The CIA Triad, that is, the Basis of Security

Confidential flickr photo by Casey Marshall shared under a Creative Commons (BY) license

Software security can be such a broad concept; there are so many places where we can let our mind wander and so many things to learn that it can sometimes become a bit daunting. Before trying to delve into more complicated things, we need to understand the basic ways in which software can be secure. This is where the CIA triad comes in, and no, this does not refer to the Central Intelligence Agency, but to the Confidentiality, Integrity and Availability of data, so let's cover these concepts in a bit more detail.

Confidentiality

At first glance, confidentiality seems to revolve around keeping information private, though this isn’t all there is to it; rather, it’s about keeping the “right” information private. Information needs to be handled on a need-to-know basis. Imagine a school website where students can check their own grades: you don’t really want a student being able to look at grades that aren’t theirs.

We have to remember that information has value, so it should be in your best interest to keep said information safe. This can be done with the use of encryption, so that only people who know the key can access the information. Encryption is so widespread nowadays that there really isn’t an excuse for not using it to protect data.

Integrity

This concept refers to making sure that data isn’t being tampered with. Simple enough, right? We can actually divide this into data being sent and data being stored. In the first case, we need to verify that the information being sent is valid and that it wasn’t modified along the way; as for data being stored, we have to make sure that it isn’t changed by unauthorized parties, usually through access control.

A common way of keeping integrity would be through the use of hashes. A hash of the data is calculated and sent along with the original message; the receiver then recomputes the hash over the data received and compares it to the hash that was sent.
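
The hash comparison described above, as an added example that is not part of the original post. It goes one step beyond the text: a plain hash sent with the message only catches changes by someone who cannot also replace the hash, so the example sets it beside a keyed hash (HMAC). The key, record format and function names are constructed for illustration.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Plain SHA-256 hash that is sent along with the message."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, received: str) -> bool:
    """Receiver side: recompute the hash and compare it with the one received."""
    return hmac.compare_digest(digest(data), received)


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a keyed hash that only holders of the key can compute."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, received: str) -> bool:
    return hmac.compare_digest(tag(key, data), received)


def demo() -> dict:
    # Constructed sample values (hypothetical key and record format).
    key = b"constructed-demo-key"
    original = b"student=1042;course=MATH101;grade=71"
    altered = b"student=1042;course=MATH101;grade=99"
    sent_hash, sent_tag = digest(original), tag(key, original)
    return {
        "hash accepts the untouched message": verify_digest(original, sent_hash),
        "hash rejects a changed message": not verify_digest(altered, sent_hash),
        # Limitation: the hash needs no secret, so whoever can replace the
        # message in transit can replace the hash with a matching one too.
        "hash accepts message and hash replaced together":
            verify_digest(altered, digest(altered)),
        "HMAC accepts the untouched message": verify_tag(key, original, sent_tag),
        "HMAC rejects a changed message": not verify_tag(key, altered, sent_tag),
        # Without the key, a matching tag cannot be computed for the change.
        "HMAC rejects a tag made with the wrong key":
            not verify_tag(key, altered, tag(b"wrong-key", altered)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{result!s:5}  {check}")
```

Every check prints True; the third line is the one to notice, since it is the case where the unkeyed hash gives no protection.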

Just as in confidentiality every piece of information has its own value, in integrity information only has its value if it’s correct.

Availability

This can be the most straightforward of the three concepts. As the name would imply, it’s simply making sure that the information is available to the user when it is needed, which can be at any moment; here, information has its value only at the correct time. DDoS attacks can be a concern in this area, since they deny the user access to the information, but they aren’t our only worry; we also have to deal with external events such as a power outage or natural disasters, maybe even a squirrel chewing on the cables.

The issue here can be reduced through backups and redundancy of the data, maybe even having an offsite location so that service can be restored as soon as possible.

Finishing thoughts

The CIA triad is a model that can be very simple, but there is more depth to every area than it seems, such that other models like the Parkerian hexad expand upon each of the three concepts of the CIA, adding three more concepts.

In my opinion, while other models do exist and have to be updated, the CIA model can help to remind us at a very basic level what we should be thinking about when it comes to security in our software, but it should only be a guideline and not a limiting factor; the more secure we can make our software, the better.

Just as a warning, we do need to be aware of trade-offs. Sometimes it’s going to be impossible to fully implement each of these three concepts, so we always need to keep in mind what is most important for our software. We should also think about ease of use: is too much security making our software unusable for some people? How much should we sacrifice to make things more accessible? These are not trivial questions and one needs to think about them at least on a personal basis, but that is a post for another time.
