Thursday 14 February 2013

CIA Triad and Parkerian Hexad

10) The CIA triad - CONFIDENTIALITY, INTEGRITY, AVAILABILITY

The CIA triad defines the baseline, or foundation, for discussing security issues. Security professionals use this triad to classify the various attacks and abnormalities that arise when dealing with their systems.

10.1) Confidentiality : It's similar to a situation where a class teacher tells the students that she will disclose the results of the tests at exactly 3 pm, but that before then the results will be handed over ONLY to the class head, who will be in charge of looking after them, with a warning that the other students are not allowed to access them. I have tried to provide a common scenario so that the concept stays in our minds. It's simple: consider the results as the data the teacher needs to protect from the other students (except the class head); the class head is the only person authorized to access this CONFIDENTIAL data. By taking the above step, the teacher has attempted to keep the data confidential (before 3 pm), and this is nothing but confidentiality.

10.1.1) What is the difference between confidentiality and privacy then?
In simple terms, confidentiality relates to data, whereas privacy relates to the person. Let's talk about privacy first. Privacy is the measure taken to decide who can access you (who can interact with you) and who cannot. We often hear people say "please give me some privacy". Consider this statement from a celebrity's point of view. Here it means that not every Tom, Dick and Harry is allowed to meet (interact with) the celebrity whenever they like; only his close associates are allowed to do so. Another perspective on privacy is when a newspaper publishes a celebrity's very personal story (which might be quite embarrassing for that celebrity). The celebrity naturally expects that such information should not be openly disclosed. Disclosing his personal story is nothing but a breach of that celebrity's privacy. Next, how does this differ from confidentiality? Confidentiality is about keeping the data secret. If you have read about America's Manhattan Project, this term will be familiar to you. Its application (the bombing of Hiroshima and Nagasaki) was successful only because this "bombing" activity was kept secret, or confidential.

10.2) Integrity : Integrity, in simple terms, is the "oneness" of data. In other words, while the data is being transmitted between various entities it should not be tampered with or changed (deviate from the original). Such changes would cause wrong information to be communicated between the concerned parties and in many cases could cause severe financial losses. The concerned parties should take measures to ensure that, while the data is in transit, no unauthorized entity can alter it undetected. The original data that was sent should be received exactly as it is at the receiving end.
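As an added illustration of the point above (example code written for this post, not part of the original article), the following Python uses the standard library's `hmac` and `hashlib` modules to show how a receiver detects that a message was altered in transit, and why a plain checksum without a secret key does not give integrity against deliberate tampering. The shared key, the sample transfer instruction and the `alter_amount` function are constructed for the demonstration and are not real values.

```python
import hashlib
import hmac

# Constructed demo values: a shared secret and a sample message. In a real
# system the key would come from a key-management service, never hard-coded.
SHARED_KEY = b"demo-shared-secret-not-for-production"
ORIGINAL_MESSAGE = b"TRANSFER 100.00 FROM A-001 TO B-002"


def make_tag(key: bytes, message: bytes) -> str:
    """Sender side: bind the message to the shared key with HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def unkeyed_digest(message: bytes) -> str:
    """A plain checksum with no key, kept here only to show why it is not enough."""
    return hashlib.sha256(message).hexdigest()


def alter_amount(message: bytes) -> bytes:
    """Constructed in-transit modification used by the demonstration."""
    return message.replace(b"100.00", b"900.00")


def deliver_with_hmac(key: bytes, message: bytes, tamper=None) -> bool:
    """Simulate one transmission: the sender attaches an HMAC tag, the channel
    optionally alters the message, the receiver checks the tag.
    Returns True only if the message arrived exactly as sent."""
    tag = make_tag(key, message)
    received = tamper(message) if tamper else message
    return verify_tag(key, received, tag)


def deliver_with_checksum(message: bytes, tamper=None) -> bool:
    """Same transmission protected only by an unkeyed checksum. Whoever can
    alter the message can also recompute the checksum, so the receiver's
    check passes even though the data changed."""
    digest = unkeyed_digest(message)            # sender attaches checksum
    received = tamper(message) if tamper else message
    if received != message:
        digest = unkeyed_digest(received)       # altered copy gets a fresh checksum
    return unkeyed_digest(received) == digest   # receiver sees a "valid" checksum


if __name__ == "__main__":
    print("HMAC, intact:     ", deliver_with_hmac(SHARED_KEY, ORIGINAL_MESSAGE))
    print("HMAC, altered:    ", deliver_with_hmac(SHARED_KEY, ORIGINAL_MESSAGE, alter_amount))
    print("Checksum, altered:", deliver_with_checksum(ORIGINAL_MESSAGE, alter_amount))
```

The intact HMAC delivery verifies, the altered one fails, and the checksum-only delivery still "verifies" after alteration. The difference is the secret key: without it, anyone on the path can change the data and recompute the digest, which is exactly the unauthorized modification the integrity goal is meant to catch. HMAC gives the receiver a way to detect tampering; preventing it entirely needs the transport protections described elsewhere (for example, an authenticated encrypted channel).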

10.3) Availability : Imagine that one day you log in to your favorite gmail.com and, alas, the page says your emails and attachments cannot be shown because the server is down (not functioning). Looking at the cause from a security perspective, one possibility is that the server has been compromised by malicious intruders. Availability, then, is access to our data when we need it: not only our emails and attachments but also our photos, our records, our data stored on cloud services, and so on.

Any issue in information security, when it arises, can be mapped to the above three foundations and measures can be taken accordingly. There is also the concept of the PARKERIAN HEXAD, which adds three more baselines to the above three, bringing the number to six, hence the name "Hexad".

10.4) Possession or control : This deals with the physical security of the data. If we have stored our data on portable hard disks, measures should be taken to ensure that no one can steal those hard disks under any circumstances. A laptop containing confidential information should be protected from a breach of physical security.

10.5) Authenticity : I-cards, biometrics (to be covered later) and similar mechanisms ensure that you are a genuine person associated with the concerned organisation. Authenticity is a check of genuineness and originality.


10.6) Utility : This concerns how useful the data is. For example, if you have encrypted the data on your storage device and someone steals this device, it will not be of much USE to him/her because the data is unreadable (assuming this thief is not an expert cryptanalyst).
