Monday, March 1, 2010

CIA Triad

Let’s start with a list:

  1. “Our new company policy must protect Confidentiality, Integrity, and Availability”
  2. “The goal of information security is the protection of the CIA Triad”
  3. “Before we design this architecture, we need to assess the Risk of Availability, Integrity and Confidentiality”

Where did the concepts of the CIA trinity come from? So far I’ve pinpointed Confidentiality being addressed by LaPadula and Bell in 1976 in their mandatory access control model for Honeywell Multics. This, as you may have guessed, was to address the problem of disclosure of classified data on information systems.
Next, I found Clark and Wilson’s work in 1987 on Integrity, recognizing that the commercial sector’s primary focus was on the Integrity of the data on their information systems (think: accounting data).
Both of these were derived as “multilevel security” (think: Orange Book, 1983) as an operating system design principle. And the third leg that creates the triumvirate? Availability. I simply couldn’t find anything I could use as an authoritative source. If I were to guess, the Morris Worm may have had an influence on Availability reaching the status it has. (Am I wrong?)

So when did we accept the wisdom that CIA is the core to information security? When did CIA become potential risk? When did we make the conscious decision to apply system design principles to complex systems of systems, policy, and more? CIA is good: it is good as an anchor while architecting a system.

I’m hesitant to say CIA is good in wider contexts. Indeed, I cringe when it’s used outside of system design principles. It’s an oversimplification, which has the Risk of creating blind spots in thought. For instance, CIA does not address misuse of the system, especially when that misuse does not have a functional impact. If a system has a loss of positive control (say, it’s part of a botnet) and begins sending spam out at a rate of 10 messages/minute, does it impact CIA? See Tragedy of the Commons.

I’m also not convinced CIA can truly represent secure systems of systems (networks) in any meaningful (indeed, measurable) manner due to the asymmetric conditions.  Ignoring high complexity, the pace of change to networks is too rapid to create a secure state that can be enforced.  A simple addition of one device could completely unbalance any CIA which was perceived to be in place.
