Overview
The five elements of information security

Aristotle accepted the doctrine that all Earthly matter was formed of four elements – earth, air, fire, and water – combining in different proportions. He was wrong, but at the time it was a cool idea.

There are three widely accepted elements of information security: confidentiality, integrity, availability – often abbreviated to CIA. Sometimes the number is enlarged to include accountability (CIA²) and, less often, assurance (CIA³). And more often they are called aims, characteristics, goals, objectives, principles, qualities, or requirements…

confidentiality

Confidentiality is the requirement that private or confidential information not be disclosed to unauthorized individuals. Confidentiality protection applies to data in storage, during processing, and while in transit. For many organizations, confidentiality is frequently behind availability and integrity in terms of importance. Yet for some systems and for specific types of data in most systems (e.g., authenticators), confidentiality is extremely important. — NIST SP 800-33

Confidentiality is primarily an information security concern. Historically, confidentiality has been the primary security concern of the US Department of Defense, the fount of a great deal of the “philosophy” of information security. Hence, confidentiality is – or, at least, was – often seen as the most important issue. However, the other elements are at least as important for commercial information security.

integrity

Integrity has two facets: (a) Data integrity (the property that data has not been altered in an unauthorized manner while in storage, during processing, or while in transit); (b) System integrity (the quality that a system has when performing the intended function in an unimpaired manner, free from unauthorized manipulation). Integrity is commonly an organization’s most important security objective after availability. — NIST SP 800-33

6 × 9 = 42: For those who are unaware of the significance of this deliberately wrong (?) equation, it is a reference to the central conundrum of the late Douglas Adams’s The Hitchhicker’s Guide to the Galaxy (a trilogy in five parts). I guess there must be some people out there who don’t know that…

Sometimes there are no necessary changes, so the information is preserved intact. Sometimes necessary changes can be the destruction of the information. Note that information that is neither accurate nor complete in the first place can still have integrity… After all, I might need to ensure that the message 6 × 9 = 42 is delivered intact.

availability

Availability is a requirement intended to assure that systems work promptly and service is not denied to authorized users. This objective protects against: (a) Intentional or accidental attempts to either perform unauthorized deletion of data or otherwise cause a denial of service or data; (b) Attempts to use system or data for unauthorized purposes Availability is frequently an organization’s foremost security objective. — NIST SP 800-33

Availability is also an element of both service management (which might add …within agreed service levels!) and contingency planning.

accountability

Accountability is the requirement that actions of an entity may be traced uniquely to that entity. Accountability is often an organizational policy requirement and directly supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. — NIST SP 800-33

In some cases it is emphatically not appropriate; e.g., to preserve anonymity and personal privacy.

assurance

Assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes. The other four security objectives (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation when: (a) required functionality is present and correctly implemented; (b) there is sufficient protection against unintentional errors (by users or software); and (c) there is sufficient resistance to intentional penetration or by-pass. Assurance is essential; without it the other objectives are not met. However, assurance is a continuum; the amount of assurance needed varies between systems. — NIST SP 800-33

Historical, up to about 1990, confidentiality was the most important element of information security, followed by integrity, and then availability. By 2010, availability will be at the top of this list of priorities. The first goal of information security will be to ensure that systems are predictably dependable in the face of all sorts of malice, and particularly in the face of denial of service attacks.

But – as NIST SP 800-33 points out – none of these elements can be considered in isolation…

Confidentiality is dependent on integrity, in that if the integrity of the system is lost, then there is no longer a reasonable expectation that the confidentiality mechanisms are still valid.

Integrity is dependent on confidentiality, in that if the confidentiality of certain information is lost (e.g., the superuser password), then the integrity mechanisms are likely to be by-passed.

Availability and accountability are dependent on confidentiality and integrity, in that:

• if confidentiality is lost for certain information (e.g., superuser password), the mechanisms implementing these objectives are easily bypassable; and
• if system integrity is lost, then confidence in the validity of the mechanisms implementing these objectives is also lost.

All of these objectives are interdependent with assurance. When designing a system, an architect or engineer establishes an assurance level as a target. This target is achieved by both defining and meeting the functionality requirements in each of the other four objectives and doing so with sufficient “quality”. Assurance highlights the fact that for a system to be secure, it must not only provide the intended functionality, but also ensure that undesired actions do not occur.

Are these elements the be all and end all of information security? Perhaps… but actually achieving information security needs something a little more concrete!