With the rise of hackers, security has become a hot-button issue. A simple search of the word “hacker” reveals numerous stories about hackers finding ways to compromise sensitive information or breach supposedly secure systems. Hackers have proliferated and formed organizations where they pool their resources and talents to achieve a number of objectives. Organizations such as “LulzSec” have pulled off some of the most unthinkable hacking jobs, which have made news headlines.
Before delving into implementing security, it is important to identify a clear security policy as the guide for making decisions. Security professionals use many different tools to evaluate which kinds of policies should be used. The most important thing any IT professional needs to learn is that there is no such thing as perfect security, and that every security policy involves tradeoffs that must be understood. Instead of asking, “How do I make this perfectly secure?”, they should be asking, “What am I protecting, and how important is it to protect?”
The CIA Triangle
To understand why this second question is important, security policy writers usually turn to the CIA triangle. CIA stands for confidentiality, integrity, and availability. One can never accomplish one of these objectives fully without sacrificing the other two to some extent.
Confidentiality – This axis of the triangle refers to how limited access to the information is. It covers both granting access and restricting it. To put it simply, only the people who need the information should have access, and only to the information they need and are authorized to view.
Integrity – This axis refers to how trustworthy the data is. Integrity can be compromised in several ways. Common ones include a person changing records in a table, either accidentally or on purpose; corruption of data while it is stored or in transmission; and databases and views being out of sync with each other. The goal of high integrity is to make sure the data is correct when viewed, showing the right number of records and the right values.
Availability – This axis refers to how easily accessible the data is. It is important that those who need the stored information can access it easily enough. If you can’t get to it, you might as well not have it. On the other hand, if the data is exposed, it is vulnerable to denial-of-service attacks, and it can be corrupted by malicious or careless users.
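Two of the three axes can be made concrete in a few lines of code. The example below is added here and is not part of the original article; it assumes a constructed secret key and a constructed per-field access policy. It tags each record with an HMAC so that an accidental corruption or a deliberate edit of a stored or transmitted record is detected (the integrity axis), and it filters a record down to the fields a user’s roles are authorized to see (the confidentiality axis). The tradeoff the article describes shows up directly: the more roles the policy grants, the more available the data and the weaker its confidentiality.

```python
import hashlib
import hmac
import json

# Constructed demo key. Hypothetical: a real deployment would load this from
# a secrets store rather than embed it in source.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed per-field policy: which roles may view each field.
# This is an assumption for the example, not a policy from the article.
FIELD_POLICY = {
    "id": {"clerk", "auditor"},
    "balance": {"auditor"},
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so the same content always
    yields the same bytes (key order and whitespace must not matter)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = DEMO_KEY) -> str:
    """Compute an HMAC-SHA256 tag over the canonical form of a record.
    Anyone without the key cannot forge a tag for a modified record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = DEMO_KEY) -> bool:
    """Integrity check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_record(record, key), tag)


def find_tampered(store: list, key: bytes = DEMO_KEY) -> list:
    """Scan a list of (record, tag) pairs and return the ids of records
    whose content no longer matches the tag they were stored with."""
    return [rec["id"] for rec, tag in store if not verify_record(rec, tag, key)]


def authorized_view(record: dict, user_roles: set, policy: dict = FIELD_POLICY) -> dict:
    """Confidentiality check: return only the fields that at least one of
    the user's roles is permitted to see. Fields absent from the policy
    are denied by default (least privilege)."""
    return {
        field: value
        for field, value in record.items()
        if user_roles & policy.get(field, set())
    }


if __name__ == "__main__":
    # Constructed sample records.
    good = {"id": 7, "balance": 100}
    store = [(good, tag_record(good))]

    # Simulate a record altered after it was tagged (deliberate edit or
    # corruption in transit); the stored tag no longer matches.
    altered = {"id": 8, "balance": 100}
    store.append((altered, tag_record({"id": 8, "balance": 50})))

    print("tampered ids:", find_tampered(store))          # [8]
    print("clerk sees:", authorized_view(good, {"clerk"}))  # {'id': 7}
    print("auditor sees:", authorized_view(good, {"auditor"}))
```

Note that a MAC only detects modification; it does not prevent it, and it says nothing about whether the tagged value was correct in the first place. The confidentiality filter likewise depends entirely on the policy table being accurate, which is the "what am I protecting" question the article asks first.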
So, for example, if you want the data to be extremely available, you will have to reduce its confidentiality, because you will have to implement fewer, easier-to-bypass security measures. You might also have to sacrifice some integrity by allowing more users to edit the data. The key is to figure out just how secure, available, and reliable the data must be, and then implement the procedures and policies appropriate for those parameters. This tool is not the definitive end-all of security considerations. One of its main drawbacks is that it focuses on information and does not consider physical security or hardware resources. That is why this model is a good starting point that sets the tone for how complete security policies should be made, and why it should be fleshed out to include all the usual security considerations.