I’d like to begin this post by discussing information security threats in the context of what has come to be known as CIA -- confidentiality, integrity, and availability. The acronym CIA and the concepts for which it stands are commonly referred to as the security triad. One useful way of thinking about information security threats is that they are circumstances which have the potential to interfere with the confidentiality, integrity, or availability of an information system. Confidentiality, then, is simply the ability of the system to ensure that information assets are viewable or accessible only by authorized parties. Integrity, by contrast, is the ability of a system to ensure that information assets are modifiable or changeable only by authorized parties. Finally, availability refers to the ability of a system to ensure that information assets are usable by and accessible to all authorized parties. Confidentiality, integrity, and availability can also be seen as goals or objectives of information security, since together they represent three very desirable properties of an information system.

While the CIA security triad has been around for many decades, more recently other desirable system properties have also been identified; namely, authentication, non-repudiation, and auditability. With respect to the first two of these properties -- that is, authentication and non-repudiation -- we are referring here to information systems that support communication or messaging with other systems or other users. In this regard, authentication refers to the ability of a system to confirm the identity of the sender. For example, imagine that you receive a message from your boss which instructs you to immediately discontinue working on a critical organizational project, and instead direct your attention to another task. As the receiver of such a message, you would like to be able to confirm the identity of the sender; that is, you would like to be certain that it truly was your boss who sent the message to you. On the other side of technology-supported messaging is the concept of non-repudiation, which is a property of an information system in which a sender cannot convincingly deny having sent a message. Returning to our previous example, if you received a message from your boss instructing you to immediately discontinue working on a critical project, and if we assume that your boss genuinely did send that message, a desirable property of the system from your perspective would be to ensure that your boss could not deny having sent the message. Finally, we have auditability as a desirable system property. Auditability is simply the ability of a system to trace all actions related to a given information asset. If something goes awry in the future, auditability allows us to trace backward through time and determine who performed which actions at which times in order to ensure that responsible parties are held to account.

Together, these six concepts -- confidentiality, integrity, availability, authentication, non-repudiation, and auditability -- represent the pillars of information security.
