Posted Mar 1, 09:18 PM by ben
Let’s start with a list:
Where did the concepts of the CIA trinity come from? So far I’ve pinpointed Confidentiality being addressed by LaPadula and Bell in 1976 in their mandatory access control model for Honeywell Multics. This, as you may have guessed, was to address the problem of disclosure to classified data on information systems.
Next, I found Clark and Wilson work in 1987 on Integrity recognizing the commercial sector’s primary focus was on the Integrity of the data on their information systems (think: accounting data).
Both of these were derived as “multilevel security” (think: orange book, 1983) as an operating system design principle. And the third leg that creates the triumvirate? Availability. I simply couldn’t find anything I could use as an authoritative source. If I were to guess, the Morris Worm may have had influence on Availability reaching the status it has. (Am I wrong?)
So when did we accept the wisdom that CIA is the core to information security? When did CIA become potential risk? When did we make the conscious decision to apply system design principles to complex systems of systems, policy, and more?
CIA is good; it is good as an anchor while architecting a system.
I’m hesitant to say CIA is good in wider contexts. Indeed, I cringe when it’s used outside of system design principles. It’s oversimplification which has the Risk of creating blind spots in thought. For instance, CIA does not address mis-use of the system, especially when that mis-use does not have a functional impact. If a system has a loss of positive control (say, it’s part of a botnet) and begins sending spam out at a rate of 10 messages/minute, does it impact CIA? See Tragedy of the Commons.
I’m also not convinced CIA can truly represent secure systems of systems (networks) in any meaningful (indeed, measurable) manner due to the asymmetric conditions. Ignoring high complexity, the pace of change to networks is too rapid to create a secure state that can be enforced. A simple addition of one device could completely unbalance any CIA which was perceived to be in place.
// :: brainstorming/ security-religion
Commenting is closed for this article.
This work by http://electricfork.com is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
I lead an information security ops and response team. This site is a collection of interesting notes and brainstorms on the protecting from, detecting of, and responding to badness. You can read more about me or my site here.
You can subscribe to my blog via rss 
, or if you're looking for older items check out my archive of previous posts.
I organize a small infosec meetup in baltimore called charmsec. If you are looking for charmsec details you probably want to go here.
RSS
Botnet membership implies loss of integrity and/or confidentiality. That the botnet may merely observably be no more of an integrity and/or confidentiality detriment than say, a SETI@Home install doesn’t change things.
CIA is just a map. The map is not the territory.
— Grant Stavely · Mar 1, 11:13 PM · #
sure, it’s a map; just not /the/ map.
— ben · Mar 2, 09:54 AM · #
CIA is the standard, but it is not the only standard. One alternative that comes to mind is the Parkerian Hexad (http://en.wikipedia.org/wiki/Parkerian_Hexad).
Unfortunately none of the competing standards has proven to be of sufficient use to displace the CIA triad. How will these other schemes help us to make decisions or carry out processes that are faster, better, cheaper, more accurate, easier to understand? Right now the pernicious challenges are how to define system boundaries, how to prioritize security activities and how to implement effective, efficient continuous monitoring. CIA can still be useful in all these activities. Is there an alternative which is demonstrably superior?
As Mr. Stavely said, there are ways to model the botnet problem in the CIA triad.
How does CIA fall short of a definition of Secure Systems/Networks (Is there a point in drawing a distinction between systems and networks?)?
Not quite sure that I understand what you mean by “asymmetric conditions”.
This debate surfaces every couple of years. I find it interesting, but very rarely does it go anywhere new and useful.
— Mark C. Wallace · Mar 16, 12:38 PM · #