Goldkuhl, G., “Practice-based discourse analysis of information security policies”, Computers & Security, 2016, pp. 9-11.

Kasinath, G., & Armstrong, L., “Importance of verification and validation of data sources in attaining information superiority.”, Proceedings of Australian Information Security Management Conference, Perth. School of Computer and Information Science, Edith Cowan University, 2007, pp. 127-134.

Maconachy, V.W., Corey, D. S., Ragsdale, D., and Welch, D., “A Model for Information Assurance: An Integrated Approach”, Proceedings of the 2001 IEEE, Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 5-6 June, 2001, pp. 306-310.

McCumber, J.R., “Information Systems Security: A Comprehensive Model”, Proceedings of the 14th National Computer Security Conference, National Institute of Standards and Technology, Baltimore, MD, October 1991, pp. 1-6.

Parker, D.B., “Our Excessively Simplistic Information Security Model and How to Fix It”, The ISSA Journal, Portland, Oregon, USA, July, 2010, pp. 12-21.

Wilson, K.S., “Conflicts Among the Pillars of Information Assurance”, IT Pro Magazine, Published by the IEEE Computer Society, July/August 2013, pp. 44-49.

  1. Alam et al., 2013, pp. 33-34.
  2. McCumber, J.R., 1991, pp. 2-4.
  3. Adapted from: McCumber, J.R., 1991, p. 4.
  4. Adapted from: Maconachy et al., 2001, p. 307.
  5. Dardick, G.S., 2010, pp. 59-60.
  6. Maconachy et al., 2001, p. 309.
  7. Wilson, K.S., 2013, p. 44.
  8. Jirasek, V., 2012, p. 3.
  9. Parker, D.B., 2010, p. 13.
  10. Parker, D.B., 2010, p. 17.
  11. Karlsson et al., 2016, p. 10.
  12. Kasinath et al., 2007, p. 133.