Wednesday, June 17, 2020

The CIA of Information Security

What is information security? When I took the CISSP examination in 2002, the definition was confidentiality, integrity and availability, also known as the CIA triad. When I later took my master's course, there was another definition with four pillars (one of them being authentication). In a later internet search, someone suggested an eight-pillar definition. Anyway, the information security triad is the most widely accepted definition so far.

The first pillar of the triad is confidentiality. Confidentiality means that only an authorized person, party or process is allowed to access the information (whether or not the information is classified as 'confidential'). Its purpose is to prevent unauthorized access to information. Put simply: if you are allowed to access the data, you can; if you are not allowed to, you cannot. When this holds, confidentiality is achieved.

The second pillar of the triad is data integrity. Data integrity ensures the accuracy and completeness of the data. To be precise: when a person, party or process authorized to access the data does so, the data must be presented intact, with nothing added, nothing lost and everything in the correct order. This is to prevent the data being modified, inserted, deleted or reordered in an unauthorized or undetected manner.

The final pillar of the triad is availability. For example, if an authorized person is unable to access the information, for whatever reason, his or her authorization is meaningless; he or she is effectively no better off than an unauthorized person. So this pillar guarantees that an authorized person is able to access the information whenever it is needed.

Note that these definitions only describe the concept; they do not specify how to achieve it. They do not prescribe the hardware, devices, software, tools, processes or procedures to be applied to meet the security requirements. For example, to achieve confidentiality, the information can be encrypted so that only authorized persons hold the decryption key, or it can be locked inside a safe with the physical key held by an authorized person. Both methods provide confidentiality, as long as the key itself is properly protected. In short, any method or tool that meets the security requirement can be used.
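As an added example (not code from the original post), the following Python script shows the two encryption-based points above in working form: confidentiality, where only the holder of the key can read the data, and integrity as defined earlier, where anything modified, added, dropped, reordered or truncated is detected rather than silently accepted. It uses only the standard library and an encrypt-then-MAC record format of my own design (HMAC-SHA256 in counter mode as the keystream, HMAC-SHA256 as the tag); that construction is illustrative, and in production you would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a real cryptographic library. The messages and attack cases in `demo()` are constructed.

```python
"""Encrypt-then-MAC record layer illustrating the C and I of the CIA triad.

Illustrative only: a real system should use a vetted AEAD (AES-GCM,
ChaCha20-Poly1305) rather than this hand-rolled HMAC-based stream cipher.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

TAG_LEN = 32                      # HMAC-SHA256 tag
NONCE_LEN = 16
HEADER_LEN = 8 + 1 + NONCE_LEN    # seq (u64) + final flag (u8) + nonce


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (illustrative)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(master_key: bytes, seq: int, plaintext: bytes, final: bool = False) -> bytes:
    """Build one record: header || ciphertext || tag.  The sequence number
    and final flag are authenticated, so dropping, reordering or cutting
    the stream short is detectable by the reader."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack(">QB", seq, int(final)) + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unseal(master_key: bytes, expected_seq: int, record: bytes) -> tuple[bytes, bool]:
    """Verify then decrypt one record; raise ValueError on any violation.
    The tag is checked before anything is decrypted, so a wrong key or a
    modified byte never yields plaintext to the caller."""
    if len(record) < HEADER_LEN + TAG_LEN:
        raise ValueError("truncated record")
    header = record[:HEADER_LEN]
    ciphertext = record[HEADER_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_key)
    expected_tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):      # constant-time compare
        raise ValueError("integrity check failed: modified data or wrong key")
    seq, final = struct.unpack(">QB", header[:9])
    if seq != expected_seq:
        raise ValueError(f"sequence error: expected {expected_seq}, got {seq}")
    nonce = header[9:HEADER_LEN]
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks)), bool(final)


def read_stream(master_key: bytes, records: list[bytes]) -> list[bytes]:
    """Reassemble a stream, insisting on order, completeness and an end marker."""
    messages = []
    for i, rec in enumerate(records):
        msg, final = unseal(master_key, i, rec)
        messages.append(msg)
        if final:
            return messages
    raise ValueError("stream truncated: final record missing")


def demo() -> dict[str, str]:
    """Constructed scenario: the authorized reader succeeds, every tampering
    case is rejected with a reason.  Returns a name -> outcome mapping."""
    key = os.urandom(32)
    msgs = [b"transfer 100", b"to account 42", b"confirm"]   # constructed sample
    records = [seal(key, i, m, final=(i == len(msgs) - 1)) for i, m in enumerate(msgs)]

    # Flip one bit of the second record's ciphertext.
    r1 = records[1]
    modified = r1[:HEADER_LEN] + bytes([r1[HEADER_LEN] ^ 0x01]) + r1[HEADER_LEN + 1:]

    results = {"authorized": b"|".join(read_stream(key, records)).decode()}
    cases = {
        "wrong_key": (os.urandom(32), records),                  # unauthorized party
        "modified": (key, [records[0], modified, records[2]]),   # content changed
        "reordered": (key, [records[1], records[0], records[2]]),
        "dropped": (key, [records[0], records[2]]),              # something lost
        "truncated": (key, records[:2]),                         # end cut off
    }
    for name, (k, recs) in cases.items():
        try:
            read_stream(k, recs)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Two design points worth noting. The tag is verified before decryption and compared in constant time, so a wrong key fails closed and leaks nothing about the plaintext. And the sequence number plus the final flag are covered by the tag, which is what turns a per-record integrity check into the "nothing added, nothing lost, correct order" guarantee for the whole stream; without the final flag, silently dropping the last record would go unnoticed.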

The first letters of Confidentiality, Integrity and Availability thus form the 'CIA' of information security. For years, many have felt that three pillars, C.I.A., are not enough, and that there are other areas that need to be addressed and taken into consideration.

As you can see, the CIA pillars are mainly from the INFORMATION point of view. The three pillars describe the 'state' of the information: it should be kept in a 'confidential' state, presented to authorized clients and withheld from unauthorized ones; when given to an authorized client, it should be in an intact state; and it should always be in an 'available' state for the authorized client. In other words, these three pillars relate closely to the information, NOT directly to the CLIENT, the ultimate user of information security. The CIA pillars can only see the shadows of the clients in the definition. In the next blog post, The CDE of Information Security, I will introduce the considerations related to the client in the world of information security.

Alvin SIU
2020-06-17

Copyright/Licence Information:
All information and coding in this article is offered at no charge for NON-COMMERCIAL PERSONAL USE only.
This blog and the coding is copyright.
Reproduction of this blog and its coding in whole or in part in paper or digitally or in any other forms without the explicit written permission of the author is strictly prohibited.

Disclaimer:
All information in this article is distributed "as is" and is UNSUPPORTED.
NO WARRANTY of any kind is expressed or implied.
You use AT YOUR OWN RISK.
The author will not be liable for any data loss, damages, and loss of profits or any other kind of tangible or intangible loss while using or misusing wholly or partly of the information.

