CIA of Security

posted on Thursday, May 28, 2009 4:18 PM

A few recent blog posts, including my own, have attempted to address the encryption conundrum. My original post talked about how you probably do not necessarily need encryption everywhere (including internal LAN); but have the ability to apply encryption anywhere there’s a potential risk/threat when sensitive data is being transmitted. Granular access control all within the context. Today Lori MacVittie posted an interesting article talking about some of the challenges of deploying encryption on the internal LAN as a follow up to a Network World article discussing encrypting all internal PCI traffic.

Encryption, however, is only one part of Information Security. The hallmarks of Information Security are Confidentiality, Integrity and Authenticity (some also say Availability). Encryption falls into the Confidentiality category – making sure that the information being transmitted stays private. Integrity means that the message itself hasn’t been altered in any way during the communication. Things like hashes and message digest ensure the communication stays intact. And Authenticity &/or Availability. Authenticity is the verification process that ensures all participants ‘are who they say they are’ and the guarantee that all parties are real. Authenticity is usually achieved with the use of digital certificates. Availability of the data, sort of speaks for itself :-)

There are many opinions & challenges when considering end-to-end encryption & I wasn’t necessarily commenting on the blogs mentioned but they did get me thinking about the basic pillars of Information Security.

5 Comments

Feedback

6/3/2009 2:48 PM
		As a certified security consultant I appreciate your coverage of security issues. My experience was always that the "A" is availability and had never heard it described as authenticity. Here's where I come from on the subject.
Lawrence

6/3/2009 3:34 PM
		Thanks for the note! Things like this always interest me - different interpretations of Acronyms. I was taught (years ago) it was Authenticity but being an F5er, I always think about availability :-) I did see the Wikipedia link while writing this (why I added it & Lori makes mention in a previous blog) but also ran across this: http://www.webupon.com/Security/CIA-Internet-Security-and-Privacy.135612 It was more to understand if I had been mislead way back when. Put it this way, I do agree with you and have seen it both ways - yet learned it slightly different. How does that jive?
psilva

6/3/2009 4:46 PM
		...one more thought, maybe it's morphed over time? Authenticity might have been the original intent or used initially due to the 'security' aspect of it all. Now, in a 24/7 global, regulatory contained, highly competitive marketplace, Availability of the data has become more paramount. Two frames of thought along with two somewhat independent reference links. gotta love it. I must admit, now that I've searched deeper, I've found more references to availability than authenticity yet plenty of opinions. Interestingly, I also found a link: (http://www.hitachi.com/rd/sdl/people/info_security/02.html) that had two references for 'I.' Integrity, of course and 'Accordingly, the "I" in "CIA" is also taken to mean "Identification".' Getting ID'd is a form of authentication. couple more: http://en.wikipedia.org/wiki/Parkerian_hexad http://securestate.blogspot.com/2008/07/take-a-out-of-cia-model-for-information.html http://www.brighthub.com/computing/smb-security/articles/29153.aspx (this article lists both Authenticity & Availability. We all win!! :-) ps
psilva

6/4/2009 5:42 PM
		CIA of Security II
Pete Silva

7/14/2009 12:10 PM
		Pete, In my training over the years I definitly see the same thing that you experienced. the reference to Availability and Integrity have changed over the years and I think that reflects not only changes in available technology but changes in how systems are being attacked. Five years ago encryption was a great tool to help secure communications. Now it is being used to attack systems covertly. Encryption is just a character obfuscator now and in no way denotes a secure connection without the Idenity and Authentication piece as you denoted. People need to think and evolve those thoughts as the industry does. The terms will change again and again to reflect different needs in the security climate. We are no longer, nor have we been for a long time, in an industry that is static. Computer communications in general are one of the MOST dynamic industries and Security is even more so. Thanks for the post and creating a thread of conversation on this. Mahalo bra, Tim
Tim Cullen

Let Me Know What You Think

Please use the form below if you have any comments, questions, or suggestions.

Title:

Name:

Email: (so we can show your gravatar)

Website:

Comment: Allowed tags: blockquote, a, strong, em, p, u, strike, super, sub, code

Remember Me?

