Talk:CIA triad

Origin of the CIA Triad
Does anyone know the origins of the C-I-A model? Who originally identified these three characteristics of information as being of key importance from the perspective of securing information? Mike 05:39, 9 November 2006 (UTC)
 * Good point. I'd like a reference to the Triad. My guess is a DoD reference that got refined and boiled down. Probably started in the Orange Book Luis F. Gonzalez 16:11, 9 November 2006 (UTC)

Obviously not the origin, but certainly a reasonably early and succinct definition was given in ITSEC Jun 1991 by the European Commission: "IT security means, - confidentiality - prevention of the unauthorised disclosure of information; - integrity - prevention of unauthorised modification of information; - availability - prevention of unauthorised witholding of information or resources."

If you take this security operational perspective then nothing more is needed. Of course it's possible that a rootkit may nestle harmlessly in your system, and if so it doesn't matter, my view is that it's a threat I want to keep out because of what it might do (hence a risk), I could also argue that as an unauthorised addition it breaches my integrity. Spam (and other misrepresenting email) reduces the availability of information because it is at best clutter that occuppies users' time (a resource). Successful repudiation affects the integrity of my information (what I know to be accurate is now deemed inaccurate), therefore I must have controls in place to prevent it.

In my view hexads and other accretions on CIA are at best confused and woolly thinking, but more likely guys trying to sell books or courses by complicating simple issues. Nfe 05:55, 1 March 2007 (UTC)

Mention from 1987
Someone has posted some PDFs of a lot of the early MITRE/DoD research (Bell-Lapadula, Clark, etc) here. The earliest mention I can find to the concepts of confidentiality, integrity, and availability grouped together is in Clark87.None of the Bell-La Padula documents I read (published 1973, 1975 and 1976) seem to be aware of the C-I-A Triad (they were mostly interested in confidentiality and access control). Landwehr's Formal Models of Computer Security (1981) doesn't seem to group C-I-A together, either. Clark-Wilson was a survey document, but it's conceivable that this was the first time C-I-A were grouped together, in that order and given the kind of prominence the triad is often given today. I have no evidence that this is the first "modern use" of the triad, but at least it confirms that the concept goes back to 1987.

If someone has access to the ACM or IEEE online libraries, it might not be hard to find earlier references. I let my ACM and IEEE memberships expire, but maybe one of these days I'll search the abstracts.

It's an interesting contrast between the way Clark-Wilson mention C-I-A (as the most often cited goals) versus the way the C-I-A Triad is often mentioned today --- as the fundamental goals of information security (for example, see the definition of "computer security" in the American National Information Assurance (IA) Glossary). -- Mike -- 08:17, 11 November 2006 (UTC)

Clark-Wilson
After reading more of Clark-Wilson 1987, I'm leaning more to the belief that the C-I-A Triad originated with this document. The paper is partially a critique of the DoD/Orange Book thinking: that security==confidentiality. C-W note that DoD have well-developed models, methods and policies for protecting secrets, but in the commercial world, data integrity is a huge security concern and Orange Book thinking is inadequate for dealing with this class of security problems.

Anyway, I've only read half the paper at this point. But it looks like part of intent of this paper is to promote a "new" way of thinking about information security. -- Mike -- 08:47, 11 November 2006 (UTC)

Purpose of the Model
Although I often see C-I-A described as security "principles", "goals", and "objectives", I think it is overstating what the triad is. I really think that it's simply a model that is helpful in information security analysis. It identifies 3 salient characteristics of information and allows you to abstract away everything else. Then you can use the abstracted characteristics in your analysis. I'm leaning towards the viewpoint that designating C-I-A as anything other than a model is what leads to people adding "non-repudiation" or "value" to the triad. I think it's reasonable for someone to use this model for identifying security principles or goals, but it's over-stating it to say that the C-I-A Triad are the actual goals/principles. Thoughts? Mike 07:11, 9 November 2006 (UTC)


 * I've seen the three used in the terms of IA Services. CISSP materials always refer to the triad, with augmentations. For example, the service of Confidentiality can be implemented in FIPS 197. I'd like for C-I-A to stay static with each leg as a model, but it's too entrenched, especially in DoD as each leg being a service. I'd prefer model. Luis F. Gonzalez 16:08, 9 November 2006 (UTC)


 * I don't think I understand the term "service" when describing confidentiality. Is this jargon specific to a particular field within information security?


