A little more than the CIA Triad!

Raja Srivathsav
Coinmonks
6 min read · Oct 15, 2020



Any student or professional in the domain of cyber security is well aware of the CIA Triad. Confidentiality, Integrity and Availability are thought of as the infinity stones of the cyber-sec universe, the properties an organization should consider from an information security design, implementation and assurance standpoint. In this ever-evolving domain, stuck in a loop of rise-fall-rise (develop, get hacked, upgrade), there are a few more things to focus on in addition to the CIA triad.

I am referring to one of the Information Assurance & Security (IA&S) models, known as the Reference Model of Information Assurance and Security (RMIAS), which was proposed by Yulia Cherdantseva and Jeremy Hilton. Here’s the complete paper.

This model divides the complete security architecture of an organization into four main blocks: the Security Development Life Cycle, Information Taxonomy, Security Goals and Security Countermeasures.

Yes, all of these terms may seem familiar and may give a veteran of cyber security the impression that there is nothing new here. However, our main focus in this article will be on the Security Goals this model proposes, and on showing that there are eight, not three, infinity stones in the cyber-sec universe.

The Security Goals of the RMIAS Model

I’d strongly recommend you read the paper before or after you read this article, as it has a lot more to it than the security goals we will be discussing. Here, however, we will emphasize the overall involvement and importance of these security goals, and why they should be incorporated into every development phase of an Information Technology project (as a best practice). The following are the 8 security goals:

  • Confidentiality
  • Integrity
  • Availability
  • Accountability
  • Privacy
  • Authenticity and Trustworthiness
  • Non-Repudiation
  • Auditability

Confidentiality

Any information system capable of storing, accessing and modifying data should keep that data confidential for its consumer. Every action performed on the data should be authorized, and no unauthorized access should be allowed.

Implementations of confidentiality in information systems include access control lists (ACLs) and the use of cryptographic algorithms while storing and transferring information.
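To make the ACL idea concrete, here is an added example (not code from the RMIAS paper or from any product) of a deny-by-default ACL evaluator. The users, groups and the payroll policy are constructed for illustration; the two rules worth noticing are that a request with no matching entry is refused, and that an explicit deny beats any group-level allow.

```python
"""Deny-by-default access control list (ACL) evaluation.

Added example for this article; it is not code from the RMIAS paper or any
product. The principals, groups and the payroll policy are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class AclEntry:
    principal: str           # a user ("bob") or a group ("group:finance")
    actions: FrozenSet[str]  # actions this entry covers, e.g. {"read", "write"}
    effect: str              # "allow" or "deny"


# Constructed policy protecting one resource, the payroll file.
PAYROLL_ACL = (
    AclEntry("group:finance", frozenset({"read", "write"}), "allow"),
    AclEntry("group:auditors", frozenset({"read"}), "allow"),
    # bob is in finance, but a specific deny keeps him from writing.
    AclEntry("bob", frozenset({"write"}), "deny"),
)


def is_permitted(user: str, groups: Iterable[str], action: str,
                 acl: Iterable[AclEntry]) -> bool:
    """Return True only if some entry allows the action and none denies it.

    Two rules keep the check fail-closed:
      1. deny by default: no matching entry means no access;
      2. deny overrides allow: an explicit deny wins over any group grant.
    """
    principals = {user} | {f"group:{g}" for g in groups}
    allowed = False
    for entry in acl:
        if entry.principal in principals and action in entry.actions:
            if entry.effect == "deny":
                return False
            allowed = True
    return allowed


def demo() -> dict:
    """Evaluate a few constructed requests against PAYROLL_ACL."""
    return {
        "alice_write": is_permitted("alice", {"finance"}, "write", PAYROLL_ACL),
        "bob_read": is_permitted("bob", {"finance"}, "read", PAYROLL_ACL),
        "bob_write": is_permitted("bob", {"finance"}, "write", PAYROLL_ACL),
        "carol_read": is_permitted("carol", {"auditors"}, "read", PAYROLL_ACL),
        "carol_write": is_permitted("carol", {"auditors"}, "write", PAYROLL_ACL),
        "dave_read": is_permitted("dave", set(), "read", PAYROLL_ACL),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {'ALLOW' if decision else 'DENY'}")
```

Running it shows alice and carol getting exactly what their groups grant, bob reading but not writing, and dave, who matches no entry at all, getting nothing. The ordering of entries does not matter because a deny short-circuits the loop wherever it sits.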

Integrity

This feature makes sure that the data accessed by the consumer is in no way contaminated. Any unauthorized modification, either in storage or during transmission, should not be possible. It ensures that the data a consumer stores, or an application processes, is genuine and has not been tampered with by any unauthorized party.

Anomaly checks and hashing, applied in both storage applications and processing applications, are a few integrity implementations.
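The following added example (not code from the RMIAS paper) shows what hashing does and does not give you for stored data. The record and the key are constructed. A plain SHA-256 digest catches accidental corruption, but anyone who can rewrite the data can also rewrite the digest beside it; a keyed digest (HMAC) with a key held away from the storage is what still catches that case.

```python
"""Integrity checks on a stored record: unkeyed hash versus keyed hash (HMAC).

Added example for this article, not code from the RMIAS paper. The record
and the key are constructed; in a real system the key would live in a
secrets store, separate from the data it protects.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_hex(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def store(data: bytes, key: bytes) -> dict:
    """Write a record with both an unkeyed digest and a keyed one."""
    return {"data": data, "sha256": sha256_hex(data), "hmac": hmac_hex(data, key)}


def verify_unkeyed(record: dict) -> bool:
    return hmac.compare_digest(sha256_hex(record["data"]), record["sha256"])


def verify_keyed(record: dict, key: bytes) -> bool:
    return hmac.compare_digest(hmac_hex(record["data"], key), record["hmac"])


def demo(key: Optional[bytes] = None) -> dict:
    """Three states of one record and what each check says about it."""
    key = key or secrets.token_bytes(32)
    intact = store(b"account=42;balance=100", key)

    # 1. Accidental corruption (disk error, bad write): the data changed,
    #    the stored digests did not.
    corrupted = dict(intact, data=b"account=42;balance=101")

    # 2. Modification by someone with write access to the storage: the data
    #    changed AND the unkeyed digest was recomputed to match it. The HMAC
    #    cannot be recomputed without the key, so it still fails.
    rewritten = dict(corrupted, sha256=sha256_hex(corrupted["data"]))

    return {
        "intact": (verify_unkeyed(intact), verify_keyed(intact, key)),
        "corrupted": (verify_unkeyed(corrupted), verify_keyed(corrupted, key)),
        "rewritten": (verify_unkeyed(rewritten), verify_keyed(rewritten, key)),
    }


if __name__ == "__main__":
    for state, (plain_ok, keyed_ok) in demo().items():
        print(f"{state:10s} sha256={plain_ok!s:5s} hmac={keyed_ok!s}")
```

The "rewritten" row is the one to remember: the plain digest reports the record as intact, the keyed digest does not. `hmac.compare_digest` is used for both comparisons so that the check does not leak how many leading characters matched.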

Availability

Availability is how readily accessible the informational asset is to the authorized user or owner, with the highest efficiency and no interruptions. It also covers how resilient an information processing system is against attacks like Denial of Service (DoS) and Distributed Denial of Service (DDoS). In this digital world, the availability of an informational asset is directly proportional to the success of the organization’s functioning.

Implementations like Load balancing, Distributed asset storage and Decentralized architecture contribute a ton to strong availability.

Accountability

Accountability is the ability of an information system to scrutinize the actions of an entity and hold that entity responsible for them.

Let’s not confuse this with integrity: integrity makes sure that the data in question isn’t tampered with, whereas accountability comes into play once an authorized change is made to the information. No entity (either an authorized actor or the owner itself) should be able to deny the changes it made.

Digital signatures, asymmetric cryptography and digital certificates are a few notable accountability mechanisms.

Privacy

Privacy is the ability to refrain from sharing who or what owns an asset, along with its associated attributes. Depending on how the information system is implemented, the asset owner should be able to decide the norms under which that information is accessed and worked on.

It also involves complying with the legislation and policy frameworks surrounding privacy, such as the GDPR and the NIST Privacy Framework.

Authenticity and Trustworthiness

Every system in the information system tree should be able to establish trust and authenticity before acting on the mutual purpose of an interaction. In other words, before the key purpose is pursued, the two entities engaging in the communication should be able to trust and authenticate each other. Once this is achieved, the actual transaction can go ahead.

For example, each time we visit our banking page we can make sure that we have actually reached the bank’s genuine page and not a phishing site, by checking things like the SSL keys, the certificate and the domain registration details. Similarly, the bank can authenticate us by asking for the unique ID associated with our bank account, which we use to log in or make a transaction, and in some cases an OTP via SMS or an authenticator app if available.

Non-Repudiation

Any subject that has acted on a particular information object should be able to confirm the action performed, and must not be able to deny the change once it has been proven.

For example, when a friend of mine sends me an email, I can clearly verify the email address used, the originating IP and the digital signature that is specific to my friend and his email service provider. A system that fails to provide its users with non-repudiation might lead to serious impersonation attacks.
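Both the accountability section above (digital signatures as the mechanism) and this non-repudiation example rest on one property: a signature that only the private-key holder can produce but anyone with the public key can check. The added example below (not code from the RMIAS paper or from any library) implements a Lamport one-time signature from SHA-256 alone so the mechanism is visible end to end; the "friend", the mail text and the key pairs are constructed. A symmetric MAC cannot give non-repudiation, because whoever can verify a MAC can also forge one.

```python
"""One-time (Lamport) digital signature built from SHA-256 alone.

Added example for this article, not code from the RMIAS paper or from any
library; the "friend" and the message are constructed. It demonstrates the
property behind accountability and non-repudiation: only the holder of the
private key can produce a valid signature, while anyone with the public key
can check it, so the signer cannot later deny it.
Caveat: a Lamport key pair may sign ONE message; a second signature reveals
enough of the private key to forge. Use a standard scheme (Ed25519, RSA-PSS,
ECDSA) in production; the construction here is for understanding.
"""
import hashlib
import secrets

DIGEST_BITS = 256


def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(DIGEST_BITS)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def _message_bits(message: bytes):
    d = int.from_bytes(_h(message), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(private, message: bytes):
    """For each bit of H(message), reveal the secret of that pair chosen by the bit."""
    return [private[i][bit] for i, bit in enumerate(_message_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    """Hash each revealed secret and compare with the public value for that bit."""
    if len(signature) != DIGEST_BITS:
        return False
    bits = _message_bits(message)
    return all(_h(s) == public[i][bits[i]] for i, s in enumerate(signature))


def demo() -> dict:
    """Sign a constructed mail and check it as the recipient would."""
    friend_private, friend_public = keygen()
    mail = b"From: friend\nTo: me\n\nLunch on Friday?"
    sig = sign(friend_private, mail)

    _, stranger_public = keygen()  # a different person's key pair

    return {
        "genuine": verify(friend_public, mail, sig),
        "altered_text": verify(friend_public, mail.replace(b"Friday", b"Monday"), sig),
        "wrong_signer": verify(stranger_public, mail, sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

The recipient never holds anything that lets them produce a signature, which is exactly why the sender cannot later claim the recipient forged it. What this block does not cover, and what a mail provider's setup adds on top, is binding the public key to an identity (certificates) and to a point in time; without that binding, a valid signature proves only that some key holder signed.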

Auditability

Every change or action performed on an informational asset should be auditable. This is achieved by recording and validating every change ever made to an asset and storing those records for a future audit. These changes should include those made by both humans and information processing systems. Both external and internal audits should be possible and must lead towards compliance. It should also apply to both centralized and decentralized information system trees.

However, the extent of auditability, the retention of records and the applicable laws may vary depending upon the industry using the information systems. For example, an organization dealing with clients’ payment information may have to follow stricter regulatory compliance guidelines than an organization that maintains the daily token count of a particular subway station.
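"Recording and validating every change" only supports an audit if the record itself cannot be quietly edited afterwards. The added example below (not code from the RMIAS paper; the events, actors and file name are constructed) keeps an append-only log as a hash chain, so that editing, deleting or reordering any earlier record invalidates everything after it, and shows why the latest hash should be copied somewhere the log writer cannot reach.

```python
"""Tamper-evident, append-only audit log using a hash chain.

Added example for this article, not code from the RMIAS paper; the events
are constructed. Each record's hash covers the previous record's hash, so
editing, deleting or reordering any earlier record invalidates every record
after it. The latest hash (the "head") should be copied to a place the log
writer cannot modify, so that rewriting the whole file is also detected.
"""
import copy
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the very first record


def record_hash(prev_hash: str, event: dict) -> str:
    payload = json.dumps({"prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append(log: list, event: dict) -> str:
    """Append an event, chaining it to the current last record; return its hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "hash": record_hash(prev, event)})
    return log[-1]["hash"]


def verify_chain(log: list, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["hash"] != record_hash(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        # self-consistent, but not the chain whose head we recorded elsewhere
        return False, len(log)
    return True, None


def demo() -> dict:
    """Build a three-event log, then check it in four states."""
    log = []
    head = GENESIS
    for ev in [
        {"seq": 1, "actor": "alice", "action": "read", "object": "payroll.xlsx"},
        {"seq": 2, "actor": "bob", "action": "update", "object": "payroll.xlsx"},
        {"seq": 3, "actor": "batch-job", "action": "export", "object": "payroll.xlsx"},
    ]:
        head = append(log, ev)  # head would be copied to a separate system

    edited = copy.deepcopy(log)
    edited[1]["event"]["actor"] = "mallory"  # blame shifted, hashes left as they were

    deleted = copy.deepcopy(log)
    del deleted[1]  # bob's change removed from the record

    rebuilt = []  # whole file regenerated with consistent hashes after the edit
    for rec in edited:
        append(rebuilt, rec["event"])

    return {
        "intact": verify_chain(log, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "rebuilt_no_head": verify_chain(rebuilt),
        "rebuilt_with_head": verify_chain(rebuilt, head),
    }


if __name__ == "__main__":
    for state, (ok, bad_index) in demo().items():
        print(f"{state:18s} intact={ok} first_bad_record={bad_index}")
```

The last two rows are the practical lesson: a chain checked only against itself accepts a fully regenerated log, while the same chain checked against a head stored out of the writer's reach does not. That external copy of the head is the cheap part; deciding how long records are retained is the part the regulatory context above dictates.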

Knowing these 8 security goals didn’t make much of a difference to me initially. But once I tried putting these goals to use in my approach to different projects, I realized how much more mature my thought process had become, and how it helped me transform my analyst’s perspective into that of an ideal security architect.

This brings us to the end of the article. Please consider that the above article is a combined and simplified version of openly available materials on the internet, and I’ve tried to simplify it as much as possible. Also, I’m open to suggestions and any corrections required to make this a better resource for everyone! Feel free to reach out to me via LinkedIn or to follow me on Twitter!
