An effective information security system has to adhere to the CIA. No, not the famed clandestine organization. It is an acronym used in the information technology sphere. The operations of information security experts largely remain obscure to the public. CIA is an acronym for confidentiality, integrity and availability. These 3 concepts form the pillar that props up all activities carried out by the information security kindred. Further to these basic concepts are the Authentication and Non-repudiation concepts. These are addendum to the initial concepts. They are germane, however, to the successful implementation of a fully satisfactory information security system. I discuss the importance of these 5 concepts in this post.

Confidentiality: This concept focuses on ensuring that only allowed persons can work with or see digital resources. The major task is to prevent theft of data. The usual means of achieving this is to encrypt data in motion and at rest. A business representative attending a meeting who needs the input of his associates would not be happy if anyone and everyone can see the details of such a discussion. Intimate conversations between loved ones really need to be kept arcanum. Justification for confidentiality abounds, thus, its importance.

Integrity: Integrity seeks to ensure that only allowed persons can change digital resources. The concept deals with the trustworthiness of data. Tampering of data is the ominous event to be mitigated here. Encryption, Authentication and Non-repudiation work together to achieve this feat. A Man-In-The-Middle (MITM) attack is a popular method used to compromise the integrity of data in motion. The business associate mentioned hitherto must be able to trust that the feedback is from his associates and not a rogue agent. It would be pretty awkward if loved ones later realize their conversations had other sentences or words added that did not originate from the expected source. The integrity of conversations is paramount to building trust in the viability of laid out systems.

Availability: A system that is well set up to meet the thresholds required of Confidentiality and Integrity but gets disrupted has failed to secure the digital resource in its care. Authorized persons must be able to access data as at when needed. The system must be setup to ensure that data is always available for the right persons. A popular attack against availability is the Distributed Denial Of Service attack (DDOS). If the associate could not communicate safely with those providing inputs, they could make decisions that are ignorant and wrong. We often feel isolated when we cannot communicate with loved ones. It is important to note that while Confidentiality and Integrity are very important, achieving those concepts in our system and rendering the data inaccessible defeats the entire purpose of the system. The post explaining the security triangle delves more into this.

Authentication: This is the first of two concepts not originally part of the Elements of Information Security. Authentication seeks to ensure that digital resources have the quality of being genuine. As previously mentioned, processes found in this conceptual process help guarantee the integrity of data and confidentiality. Hashing can authenticate data at rest, while we can use encryption for data in motion. Also, identification using a username and password or a Multi-factor authentication system helps ensure we limit access to these systems to authorized persons only. The business associate would be more comfortable if they limited access to the communication method to persons who have authorized themselves only. The knowledge that devices being used to communicate with loved ones have performed an authentication while initiating contact would add a sense of security to participants of the conversation. Authenticity is there to keep the uninvited out.

Non-Repudiation: The second and last of the addendum concepts deals with the providence of guarantee or assurance of digital resources. It ensures that there is a record of those who manipulate and access data. The concept also seeks to ensure that activities carried out by this group of people have records and thus prevent denials. The common and effective way to achieve this is first ensuring proper authentication and also keeping a record of every action taken by both authorized and non-authorized persons that try as well as those that successfully access the secured system. We refer to this record as Logs. Logs are critical for knowing what happens and when within a system. This helps in disaster recovery when an incidence occurs. It also helps to catch bugs and errors within a system. The use cases of logs are many and it is imperative to keep them safely. Compromising the logs of a security system would immensely open the system to a breach. In the event they need a reference for evaluation, both the business associate and the loved ones in communication would want to know exactly who was in the conversation, as well as the security setup of said conversation. While Non-repudiation certainly eliminates plausible deniability, it can also provide a verifiable alibi.

These 5 concepts are germane in the setup of an information security system, both for data in motion and data at rest. Can you now identify information security processes around you and where they fall within these concepts?