Goals of Security

Understanding the CIA Triad

In this video, we're going to talk about the goals of security. They all revolve around what they call the Security Triad, or the CIA Triad. So the acronym is CIA. The C is for confidentiality. The I is for integrity, and the A is for availability.

Confidentiality

Confidentiality is all about limiting access to authorised individuals. When thinking about data, encryption is a primary method for achieving confidentiality. By encrypting or scrambling the data, only designated recipients with the key can unscramble and see the data. However, confidentiality isn't limited to data alone; it can apply to any asset.

For example, imagine controlling access to your home during a holiday to keep out unwelcome guests by using an access control list and a bouncer. This approach ensures that only authorised individuals have access to your home. Thus, confidentiality is about restricting access to crucial assets to those who are authorised.

Integrity

Integrity is focused on managing and controlling changes. It's not about preventing all changes but rather ensuring that changes are authorised and appropriate. There are two main concerns regarding changes:

  • Unauthorised individuals making changes.
  • Authorised individuals making unauthorised changes.

For instance, if someone alters your financial spreadsheet to show an incorrect balance, it can lead to poor financial decisions. Similarly, consider a porch box designed to deter thieves: if an authorised user unintentionally changes its settings, the box becomes less effective. Therefore, integrity involves monitoring changes to ensure they are made by authorised parties and are legitimate.

An important real-world example of the impact of integrity is the SolarWinds hack, where malicious code was inserted into a software update, representing both a breach of confidentiality and integrity. This incident underscores the importance of rigorous integrity monitoring to detect unauthorised changes.
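
The two integrity concerns listed above, as an added example that is not part of the original lesson: a SHA-256 baseline detects that an asset changed, and a change log decides whether the change came from an unauthorised individual or was an unauthorised change by an authorised one. All user names, asset names, contents and the approval list are constructed for illustration.

```python
import hashlib

# Constructed sample policy: who may change assets, and which changes were signed off.
AUTHORISED_USERS = {"alice", "bob"}
APPROVED_CHANGES = {("alice", "budget.csv")}  # (user, asset) pairs with approval

def digest(data: bytes) -> str:
    """SHA-256 of an asset's content, used as its integrity fingerprint."""
    return hashlib.sha256(data).hexdigest()

def audit(baseline, current, change_log):
    """Classify every asset whose content no longer matches its baseline hash."""
    findings = {}
    for name, data in current.items():
        if digest(data) == baseline.get(name):
            continue  # unchanged since the baseline was taken
        user = change_log.get(name)
        if user is None:
            findings[name] = "changed with no change record"
        elif user not in AUTHORISED_USERS:
            findings[name] = "unauthorised individual"
        elif (user, name) not in APPROVED_CHANGES:
            findings[name] = "authorised individual, unauthorised change"
        else:
            findings[name] = "approved change"
    for name in baseline.keys() - current.keys():
        findings[name] = "asset missing"
    return findings

# Constructed baseline, taken while every asset was in a known-good state.
BASELINE = {
    "budget.csv": digest(b"balance,1000\n"),
    "porch_box.cfg": digest(b"alarm=on\n"),
    "update.bin": digest(b"build-1\n"),
    "notes.txt": digest(b"hello\n"),
}
# Constructed current state and the change log recording who last wrote each asset.
CURRENT = {
    "budget.csv": b"balance,1200\n",
    "porch_box.cfg": b"alarm=off\n",
    "update.bin": b"build-1+extra\n",
    "notes.txt": b"hello\n",
}
CHANGE_LOG = {"budget.csv": "alice", "porch_box.cfg": "bob", "update.bin": "mallory"}

if __name__ == "__main__":
    for asset, verdict in sorted(audit(BASELINE, CURRENT, CHANGE_LOG).items()):
        print(f"{asset}: {verdict}")
```
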

Availability

Availability ensures that assets are accessible when needed. Everyone has experienced a loss of availability, such as when a phone dies right when you need it most. Achieving availability often involves redundancy. In networking, redundancy ensures that systems remain operational, even if some components fail. The cloud's design exemplifies this principle, offering extensive redundancy to ensure reliable data access.

However, ensuring availability can be complex, requiring creative thinking to anticipate potential issues. As you address security, consider the wide spectrum of scenarios that could threaten availability.

Conclusion

The CIA Triad—Confidentiality, Integrity, and Availability—is fundamental to understanding and implementing security. When preparing for security certifications or assessing security measures, focus on these principles:

  • Confidentiality: Regulating access to assets.
  • Integrity: Managing and monitoring changes.
  • Availability: Ensuring assets are accessible when needed.

By mastering these concepts, you'll be well-equipped to tackle the next lesson on security threats. Stay tuned!