Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

The CIA Triad: Theory and Practice

Recently, Bloginfosec.com published an article by Warren Axelrod entitled, It’s About Availability and Integrity (not so much Confidentiality). The article generated a bit of controversy, drawing a response from Jim Bird entitled, It’s About Confidentiality and Integrity (not so much Availability). It’s my contention that both authors are right and wrong when it comes to the CIA triad.

When it comes to theory, none of the three components of the CIA triad can take precedence over the others. They are all necessary conditions for security: take away any one of them and you will find that your protection is inadequate (or irrelevant). When it comes to pragmatism, both authors are still correct and incorrect. They are correct in that one can weight the different aspects of the CIA triad differently, but both are wrong because they fail to address the fact that these weights are situational and context-dependent. As such, we find ourselves in a controversy that really does not exist.

Axelrod writes,

The loss of a working production system for a period of about a month will cost the bank, by some estimates, at least 60 million Euros.

And Bird writes,

Availability of systems and data is a devops problem that requires application developers and architects and operations engineers to work together. I don’t see where security experts add value in ensuring Availability – with the possible exception of helping architects and engineers understand how to protect themselves from DDOS attacks.

In the Axelrod quote, the context is the failure of a production application. Bird’s context is the job responsibility of a particular information security professional. These are not contradictory viewpoints; they are just different contexts under which to analyze the CIA triad. We can change the scenarios slightly to emphasize the other’s point of view. In the Axelrod case, imagine the system does not fail but the data is open to being compromised. In Bird’s case, larger organizations have dedicated security professionals for the business continuity of the application: surely BCP/DR is about availability, and this infosec role supports Axelrod’s perspective. If we frame the discussion from a slightly different perspective, each author’s argument can support the other’s.

Let’s look further into the idea of situational and context-dependent information security.

2 Comments

  1. Maureen Robinson Aug 6, 2012 at 9:42 am

    This article does a great job of summarizing the aspects regarding CIA Triad. However, it’s important that security objectives are derived from examining every functional requirement in an application through the lens of confidentiality, integrity, and availability (CIA). More about the link between security objectives and CIA Triad: http://blog.securityinnovation.com/blog/2010/12/identify-security-objectives.html

  2. Anuj Sharma Jan 10, 2013 at 11:20 pm

    Excellent write up. Context is not just important in security testing but in other non functional and functional testing as well.

    Context helps the stakeholders to take the right decision.

    Regards,
    Anuj Sharma
