In this “syndicated” post from ElectricFork, Ben Miller discusses the origins of Confidentiality, Integrity, and Availability (CIA) and ponders its effectiveness in today’s environment.
As part of our effort to let the Metro DC area know about the awesome infosec bloggers we have, our “syndicated” posts emphasize other local bloggers that discuss news, events, and resources relevant to infosec professionals in NoVA, DC, and MD. In each post we introduce the topic, syndicate the introduction and part of the content, and then link off to the source blog post for the rest of the content and conclusions.
(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. @grecs)
Well, on to today’s post…
“Let’s start with a list:
- “Our new company policy must protect Confidentiality, Integrity, and Availability”
- “The goal of information security is the protection of the CIA Triad”
- “Before we design this architecture, we need to assess the Risk of Availability, Integrity and Confidentiality”
Where did the concepts of the CIA trinity come from? So far I’ve pinpointed Confidentiality being addressed by LaPadula and Bell in 1976 in their mandatory access control model for Honeywell Multics. This, as you may have guessed, was to address the problem of disclosure of classified data on information systems.
Next, I found Clark and Wilson’s work in 1987 on Integrity, recognizing the commercial sector’s primary focus was on the Integrity of the data on their information systems (think: accounting data).
Both of these were derived as “multilevel security” (think: orange book, 1983) as an operating system design principle. And the third leg that creates the triumvirate? Availability. I simply couldn’t find anything I could use as an authoritative source. If I were to guess, the Morris Worm may have had influence on Availability reaching the status it has. (Am I wrong?)
So when did we accept the wisdom that CIA is the core to information security? When did CIA become potential risk? When did we make the conscious decision to apply system design principles to complex systems of systems, policy, and more?”
See the rest of this post and its exciting conclusion over at the ElectricFork blog. If you are based in NoVA, DC, and MD and would like to have posts from your blog considered, please Contact Us or mention @grecs with the request on Twitter.