The AIC triad is an important concept in security. In this video, you’ll learn about confidentiality, integrity, availability, and safety.
<< Previous Video: Cold Site, Hot Site, and Warm SiteNext: Malware Overview >>
The fundamentals of security are often rolled up into a set of principles called the AIC triad. This stands for availability, integrity, and confidentiality. The availability part of the triad is referring to systems being up and running. You want to maintain availability of all of your servers and all of your networks and make them available for everyone. The integrity side means that as traffic is traveling from one side to another, you want to be sure that nobody makes any changes to that information. When it’s received, you want to be sure the integrity of the data is maintained all the way through the system.
And with confidentiality, we want to be sure that the only people who are able to view this information are the ones that have the rights and permissions to do so. With confidentiality, only certain people shouldn’t have access to certain types of information. We can manage this in a number of different ways.
One very common way is through encryption. You can encrypt information, send it to another. And that person can then decrypt the data, but anywhere along the way you have that data private. Nobody’s able to see the information that you were sending.
You can also provide confidentiality through access controls. You set rights and permissions to a file or a resource, and you can apply those permissions to groups of people or individuals so that only those people would be able to view that information. You can even provide confidentiality in unexpected ways, like using something like steganography. This means that you’re concealing information and data within another piece of information.
We commonly see steganography used to hide data or information within pictures and then send those pictures across the network or post them to a web page. For people who are surfing the net, they’re viewing the page and looking at normal images. But if you’re somebody who knows that that information is hidden in the image, you can download it and extract that information directly from inside of those pictures.
In the security world, integrity means that when we send information from one point to another, that information is not changed anywhere in between. And everything that we have received is being received and stored exactly the way it was intended when it was set. That means if any part of this data has changed anywhere in that transmission, that we are aware that this change has occurred.
One way to maintain integrity is to create a hash of what we’ve sent. And on the other end, after this information has been received, the other end can perform exactly the same hashing algorithm and then compare the original hash with the ultimate hash the was received. This way we’re able to be sure that what we received was exactly what was sent.
A more advanced form of integrity might be something like a digital signature. This is a mathematical scheme that allows the sender of the data to digitally sign the information that’s being sent. And on the other end, that signature can then be checked. And the signature is also maintaining the integrity of the data. If the digital signature doesn’t match when it gets to the other side, then something has either changed with the signature or the data. And clearly there’s a problem with the integrity of the data that was received.
The digital signatures usually work in conjunction with certificates. These certificates are used to sign this data originally so that on the other side the certificate is then compared. Generally, certificates are also associated with individuals or resources so you can be sure that the data came from exactly who you expected.
If someone has digitally signed some information and they’ve sent it to you and you were able to verify the digital signature and the integrity of the data, that’s something that we call non-repudiation. That means the person who sent the data would not be able to say that anything had been changed within that. They would not be able to repudiate what was received by you, because you are able to confirm that the information you’ve received is exactly the same information that was sent.
The idea of availability means that your information is always going to be something you can access. If you need to get a report from a server, it should always be there. If there’s a video you need to watch, that video needs to be instantly available.
One way to provide this availability is through redundancy. That means we have multiple systems available to provide access to these services. We might have multiple routers or multiple switches or even multiple servers located in different locations. That way, if anything was to happen, we would be assured that this service would maintain its availability because you’d have a complete duplicate still running somewhere else.
This is very similar to a design that might be fault tolerant. That means there is absolutely a failure of some kind within the system, but it’s going to continue to run. In a fault tolerance system, you could even have the system running not as effectively as it was before. But at least the services would still be available.
We don’t usually think of patching our operating systems or our applications as availability. But indeed this does help, because you’re creating a more stable environment. And in the case of security patches, you’re making sure that the bad guys aren’t able to affect the availability of those systems.
Another important security concern is the safety of the people within your organization and the data that your organization has as an asset. These are things where you would create escape plans and routes. So if there was a problem with the building or a fire, everyone would know the best way to get out of the building or the best way to get out of the entire area.
To do this, you would commonly run drills to make sure that everybody could get out of the building, go to the correct location. And you could do it as quickly as possible. Once those drills are complete, you can analyze how quickly people were able to get to their proper locations and then adjust and make any changes that might be appropriate.
It’s also very common to run digital tests against your systems and your protections to make sure that people don’t have access to your data. You want to keep your data just as safe as you keep your people. And that way, you’ll be able to maintain the uptime and availability of all of your systems.