Confidentiality, Integrity, Availability, and Safety – CompTIA Security+ SY0-401: 2.9

December 4, 2019 posted by

The fundamentals of security are often rolled up into a set of principles called the AIC triad. This stands for availability, integrity, and confidentiality. The availability part of the triad is referring to systems being up and running. You want to maintain availability of all of your servers and all of your networks and make them available for everyone. The integrity side means that as traffic is traveling from one side to another, you want to be sure that nobody makes any changes to that information. When it’s received, you want to be sure the integrity of the data is maintained all the way through the system. And with confidentiality, we want to be sure that the only people who are able to view this information are the ones that have the rights and permissions to do so.

With confidentiality,
only certain people should have access to certain types of information. We can manage this in a number of different ways. One very common way is through encryption. You can encrypt information and send it to another person. And that person can then decrypt the data, but anywhere along the way that data stays private. Nobody’s able to see the information that you were sending.

You can also provide confidentiality through access controls. You set rights and permissions to a file or a resource, and you can apply those permissions to groups of people or individuals so that only those people would be able to view that information.

You can even provide confidentiality in unexpected ways, like using something like steganography. This means that you’re concealing information and data within another piece of information. We commonly see steganography used to hide data or information within pictures and then send those pictures across the network or post them to a web page. For people who are surfing the net, they’re viewing the page and looking at normal images. But if you’re somebody who knows that that information is hidden in the image, you can download it and extract that information directly from inside of those pictures.

In the security
world, integrity means that when we send information from one point to another, that information is not changed anywhere in between. And everything that we have received is being received and stored exactly the way it was intended when it was sent. That means if any part of this data has changed anywhere in that transmission, we are aware that this change has occurred.

One way to maintain integrity is to create a hash of what we’ve sent. And on the other end, after this information has been received, the other end can perform exactly the same hashing algorithm and then compare the original hash with the ultimate hash that was received. This way we’re able to be sure that what we received was exactly what was sent.

A more advanced
form of integrity might be something like a digital signature. This is a mathematical scheme that allows the sender of the data to digitally sign the information that’s being sent. And on the other end, that signature can then be checked. And the signature is also maintaining the integrity of the data. If the digital signature doesn’t match when it gets to the other side, then something has either changed with the signature or the data. And clearly there’s a problem with the integrity of the data that was received.

Digital signatures usually work in conjunction with certificates. These certificates are used to sign this data originally so that on the other side the certificate is then compared. Generally, certificates are also associated with individuals or resources so you can be sure that the data came from exactly who you expected.

If someone has digitally signed some information and they’ve sent it to you and you were able to verify the digital signature and the integrity of the data, that’s something that we call non-repudiation. That means the person who sent the data would not be able to say that anything had been changed within that. They would not be able to repudiate what was received by you, because you are able to confirm that the information you’ve received is exactly the same information that was sent.

The idea of availability means
that your information is always going to be something you can access. If you need to get a report from a server, it should always be there. If there’s a video you need to watch, that video needs to be instantly available.

One way to provide this availability is through redundancy. That means we have multiple systems available to provide access to these services. We might have multiple routers or multiple switches or even multiple servers located in different locations. That way, if anything was to happen, we would be assured that this service would maintain its availability because you’d have a complete duplicate still running somewhere else.

This is very similar to a design that might be fault tolerant. That means there is absolutely a failure of some kind within the system, but it’s going to continue to run. In a fault-tolerant system, you could even have the system running not as effectively as it was before. But at least the services would still be available.

We don’t usually think of patching our operating systems or our applications as availability. But indeed this does help, because you’re creating a more stable environment. And in the case of security patches, you’re making sure that the bad guys aren’t able to affect the availability of those systems.

Another important
security concern is the safety of the people within your organization and the data that your organization has as an asset. These are things where you would create escape plans and routes. So if there was a problem with the building or a fire, everyone would know the best way to get out of the building or the best way to get out of the entire area.

To do this, you would commonly run drills to make sure that everybody could get out of the building and go to the correct location, and that they could do it as quickly as possible. Once those drills are complete, you can analyze how quickly people were able to get to their proper locations and then adjust and make any changes that might be appropriate.

It’s also very common to run digital tests against your systems and your protections to make sure that people don’t have access to your data. You want to keep your data just as safe as you keep your people. And that way, you’ll be able to maintain the uptime and availability of all of your systems.
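
The hash comparison and the digital signature check described in the integrity discussion above, side by side, as an added example that is not part of the original transcript. The signing key is a toy RSA key built from two small known primes and the message is constructed; real signatures use far larger keys, padding, and a vetted library.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed for this
# example; far too small for real use, and real signatures also add padding).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key: (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, kept by the sender


def digest(data: bytes) -> str:
    """Hash that both ends compute independently and then compare."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, sent_hash: str) -> bool:
    """Receiver side of the plain hash comparison."""
    return digest(data) == sent_hash


def sign(data: bytes) -> int:
    """Sender: transform the hash of the data with the private exponent."""
    return pow(int(digest(data), 16) % N, D, N)


def signature_valid(data: bytes, signature: int) -> bool:
    """Receiver: undo the transform with the public key, compare to own hash."""
    return pow(signature, E, N) == int(digest(data), 16) % N


def demo() -> dict:
    original = b"transfer 100 to account 42"   # constructed sample message
    altered = b"transfer 900 to account 42"    # same message changed in transit
    sent_hash, signature = digest(original), sign(original)
    return {
        # Unchanged data passes both checks.
        "hash_ok": hash_matches(original, sent_hash),
        "signature_ok": signature_valid(original, signature),
        # A change to the data alone is caught by either check.
        "hash_detects_change": not hash_matches(altered, sent_hash),
        "signature_detects_change": not signature_valid(altered, signature),
        # If the hash travels with the data and is recomputed along with the
        # change, the plain comparison passes; the signature still fails
        # because it cannot be regenerated without the private exponent.
        "recomputed_hash_accepted": hash_matches(altered, digest(altered)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last entry is why a hash alone only protects integrity when it reaches the receiver over a path the data did not take, and why the signature, tied to a key only the sender holds, is what supports non-repudiation.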


One Reply to “Confidentiality, Integrity, Availability, and Safety – CompTIA Security+ SY0-401: 2.9”

  1. JARED KINDALL says:

    AIC and CIA interchangeable? Just curious cause the Security+ book I read uses CIA instead.
