ZDNet UK



The view from here

These are usually things I find hard to understand, the more I write, the more confused I get...


Tuesday 18 September 2007, 7:53 PM

Confidentiality, Integrity and Availability

Posted by robnewby

Anyone coming into the world of security today learns this straight off the bat: CIA. Confidentiality, privacy of information, is required to keep information secret. Integrity of information is required to make sure data remains the same in any transaction, and availability of information is vital for any sort of transaction to occur in the first place.

All too often this gets ignored by business, and availability is made king. Confidentiality is often an afterthought, and what of integrity?

Consider, for a moment, your network. The fact that you have a network means that someone has invested in availability. What was the first piece of security they put in place? Probably a firewall. All a firewall does is restrict access, so this is anti-availability, isn't it? Yes, but it also creates an element of confidentiality. Granted, it is protecting computer ports from external attack, and not much else, but it is still a form of confidentiality. In fact, it should also help to provide integrity: the system integrity of anything behind the firewall. I will talk about this in more detail in a coming post.

What else does every network have these days? Antivirus, perhaps. AV is a case in point for integrity. AV is there to protect your systems and networks from any rogue viruses and malware which might infect them: the very definition of integrity. However, the best way to protect integrity is to not allow anything to happen to a system. The way most AVs work is to screen traffic entering a system and compare it against a known list. Thus 0day viruses are still beating even the most up-to-date systems, and always do the most damage before they are caught.
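The contrast drawn above, between comparing content against a known list and refusing any unrecorded change, as an added example that is not part of the original post. File names, contents, the key and all function names are constructed for illustration; the baseline manifest is sealed with an HMAC so that the record of "known good" has integrity of its own.

```python
import hashlib
import hmac
import json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def signature_scan(files, known_bad):
    """AV-style check: flag only content whose hash is on the known list."""
    return sorted(n for n, d in files.items() if digest(d) in known_bad)

def seal(manifest, key):
    """HMAC over a canonical form of the manifest, so edits to it are detectable."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_baseline(files, key):
    """Record the known-good state of every file and seal that record."""
    manifest = {n: digest(d) for n, d in files.items()}
    return manifest, seal(manifest, key)

def integrity_check(files, manifest, tag, key):
    """Integrity-style check: report any deviation from the sealed baseline."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        raise ValueError("baseline manifest has been altered")
    current = {n: digest(d) for n, d in files.items()}
    shared = current.keys() & manifest.keys()
    return {
        "modified": sorted(n for n in shared if current[n] != manifest[n]),
        "added": sorted(current.keys() - manifest.keys()),
        "removed": sorted(manifest.keys() - current.keys()),
    }

# Constructed sample data: a clean system, a known list, and a changed system.
KEY = b"constructed-demo-key"
CLEAN = {"login.cgi": b"check_password()", "index.html": b"<h1>Welcome</h1>"}
KNOWN_BAD = {digest(b"previously-catalogued-sample")}
CHANGED = {
    "login.cgi": b"check_password(); extra_step()",  # altered, hash not on any list
    "index.html": b"<h1>Welcome</h1>",
    "new.bin": b"never-seen-before",                  # new, hash not on any list
}
MANIFEST, TAG = build_baseline(CLEAN, KEY)

if __name__ == "__main__":
    print("known-list scan:", signature_scan(CHANGED, KNOWN_BAD))
    print("baseline check: ", integrity_check(CHANGED, MANIFEST, TAG, KEY))
```

The known-list scan reports nothing for the changed system, while the baseline check reports both the altered file and the new one.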

So, I don't consider AV a true integrity system, merely a reaction to a problem. No, few people understand integrity properly. One who does is Fred Cohen, an acquaintance from my previous job:

"Here's one to put to a friend in the military. Which would be worse?

* The enemy can forge electronic communications.
* The enemy can cut off all electronic communications.
* The enemy can listen in on all electronic communications.

It's a more interesting question in this case, but I think you will find that most military people will tell you that the loss of integrity is far worse than the loss of availability or secrecy. Without integrity, we can be ordered to kill our own troops. Without secrecy, the enemy will know our plans. Without availability, we have to alter our fighting style."

Integrity is often difficult to envisage, and confidentiality can be given too much emphasis. I now work for an encryption company, so I'm glad that people are interested in confidentiality as never before; however, I am constantly surprised at the lack of interest in integrity.

With the range of new compliance measures coming in, there will be increasing pressure on business to consider confidentiality and integrity, if not to understand them fully. Emphasis is shifting from network security to data security, which brings with it the relatively quiet but massively important question of user security. From availability, the market is moving towards confidentiality as more is understood in these areas. Integrity is coming in quietly behind its bigger brothers.

It is no surprise to me that identity theft is the fastest growing crime in the world when user security and integrity are largely misunderstood and ignored.

