You learn “A”, “B”, and “C” as the first three letters of the alphabet when you learn English. For CISSP, the equivalent letters are “C”, “I” and “A”, also known as the CIA Triad: confidentiality, integrity and availability.
I want to form a fictional story to understand the CIA triad. The intent is to portray the concept creatively, so please disregard the logic.
Mr X, a successful and wealthy businessman, lives in a secluded mansion on the island. He wants to securely transfer $1M for the business deal to Dave, his potential client. There is no possibility of an electronic transaction, and the only way to transfer money is via a private yacht. However, Mr X is afraid of the pirates in the sea who may steal the money. What’s going to happen?
The island is guarded around the clock by commandos. A team monitors 24×7 footage from all the CCTV cameras. The money sits inside a secure vault. Only authorised personnel can access the vault, and only after biometric checks such as fingerprint and retina scans.
You can think of the money as a passive object and whoever accesses the money as an active subject. The relationship between subject and object is governed by access control, which is what all of the security measures above implement. Hence, confidentiality ensures that only authorised personnel (subjects) can access the money (object).
Two months back, one of the pirates made a custom mask of an authorised person and successfully breached the island’s perimeter. Although he came close to breaking into the vault, the biometric system failed to recognise his fingerprint, and the commandos arrested the pirate.
Let’s put the encryption in the story and continue.
Mr X dispatched a team of six commandos in his private yacht. The $1M is safe inside a secure briefcase locked with a secret key (encryption). Only Dave (the client) has the decryption key to open the briefcase. Sounds secure?
In the middle of the ocean, one of the six commandos double-crosses the team. He is in league with the pirates and lets them aboard the yacht through a backdoor.
The traitor commando also happens to know the decryption key. The pirates replace the $1M with fake money and run away. The yacht reaches the harbour to deliver the money. None of the commandos is aware of the tampered money except the traitor.
Dave’s team uses the decryption key to open the briefcase. Upon checking, they find out the money is fake! That’s what we call compromised integrity.
An integrity issue occurs when data or objects lose their original state; in our story, the real money was replaced with fake notes. It can occur while data is stored (at rest), in use, or in transit. Another way to look at it is that the traitor commando has also lost his integrity.
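The story shows why confidentiality (the locked briefcase) does not give you integrity for free: someone who holds the decryption key can swap the contents, and the receiver decrypts happily and never notices. The added example below is not part of the original post; it models the briefcase as a ciphertext under a toy SHA-256 counter-mode keystream (an illustration, not a real cipher) and then adds the control the story lacks, an HMAC tag under a separate integrity key that the traitor does not hold (encrypt-then-MAC). The key values, messages and function names are all constructed for this illustration.

```python
import hashlib
import hmac

# Constructed toy scenario: the "money" is a byte string, the briefcase is a ciphertext.
REAL_MONEY = b"REAL $1M"
FAKE_MONEY = b"FAKE $1M"

# Assumed keys: the encryption key is the one the traitor also knows;
# the integrity (MAC) key is shared only by Mr X and Dave.
ENC_KEY = b"briefcase-key-known-to-traitor"
MAC_KEY = b"integrity-key-held-by-mr-x-and-dave"


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. Illustration only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> tuple:
    """Encrypt, then authenticate the ciphertext with an HMAC tag (encrypt-then-MAC)."""
    ct = encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; refuse a mismatch."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: briefcase contents were altered")
    return decrypt(enc_key, ct)


def traitor_swap(ct: bytes) -> bytes:
    """The traitor knows ENC_KEY, so he can decrypt, replace the money and re-encrypt."""
    if decrypt(ENC_KEY, ct) != REAL_MONEY:
        raise RuntimeError("traitor expected the real money in the briefcase")
    return encrypt(ENC_KEY, FAKE_MONEY)


def encryption_only() -> bytes:
    """Confidentiality only: Dave decrypts the swapped briefcase and sees no error."""
    ct = encrypt(ENC_KEY, REAL_MONEY)
    ct = traitor_swap(ct)            # happens in transit, on the yacht
    return decrypt(ENC_KEY, ct)      # returns FAKE_MONEY with no warning at all


def encryption_with_mac() -> str:
    """Confidentiality plus integrity: the swap is caught because the traitor lacks MAC_KEY."""
    ct, tag = seal(ENC_KEY, MAC_KEY, REAL_MONEY)
    ct = traitor_swap(ct)            # the tag still covers the original ciphertext
    try:
        open_sealed(ENC_KEY, MAC_KEY, ct, tag)
    except ValueError:
        return "tampering detected"
    return "tampering missed"


if __name__ == "__main__":
    print("encryption only  :", encryption_only())
    print("encryption + MAC :", encryption_with_mac())
```

Two points worth noticing. First, the tag is computed over the ciphertext and checked before any decryption, so a tampered briefcase is rejected without its contents ever being processed. Second, the integrity key must be separate from the decryption key and withheld from anyone who merely needs to transport the briefcase; if Dave also needed proof that the briefcase came from Mr X and nobody else, a digital signature by Mr X's private key would play the same role as the HMAC here.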
Was Dave furious?
Indeed. He was.
Mr X apologised to Dave. After reviewing footage from a hidden CCTV camera in the yacht, the commandos arrested the traitor. However, the situation still wasn’t in Mr X’s favour.
“I am afraid we can’t have this deal anymore, Mr X. I am on a tight deadline,” said Dave.
Mr X was persistent.
“Please give my commandos 10 minutes,” said Mr X.
----- After 10 minutes -----
The commandos bring the real $1M for Dave in a shiny new briefcase. Dave’s team revalidates the money, and it looks good.
Dave was surprised. He called Mr X.
“Thanks for bringing this deal back to life. How did you do it?” asked Dave.
Mr X laughed and said, “We always have a backup. That’s all you need to know. Thank you for the business.”
How did the commandos manage to get $1M in 10 minutes?
Mr X believes in a backup plan. He keeps $1M in secret vaults at several points along the shore (damn, he is filthy rich). That’s how availability works.
Availability is about your data (money) being available to authorised personnel (the real commandos; don’t count the traitor) when they need it. No wonder a redundant system is a crucial part of the design.
We hear Mr X’s static voice on the walkie-talkie, “Commandos. Did you find the pirate?”
“Sir… We are on it,” replied the commandos.
Mr X pours his scotch and gazes at the sunset from the balcony.