What is "Information Security" anyway?

Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

What is "Information Security" anyway?

by Simon Biles

So what is "Information Security" anyway? The traditional model that is taught to all InfoSec newbies is based around the “CIA Triad” – this isn’t some weird American-Chinese governmental underground society – rather it is the “holy trinity” of Confidentiality, Integrity and Availability that is used to define security. It’s been around for over 20 years, and, dig as I might, I couldn’t find the original source ( if anyone knows – please tell me ! ), it hasn’t stood unchallenged – more of that later – but certainly it is still in daily use, and, if your InfoSec professional doesn’t know what it stands for, it’s time to get a new professional ! In any case, it isn’t a bad place to start, so here are the component parts for you…

Please use this thread for discussion of Simon's latest column.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

The traditional model that is taught to all InfoSec newbies is based around the “CIA Triad” – this isn’t some weird American-Chinese governmental underground society – rather it is the “holy trinity” of Confidentiality, Integrity and Availability that is used to define security. It’s been around for over 20 years, and, dig as I might, I couldn’t find the original source ( if anyone knows – please tell me ! ), it hasn’t stood unchallenged – more of that later – but certainly it is still in daily use, and, if your InfoSec professional doesn’t know what it stands for, it’s time to get a new professional !

The immediate origin of CIA is probably the TCSEC (or perhaps a related Canadian standard that I forget the name of) and later Common Criteria – it's ironical that a framework for evaluating security in products and services should be used for dealing with information security in businesses.

It started out with the Orange Book, of course, where confidentiality was the only factor (after all, it was a military standard). The other two properties came later, when the evaluation criteria were used by civilians.

It's ironical that C, I or A are not defined by any of the 'standards' that I remember. That leaves the door open for reinterpretation by everyone and his dog.

Integrity, for example, was once defined in terms of 'not allowing information within the system to be added, altered or deleted by unauthorized users'. Later, accidental modification by authorized users was added – which is the most common reason data goes bad. Even so, integrity does not relate to information quality – only what happens to the information while it is inside an information system. Nor does integrity deal with the question of whether the information is correct when it enters or leaves the system. (If it should, we need an authoritative definition of the term…)

That, however, is a problem for any manager of a decision support system: if the input is garbage, the decisions will be poor. Clearly a business security problem. And I have seen people trying to redefine 'integrity' to include 'quality', only to discover that they have problems talking with other people who have not made a similar redefinition of the term. Altering the basic terminology of information security must surely also be a security risk … so the absence of definitions in, say, ISO 27002, is probably a security risk.

(Section 2.5 in that document makes the connection between information security and preservation of confidentiality, integrity and availability of information, but notes that authenticity, accountability, reliability, and other properties may also be involved. That kind of open-ended definition surely indicates that this particular type of definition by enumeration of properties is not a very good one.)

A definition I have found very useful is

Security is a measure of how well a system withstands the effects of unwanted events.

The thing I like about it is that it defines security as a single attribute of a system. If we don't have a system context established and still talk about security, we are very probably talking through our hats. And we don't have to deal with the problem of how three or six or eight categories are defined. (And I better say that 'system' refers to any 'system' in the sense it is used by general systems theory, not just computer or information systems. It's a very, very wide definition.)

Unfortunately, there is no good way of measuring effects of events, so it's not a definition that can be put to immediate practical use. I generally substitute 'is a measure of' with 'deals with the problem of', which tends to focus the attention on the unwanted events, which often is the best way of approaching the basic problems involved.

azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

A definition I have found very useful is

Security is a measure of how well a system withstands the effects of unwanted events.

Very succinct, and conceptually I understand the desire to bring it down to a single liner.

I think that it creates a problem defining the scope of the "system" - clearly this works very well for availability - for integrity I can see it as tolerable - however for the concept of confidentiality your system scope immediately becomes massive, as the ability of the company/military/country to cope with a leak in confidentiality is called into question. As you say, "deals with the problem of" does somewhat mitigate this problem.

Incidentally, the Orange Book makes an issue of integrity - perhaps not as widely as the current interpretation, but certainly with regard to protective markings & "system integrity" - availability isn't mentioned at all in the Orange Book though! There are, however, references within the Rainbow Series to the "National Policy on Secrecy, Integrity, and Availability", although I can find no further reference to this, its publication date or content …

Si

(@joeltharas)
Trusted Member
Joined: 16 years ago
Posts: 53
 

Great reading.
Thanks.
Joe.
