Security Models: CIA and CIAAN

[Image: Information Security Wordle: PCI Data Security... by purpleslog via Flickr]

A simple and long-standing security model is the CIA triad, standing for Confidentiality, Integrity and Availability: three properties that any secure system must provide. As the discipline matured, it became clear that Authenticity and Non-Repudiation are also essential properties of a secure system. The extended model, CIAAN, applies across the whole of security analysis, from access to a user's Internet history to the protection of encrypted data crossing the Internet. A breach of any of these five pillars has serious consequences for the parties concerned.

What follows is an analysis of each pillar of the CIAAN model:

1. Confidentiality

Confidentiality is the assurance of data privacy: only the intended and authorized recipients, whether people, processes or devices, may read the data. Disclosure to an unauthorized party, for example through network sniffing, is a confidentiality violation.

Cryptography, and encryption in particular, is the primary means of storing and transmitting confidential data; access control limits who may read it in the first place.
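As an added example (not code from the original post), the following Go program encrypts a constructed sample payload with AES-256-GCM from the standard library. It shows what a passive sniffer sees on the wire, that only the holder of the key recovers the plaintext, and that a wrong key yields an error rather than garbage. The key, nonce and sample message are all generated or constructed inline; the `Envelope` type and the `Seal`/`Open` names are assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what a passive sniffer on the wire sees: a random nonce and
// the ciphertext (which, for GCM, ends with a 16-byte authentication tag).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key with AES-256-GCM. aad is
// authenticated but not encrypted (for example a routing header).
func Seal(key, plaintext, aad []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	// A nonce must never repeat under the same key; random 96-bit nonces
	// are fine for a modest number of messages per key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts an Envelope. It fails for the wrong key, a modified
// ciphertext or a modified aad, because GCM verifies its tag first.
func Open(key []byte, env Envelope, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	// Constructed sample: a secret the sender wants only the recipient to read.
	plaintext := []byte("card-number: 4111 1111 1111 1111")
	aad := []byte("msg-id=42")

	key, _ := NewKey()
	env, err := Seal(key, plaintext, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: nonce=%x ct=%x\n", env.Nonce, env.Ciphertext)

	// The intended recipient holds the key and recovers the plaintext.
	pt, err := Open(key, env, aad)
	fmt.Printf("recipient: %q err=%v\n", pt, err)

	// A sniffer who tries a different key gets an error, not a near miss.
	wrong, _ := NewKey()
	_, err = Open(wrong, env, aad)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

GCM is an authenticated mode, so the same tag that rejects a wrong key also rejects a ciphertext that was altered in transit; in practice confidentiality is almost always deployed together with integrity in this way. The key itself still has to reach the recipient over some other trusted channel, which this example does not cover.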

2. Integrity

Integrity is the assurance that data has not been altered. Data integrity is the assurance that information has not been modified in transit, from origin to reception, or while stored. Source integrity is the assurance that the sender of that information is who it is supposed to be. Data integrity is compromised when information is corrupted or altered, wilfully or accidentally, before its intended recipient reads it. Source integrity is compromised when an agent spoofs its identity and supplies false information to a recipient.

Cryptographic hashes, message authentication codes (MACs) and digital signatures are the mechanisms used to provide data integrity. A plain hash only detects accidental corruption: an attacker who can alter the data can recompute the hash as well, so a keyed MAC or a signature is needed against deliberate tampering.
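The following Go program is an added example, not code from the original post. It puts a plain SHA-256 digest beside an HMAC-SHA256 tag and runs a constructed man-in-the-middle against both: the attacker rewrites a payment instruction and, for the hash, simply recomputes the digest, which the receiver accepts; for the HMAC, lacking the shared key, the attacker cannot produce a valid tag and the alteration is detected. The `Message` type, the function names and the shared key are assumptions made for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Message is a payload plus the integrity check value the sender attached.
type Message struct {
	Body []byte
	Tag  string // hex-encoded SHA-256 digest or HMAC-SHA256 tag
}

// Digest computes a plain SHA-256 over the body. It detects accidental
// corruption (bit flips, truncation) but not deliberate alteration,
// because anyone can recompute it.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// Mac computes HMAC-SHA256 under a key shared by sender and receiver.
// Without the key an attacker cannot produce a valid tag for new data,
// so a valid tag also tells the receiver who sent it (source integrity).
func Mac(key, body []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyDigest checks a plain-hash message.
func VerifyDigest(msg Message) bool {
	return hmac.Equal([]byte(Digest(msg.Body)), []byte(msg.Tag))
}

// VerifyMac checks an HMAC message in constant time.
func VerifyMac(key []byte, msg Message) bool {
	return hmac.Equal([]byte(Mac(key, msg.Body)), []byte(msg.Tag))
}

// TamperHash models an attacker on the path who rewrites the body and
// recomputes the (unkeyed) digest so that the check still passes.
func TamperHash(newBody []byte) Message {
	return Message{Body: newBody, Tag: Digest(newBody)}
}

// TamperMac models the same attacker against a MAC-protected message: with
// no key, the best they can do is keep the old tag and hope.
func TamperMac(msg Message, newBody []byte) Message {
	return Message{Body: newBody, Tag: msg.Tag}
}

func main() {
	// Constructed sample: a key agreed out of band, a real instruction and
	// the attacker's substitute.
	key := []byte("shared-secret-from-key-exchange")
	original := []byte("transfer 100 EUR to account 1234")
	forged := []byte("transfer 100 EUR to account 6666")

	h := Message{Body: original, Tag: Digest(original)}
	fmt.Println("hash, untampered:", VerifyDigest(h))              // true
	fmt.Println("hash, tampered:  ", VerifyDigest(TamperHash(forged))) // true: undetected

	m := Message{Body: original, Tag: Mac(key, original)}
	fmt.Println("hmac, untampered:", VerifyMac(key, m))                  // true
	fmt.Println("hmac, tampered:  ", VerifyMac(key, TamperMac(m, forged))) // false: detected

	// Accidental corruption (a single flipped bit) is caught by both.
	corrupt := append([]byte{}, original...)
	corrupt[0] ^= 0x01
	fmt.Println("hash, bit flip:  ", VerifyDigest(Message{Body: corrupt, Tag: h.Tag})) // false
}
```

`hmac.Equal` is used for both comparisons so that the check does not leak, through timing, how many leading bytes of a guessed tag were right. Note that an HMAC binds the message to the shared key, not to a single person: either party could have produced the tag, which is why it gives integrity but not non-repudiation.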

3. Availability

Availability is the assurance of timely and reliable access to data and services for authorized users: information and resources are there when required, and responsive enough for the wider system to do its job. Confidentiality and integrity can be fully protected while an attacker still makes resources less available than required, or unavailable altogether; this is a denial of service (DoS).

High-availability protocols, redundant network architectures and hardware without single points of failure provide reliability and robustness against component failure; holding up against a deliberate flood additionally needs controls such as rate limiting and resource quotas, so that one abusive client cannot consume the capacity meant for everyone else.
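As an added example (not code from the original post), the Go program below implements a per-client token-bucket rate limiter, one of the basic controls for keeping a service available under a flood. A constructed request stream interleaves an attacker firing 1000 requests with a legitimate user making 5 in the same instant; the attacker is cut off at the burst size while the legitimate user is fully served. The clock is injected so the run is deterministic; the `Limiter`, `Clock` and `Simulate` names and the rate and burst figures are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Clock is an injectable time source so that the refill maths can be
// exercised without sleeping.
type Clock struct{ t time.Time }

func (c *Clock) Now() time.Time { return c.t }

// AdvanceSeconds moves the clock forward by s seconds.
func (c *Clock) AdvanceSeconds(s float64) {
	c.t = c.t.Add(time.Duration(s * float64(time.Second)))
}

// bucket holds per-client state: available tokens and the last refill time.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter allows each client `rate` requests per second with bursts up to
// `burst`. Requests beyond that are refused, so one flooding client cannot
// consume the capacity that other clients need. Not safe for concurrent
// use as written; wrap Allow in a mutex inside a real server.
type Limiter struct {
	rate, burst float64
	now         func() time.Time
	clients     map[string]*bucket
}

func NewLimiter(rate, burst float64, now func() time.Time) *Limiter {
	return &Limiter{rate: rate, burst: burst, now: now, clients: map[string]*bucket{}}
}

// Allow reports whether client may be served now, consuming one token if so.
func (l *Limiter) Allow(client string) bool {
	t := l.now()
	b, ok := l.clients[client]
	if !ok {
		b = &bucket{tokens: l.burst, last: t}
		l.clients[client] = b
	}
	// Refill proportionally to elapsed time, capped at the burst size.
	b.tokens += t.Sub(b.last).Seconds() * l.rate
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Simulate replays a request stream (one client name per request) against
// the limiter and returns how many requests each client had served.
func Simulate(l *Limiter, stream []string) map[string]int {
	served := map[string]int{}
	for _, c := range stream {
		if l.Allow(c) {
			served[c]++
		}
	}
	return served
}

func main() {
	clk := &Clock{}
	l := NewLimiter(10, 20, clk.Now) // 10 requests/s, burst of 20

	// Constructed stream: 1000 attacker requests with 5 legitimate requests
	// from "alice" interleaved, all arriving within the same instant.
	var stream []string
	for i := 0; i < 1000; i++ {
		stream = append(stream, "attacker")
		if i%200 == 0 {
			stream = append(stream, "alice")
		}
	}
	fmt.Println(Simulate(l, stream)) // map[alice:5 attacker:20]

	// One second later the attacker has earned 10 tokens; alice is unaffected.
	clk.AdvanceSeconds(1)
	fmt.Println(Simulate(l, []string{"attacker", "attacker", "alice"})) // map[alice:1 attacker:2]
}
```

Keying the buckets by client identity (here a name; in a server usually the source address or an authenticated principal) is what turns a global throttle into an isolation control: the limiter preserves availability for everyone else instead of slowing the whole service down in proportion to the attack.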

4. Authenticity (strengthens integrity)

Authenticity is the assurance that data, transactions, communications or documents (electronic or physical) are genuine. It also requires confirming that both parties involved are who they claim to be.

This is usually done through a trusted third party, such as a certificate authority, that vouches for the binding between a party and its signing key; digital signatures made with those keys are then widely used to confirm that the parties involved are genuine.

5. Non-Repudiation (strengthens integrity)

Non-repudiation is achieved through cryptographic methods that prevent a person or entity from denying having performed a particular action on data: proof of obligation, intent or commitment, or proof of ownership. A digital signature provides it because only the holder of the private key could have produced the signature; a shared-key MAC does not, since the verifier holds the same key and could have produced the tag itself.

Signing a document is a case of non-repudiation: the signature shows that the signer is responsible for approving the document that was signed.
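The Go program below is an added example serving both the Authenticity and Non-Repudiation sections; it is not code from the original post. A constructed certificate authority signs a minimal certificate that binds a subject name to an Ed25519 public key (a simplified stand-in for an X.509 certificate); the subject signs a document; the verifier first checks the certificate against the CA and then the document signature against the certified key. An impostor who signs with their own key and presents a self-made certificate for the same name is rejected at the CA check, and an altered document is rejected at the signature check. The `Certificate` layout, the function names, the subject names and the document text are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is a minimal stand-in for an X.509 certificate: a CA asserts
// that Subject owns PublicKey by signing the two together.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

// NewKeyPair generates an Ed25519 key pair from the OS CSPRNG.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// certBytes is the exact byte string the CA signs: name and key together,
// so neither can be swapped without invalidating the CA signature.
func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert:"+subject+":"), pub...)
}

// IssueCert is performed by the trusted third party after it has verified,
// out of band, that subject really controls pub.
func IssueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{
		Subject:   subject,
		PublicKey: pub,
		CASig:     ed25519.Sign(caPriv, certBytes(subject, pub)),
	}
}

// SignDoc produces a detached signature over doc with the signer's key.
func SignDoc(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyDoc checks authenticity (the certificate names claimedSubject and
// is endorsed by the CA) and then that sig was produced by the certified
// key over exactly this doc (integrity). A nil result means the signer
// cannot plausibly deny having signed doc: only their private key could
// have produced sig, and the verifier never holds that key.
func VerifyDoc(caPub ed25519.PublicKey, cert Certificate, claimedSubject string, doc, sig []byte) error {
	if cert.Subject != claimedSubject {
		return errors.New("certificate is for a different subject")
	}
	if !ed25519.Verify(caPub, certBytes(cert.Subject, cert.PublicKey), cert.CASig) {
		return errors.New("certificate not signed by trusted CA")
	}
	if !ed25519.Verify(cert.PublicKey, doc, sig) {
		return errors.New("document signature invalid")
	}
	return nil
}

func main() {
	// Constructed parties: a CA, a genuine signer (alice) and an impostor.
	caPub, caPriv := NewKeyPair()
	alicePub, alicePriv := NewKeyPair()
	malPub, malPriv := NewKeyPair()

	aliceCert := IssueCert(caPriv, "alice@example.com", alicePub)
	doc := []byte("I approve purchase order 7781 for 12,000 EUR")
	sig := SignDoc(alicePriv, doc)

	// Genuine document from the genuine signer: verifies.
	fmt.Println("alice:   ", VerifyDoc(caPub, aliceCert, "alice@example.com", doc, sig))

	// Same signature, altered amount: integrity check fails.
	altered := []byte("I approve purchase order 7781 for 120,000 EUR")
	fmt.Println("altered: ", VerifyDoc(caPub, aliceCert, "alice@example.com", altered, sig))

	// The impostor signs with their own key and presents a self-issued
	// certificate claiming to be alice: the CA check fails.
	fakeCert := IssueCert(malPriv, "alice@example.com", malPub)
	fmt.Println("impostor:", VerifyDoc(caPub, fakeCert, "alice@example.com", doc, SignDoc(malPriv, doc)))
}
```

The trust in this scheme rests on two things the code cannot supply: the CA must have actually checked that alice controls her key before issuing the certificate, and alice's private key must stay private. Real deployments add expiry, revocation and certificate chains on top of the same idea.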

Experience has taught us that it is not always enough to make sure data is confidential, has integrity and is available when required. It is also important to ensure that modification happens only with strict consent and that such actions are always authenticated and logged. Together these are the pillars that assure data is genuine.
