CIA triad

From Wikipedia, the free encyclopedia

CIA triad is a widely-used information assurance (IA) model which identifies confidentiality, integrity and availability as the fundamental security characteristics of information. The three characteristics of the idealized model are also referred to as IA services, goals, aims, tenets or capabilities.

Contents 1 Confidentiality 2 Integrity 3 Availability 4 Augmentations to the CIA Triad 4.1 Accountability 4.2 Non-Repudiation 4.3 Authentication 4.4 Utility 4.5 Possession 5 Variations on the Mnemonic 6 History 7 See also 8 References

[edit] Confidentiality

Confidentiality is assurance of data privacy. Only the intended and authorized recipients: individuals, processes or devices, may read the data. Disclosure to unauthorized entities, for example using unauthorized network sniffing is a confidentiality violation.

Cryptography is the art and science of storing and transmitting confidential data.

[edit] Integrity

Integrity is assurance of data non-alteration. Data integrity is having assurance that the information has not been altered in transmission, from origin to reception. Source integrity is the assurance that the sender of that information is who it is supposed to be. Data integrity can be compromised when information has been corrupted, willfully or accidentally, before it is read by its intended recipient. Source integrity is compromised when an agent spoofs its identity and supplies incorrect information to a recipient.

Digital Signatures and hash algorithms are mechanisms used to provide data integrity.

[edit] Availability

Availability is assurance in the timely and reliable access to data services for authorized users. It ensures that information or resources are available when required. Most often this means that the resources are available at a rate which is fast enough for the wider system to perform its task as intended. It is certainly possible that a confidentiality and integrity are protected, but an attacker causes resources to become less available than required, or not available at all. See Denial of Service (DoS).

High availability protocols, fully redundant network architectures and system hardware without any single points of failure ensure system reliability and robustness.

[edit] Augmentations to the CIA Triad

There have been attempts to augment the CIA triad with concepts such as accountability, non-repudiation, authentication, value, intended use (utility) and others^[1]. The triad, being a very simple model with narrow application, cannot adequately describe many important security objectives and augmentations may be an effort to broaden the applicability of the model. There is a perceptible incongruity, however, between the triad, which identifies fundamental security characteristics of information, and augmentations which identify security characteristics of processes (e.g. trusting, sharing, using or evaluating).

Some common augmentations to the triad are:

[edit] Accountability

Accountability is assurance in tracing all activities to a responsible and authorized individual or process within a reasonable amount of time and without undue difficulty.

[edit] Non-Repudiation

Non-Repudiation is assurance that:

• The sender of data is provided with proof of delivery
• The recipient is provided with proof of the sender's identity

In this case neither can later deny having processed the data. In e-commerce and legal terms this prevents the sender, an online vendor for example, from being obliged to ship replacement goods to a malicious customer who denies receiving the original data. The non-repudiation of sourcing information means that the sender can't deny submitting the information. This prevents the sender from anonymously spoofing messages with malicious intent.

[edit] Authentication

Authentication is the process to verify the identity of an individual, a computer, a computer program, or similar.

[edit] Utility

[edit] Possession

[edit] Variations on the Mnemonic

Other mnemonic variations are in use to represent the CIA triad. This is done to avoid confusion with the acronym for the U.S. Central Intelligence Agency (CIA).

Another mnemonic is PAIN:

• Privacy = Confidentiality
• Availabilty/Authentication
• Integrity
• Non-Repudiation

[edit] History

...the high-level security goals most often specified are that the system should prevent unauthorized disclosure or theft of information, should prevent unauthorized modification of information, and should prevent denial of service.

A Comparison of Commercial and Military Computer Security Policies, Clark-Wilson, 1987

In a 1987 survey document comparing commercial and U.S. Department of Defense (DoD) computer security by David D. Clark and David R. Wilson, the authors introduced the concept of the computer security integrity model. The paper formalizes the notion of information integrity as compared to DoD's Orange Book's emphasis on security labels and classification, i.e. security is confidentiality. Clark and Wilson argue that the existing computer security models such as Bell-LaPadula and Biba were better suited to enforcing data confidentiality rather than information integrity.

[edit] See also

• Parkerian hexad
• AAA protocol

[edit] References

• A Comparison of Commercial and Military Computer Security Policies, Clark-Wilson, 1987
• Stanford University - Classical Reference Models