For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!
This article is for beginners in security or other IT folk, not experts. :-D
The mandate and purpose of every IT security team is to protect the confidentiality, integrity and availability of the systems and data that the company, government or organization that they work for. That is why the security team hassles you about having administrator rights on your work machine, won’t let you plug unknown devices into the network, and all the other things that feel inconvenient; they want to ensure these three things. We call it “The CIA Triad” for short.
Let’s examine this using examples with our friends Alice and Bob. Alice has type 1 diabetes and uses a tiny device implanted in her arm to check her insulin several times a day, while Bob has a ‘smart’ pacemaker that regulates his heart, which he accessed via a mobile app on this phone.
Availability
If Alice’s insulin measuring device was unavailable due to malfunction, tampering or if it ran out of batteries, she may end up being inconvenienced. Since Alice usually checks her insulin levels several times a day, but she is able to do manual testing of her insulin if she needs to, it is somewhat important to her that this service is available.
Bob, on the other hand, has irregular heartbeats from time to time, and never knows when his arrhythmia will strike. If Bob’s pacemaker was not available when his heart is behaving erratically, this could be a life or death situation if enough time elapses. It is very important that his pacemaker is available, and that it reacts in real-time when an emergency happens. Bob works for the federal government as a clerk managing secret and top-secret documents and has for many years. He is a proud grandfather and is trying hard to live a healthy live since his pacemaker was installed.
Confidentiality
Alice is the CEO of a large fortune 500 company, and although she is not ashamed that she is a type 1 diabetic, she does not want this information to become public. She is often interviewed by the media and does public speaking, serving as a role model for many other women in business. Alice works hard to keep her personal life private, and this includes her health condition. She believes that some people within her organization are after her job and would do anything to try to portray her as ‘weak’ in efforts to undermine her authority. If her device where to accidentally leak her information, show itself on public networks, or if her account information became part of a breach, this would be highly embarrassing for her, and potentially damaging to her career. Keeping her private life private is very important to Alice.
Bob, on the other hand, is very open about his heart condition and happy to tell anyone that he has a pacemaker. He has a great insurance plan with the federal government and is very grateful that when he retires that he can continue with his plan, despite his pre-existing condition. Confidentiality is not a priority for Bob in this respect.
Integrity
Integrity in data means that the data is correct and accurate. Integrity in a computer system means that the results it gives you are precise and factual. For Bob and Alice, this may be the most important of CIA factors: if either of their systems give them incorrect treatment it could result in death. For a human being (as opposed to a company or nation-state), there does not exist a more serious repercussion than end of life. The integrity of their health systems is crucial to ensuring they both remain in good health.
The next time you IT Security team is enforcing a new policy or asking for security requirements as part of your project, I challenge you to try to figure out which of the CIA triad they might be trying to protect with their actions. Sometimes it is a combination of 2 or of the triad. More importantly, I challenge you to ask yourself when you work if you are ensuring each of these three factors of security are being protected by your actions, as the IT Security team cannot succeed alone.
Top comments (2)
This is an interesting take on it, and one I've never really considered before. I know that sometimes, changing policies can be an inconvenience for the end user especially when it comes to changing passwords. However, by framing it within the CIA triangle, it's easier to relate.
Agree with author above 👏