 * The opening paragraph doesn't precisely state what the triad actually is ("tenets, aims, goals, concepts, etc").  A quick survey of online material shows that this isn't a problem unique to this article.  Descriptions of the triad seem to emphasize that it's important, widely-accepted and fundamental.  But short of explaining what the letters stand for, I don't see much consistency in explaining this concept.  While I may think it's harmless to describe confidentiality as a goal of information security (and I do), I think it's incorrect to define it as a goal/tenet/aim etc of information security. (Maybe I only want to assess/measure the confidentiality of a system, rather than achieve it -- that's a legitimate infosec activity, isn't it?).


 * If there is inconsistency in how people explain the triad, and I think there is (is it a principle? is it an aim? is it merely a concept?), I do not think that it is because the concept is controversial or suffering from lack of agreement. I think the inconsistency comes from either describing the triad in an open-ended manner (this article being an example) or by describing it from the perspective of a particular application of the triad (for example, in a policy document).


 * So my take on this is the following: The C-I-A Triad is a model.  Specifically, it appears to be what the Standford Encyclopedia of Philosophy calls an Aristotelian idealized model  (I just looked that up!).  It's a sufficiently precise description of the triad that doesn't preclude C-I-A also being used as the goals, aims or tenets of various information security activities.  In short, it's a model that is applied in a variety of ways when doing infosec work.
 * I would describe the model this way:


 * CIA triad is a widely-accepted information security model which identifies confidentiality, integrity and availability as the fundamental security characteristics of information.


 * Would a definition like that ruin this article? Thoughts? Mike 22:11, 10 November 2006 (UTC)


 * I think the definition of the C-I-A Triad as a model would improve the article, and I would add something like the following:


 * ''CIA (or C-I-A) triad is a widely-accepted information assurance (IA) model which identifies confidentiality, integrity and availability as the fundamental security characteristics of information. The three characteristics of the idealized model are also referred to as IA services, goals, aims and tenets.


 * I would also add a section that the entire point of the model is to protect and provide data (in-transit or at-rest) and services somewhere in the article. I'm kind of burnt from work but I think widely-accepted may be weasel-wording (or else I'd look it up). Anyways, I need a beer. Luis F. Gonzalez 22:48, 10 November 2006 (UTC)


 * I'm also not sure "widely-accepted" is the most meaningful phrase either. Perhaps "widely-used".  There certainly are enough examples to cite (BS7799, NIST, Government of Canada Security Policy, NZ and Australia security policies, etc) to support that.  I'm not sure what the difference is between information security and information assurance.  Are there pros-cons to either wording?


 * Information Assurance (IA) is closely related to information security (INFOSEC). The terms are sometimes used interchangeably but from my experience IA has a broader connotation also explicitly includes reliability/availability. It also emphasized strategic risk management at a corporate level over specific  products and tactics. In addition to defending against malicious hackers and viruses, IA includes other corporate governance issues such as privacy, compliance, audits, business continuity planning (BCP), and disaster recovery planning (DRP). Therefore some people, especially IA consulants, consider IA as a superset of information security. Freely copied from the IA article. Luis F. Gonzalez 21:10, 12 November 2006 (UTC)


 * I like how this suggested definition can lead into a blurbs about various uses and applications of the triad (eg. the IA models/methodologies, risk analysis, trust relationships, stuff like that). -- Mike -- 08:26, 11 November 2006 (UTC)

Is this a Model?
This divides IA into three sub-topics. Does that constitute a model?


 * I don't think it is widely accepted or a model. Furthermore, it is not much more than three of the many security topics.  I think it should be considered for removal.    John 01:35, 13 September 2007 (UTC)