Enter the code shown above:

Please add 6 and 8 and type the answer here:

		February, 2012 (2)
		January, 2012 (6)
		December, 2011 (5)
		November, 2011 (6)
		October, 2011 (14)
		September, 2011 (10)
		August, 2011 (11)
		July, 2011 (5)
		June, 2011 (7)
		May, 2011 (13)
		April, 2011 (5)
		March, 2011 (6)
		February, 2011 (14)
		January, 2011 (10)
		December, 2010 (6)
		November, 2010 (9)
		October, 2010 (8)
		September, 2010 (26)
		August, 2010 (17)
		July, 2010 (4)
		June, 2010 (5)
		May, 2010 (8)
		April, 2010 (13)
		March, 2010 (16)
		February, 2010 (4)
		January, 2010 (3)
		December, 2009 (6)
		November, 2009 (3)
		October, 2009 (6)
		September, 2009 (6)
		August, 2009 (7)
		July, 2009 (2)
		June, 2009 (1)
		May, 2009 (3)
		April, 2009 (2)
		March, 2009 (3)
		February, 2009 (2)
		January, 2009 (7)
		November, 2008 (1)
		October, 2008 (1)
		August, 2008 (1)
		November, 2007 (1)

CIA of Security

Feedback

Let Me Know What You Think

Links

Blog Stats

Tags

Post Categories

Archives

Getting Around DevCentral

82,243 Members in 102 Countries and Growing!

About DevCentral

Got It !

Get In Touch With Us

		Cloud Computing
		Security
		SSL VPN
		Information security
		pci
		PKI
		application attacks
		malware
		mitigation
		client security
		compliance
		notification laws
		social media
		social networks
		twitter
		facebook
		youtube
		digg
		peter silva
		social media stats
		ipv6
		ipv4
		2012
		context
		contextual aware
		user centric
		decision
		game show
		granular
		control
		identity
		cloud security
		virtualization
		sys-con
		cloud expo
		virtual
		glenn brunette
		sun microsystems
		Bruce Schneier
		Schneier on security
		research
		2009
		blog
		2010
		threat
		pci dss
		regulations
		espionage
		pentagon
		crown jewels
		tower of london
		health care
		banking
		prediction
		cybercrime
		cybercrime kits
		dyi
		dnssec
		dummies
		l0pht
		2600
		breach
		privacy
		breaches
		web security
		spam
		trojan
		gogrid
		blogger
		personal
		business
		H1N1 flu
		emergency preparedness
		disaster recovery
		network security
		oracle
		sso
		single sign on
		big-ip
		oracle access manager
		f5
		personal devices
		mobile devices
		mobile security
		windows
		microsoft
		windows 7
		desktop
		games
		gaming
		online games
		DDoS
		scams
		consolidation
		data center
		tech sector
		single purpose
		dedicated
		management
		access security
		policy enforcement
		utm
		processing power
		video
		audio
		multi-media
		dns
		webinar
		interview
		ioactive
		kaminsky
		dan kaminsky
		partner
		rsa
		xml
		splunk
		instructional
		in 5
		education
		training
		idc
		smart city
		smart grid
		infrastructure
		web 2.0
		standards
		inter-cloud
		interoperability
		application mobility
		peering
		confusion
		cloud confusion
		cloud survey
		edge gateway
		v10.1
		history
		words and meanings
		lists
		fun
		patent
		intellectual property
		trade secrets
		confucius
		cloudfucius
		series
		blog series
		a-z
		law
		constitution
		court
		fourth amendment
		gps
		government
		legal
		vmotion
		vmware
		case study
		interop
		v10.2
		database
		csrf
		asm
		adc
		arx
		data manager
		netapp
		storage
		WAN optimization
		application delivery
		optimization
		compression
		whitepaper
		statistics
		cloud research
		cloud stats
		LTM VE
		travel
		firepass
		encryption
		music
		humor
		uptime
		cloud outage
		SLA
		availability
		customer
		vmworld
		yankee group
		sports
		NFL
		performance
		acceleration
		peoplesoft
		rman
		recovery manager
		oow
		openworld
		replication
		integration
		apm
		wi-fi
		numbers
		firepass
		risk
		open source
		authentication
		smart card
		kerberos
		Business Challenges
		evidence
		SSL
		SSL offload
		NIST
		2048-bit
		certificate
		rss
		blog analytics
		web traffic
		e-cards
		hardware
		support
		diagnostics
		iHealth
		apple
		iPhone
		iPad
		iOS
		itunes
		smartphone
		v10.2.1
		citrix
		vdi
		parody
		satire
		entertainment
		andriod
		virus
		google
		mac
		comscore
		ID theft
		social security
		ssn
		synthetic ID theft
		credit report
		data privacy
		cyber threat
		reports
		50 ways
		2011
		trade show
		silva
		emc
		emc world
		ixia
		viprion
		ssl tps
		vCMP
		outtakes
		acting
		theatre
		tokens
		vpn
		remote access
		intrusion 2.0
		toys
		v11
		ajax
		SANS
		devcentral
		whitehat
		sentinel
		waf
		scanner
		grossman
		iApps
		wan op
		file virtualization
		hawaii
		emea
		ipexpo
		london
		UK
		human behavior
		risk managment
		tech center
		secure vault
		fips
		appliance mode
		copyright
		pearl harbor
		Dec 7
		punchbowl
		honolulu
		staffing
		jobs
		irules
		AppSec
		TradSec
		icsa
		v11.1
		community