
Confidentiality, integrity and availability of information

12.01.2026

Ruslan Rakhmetov, Security Vision

 

In our digitally connected world, information has long ceased to be simply a collection of symbols: it has transformed into a critical resource, determining the existence of states, the economic stability of corporations, and the privacy of individuals. Just as the physical world is based on the laws of physics, the digital world is founded on fundamental principles of information security, which form the basis for trust in technology. In this article, we will examine the triad of information security: confidentiality, integrity and availability of information (KDC, or CIA).

 

The concept of the triad didn't emerge overnight, but evolved as computing technology moved from closed military labs to the commercial sector and, ultimately, into the pockets of every user. As networks evolved, confidentiality became paramount; with the advent of global databases and e-commerce, integrity became critical; and in the era of cloud computing and real-time services, availability was added to the triad. Today, the KDC/CIA triad is the universal language spoken by security professionals worldwide.

 

CONFIDENTIALITY is perhaps the most intuitive, yet technically complex, element of the triad. In the strict sense, according to GOST R 50922-2006, it is a mandatory requirement for anyone who has access to certain information not to disclose such information to third parties without the owner's consent. In a broader sense, information security (or confidentiality) is a guarantee that information is not accessible to the general public; it's like the "right to remain silent" for your data. If information becomes accessible to unauthorized individuals (hackers, competitors, or even unauthorized employees within the company), we speak of a leak, or a breach of confidentiality.

 

Imagine a bank with thousands of safety deposit boxes: to access the contents of a particular box, you need to go through several layers of security. First, there's security at the bank entrance (the network perimeter), then a bank employee checks your passport (identification), and then you and the employee go to the box, where you need two keys to open it (your personal key and the bank key, as in multifactor authentication). Other bank customers can't see what's in your safe deposit box; the walls are opaque (encrypted), and if someone else looks inside or steals the contents, your privacy is compromised.

 

To secure their perimeter, companies use various security tools, which we've discussed previously. We've also written about identification, authorization, and multifactor authentication. Now, we'll focus on two aspects: what needs to be protected and how it works. Confidentiality isn't applied to everything; it focuses on critical information assets whose leakage would cause damage. We can identify three key categories:

 1) Personal data (PDn), a person's "digital identity": passport data, medical diagnoses, biometrics, transaction history, and other types of personal information are protected by Federal Law No. 152 in Russia, the GDPR in Europe, and other national laws.

 2) Trade secrets, like the soul of a business, include customer databases, unique algorithms (know-how), merger and acquisition plans, and pre-publication financial reports. A trade secret leak can instantly bankrupt a company or deprive it of its competitive advantage.

 3) State secrets, highly sensitive information concerning defense, intelligence, and foreign policy. The stakes here are extremely high, even reaching national security.

 

To ensure confidentiality, many measures are used, which we will divide into cryptographic and management:

 

 - Encryption is the process of converting information into an unreadable form (ciphertext) using an algorithm and a key. Without a key, the data is a meaningless string of characters, but with a key (like the safe deposit box key in the example above), the ciphertext can be decrypted and the information read as usual. Encryption can also be divided into groups: symmetric (when the same key is used for encryption and decryption) and asymmetric (when a key pair is used: a public key for encryption and a private key for decryption). Data is encrypted in two states: at rest (on hard drives and flash drives, in databases, etc.) and in motion (through tunnels, inside which the data is invisible to outsiders; this is how HTTPS, TLS and VPN work).

 

 - If encryption is a safe, then access control is the security guard who checks the passes. This process includes identification (when the subject identifies themselves, for example by entering a login), authentication (when the subject proves they are who they claim to be by entering a password or, for example, using a fingerprint) and authorization (when the system checks whether the user has rights to access a specific resource, such as a file or folder).
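The three access-control stages described above, as an added example that is not part of the original article. The user names, passwords, resource paths and PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is an assumption for this example; tune it for real systems.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user(password: str) -> dict:
    """Store only a random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt)}

# Constructed sample data: two subjects and a per-resource access list.
USERS = {"alice": make_user("correct horse"), "bob": make_user("battery staple")}
ACL = {"/finance/report.xlsx": {"alice"}, "/public/readme.txt": {"alice", "bob"}}

def access(login: str, password: str, resource: str) -> str:
    """Return the stage at which the request stopped, or 'granted'."""
    # Identification: does the claimed subject exist at all?
    user = USERS.get(login)
    if user is None:
        return "identification failed"
    # Authentication: prove the claim; compare in constant time.
    supplied = hash_password(password, user["salt"])
    if not hmac.compare_digest(supplied, user["pw_hash"]):
        return "authentication failed"
    # Authorization: an authenticated subject still needs rights to the resource.
    if login not in ACL.get(resource, set()):
        return "authorization failed"
    return "granted"
```

The stage names are returned separately only to make the flow visible; a real login endpoint would give the client the same response for the first two failures so that valid logins cannot be enumerated.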

 

Imagine a front door key: every family member (or trusted person) has identical duplicates, but if the key is lost, everyone needs to think about replacing the lock (or encryption key) as quickly as possible. This is how symmetric algorithms like AES-256, ChaCha20, and Blowfish work. Asymmetric algorithms like RSA and ECC are slightly more complex, and can be compared to a mailbox where anyone can drop a letter (encrypt it with the public key), but only the owner of the door key (the private key) can open the box and retrieve the mail.

 

If confidentiality answers the question, "Who sees the data?" then INTEGRITY answers the question, "Can we trust this data?" It's the property of information to retain its structure and content unchanged during storage and transmission. In GOST terminology, integrity implies the absence of distortion (both malicious and accidental). If, for example, one figure in a financial report is changed, the document loses its integrity and, therefore, its reliability.

 

Imagine the cells inside your own body. They contain a unique code, DNA, and a change in it (mutation) disrupts its integrity and can lead to disease or changes in the body's properties.

 

To ensure integrity, various mathematical algorithms are used to detect even the slightest changes, for example:

 

 - Hashing is the process of converting data of any size into a unique, fixed-length string (hash). It's easy to obtain a hash from data, but it's impossible to reconstruct the file's contents from the hash. If even one comma in the original text (for example, in the book "War and Peace") is replaced with a period, the resulting hash will change beyond recognition.

 

 - Electronic digital signature (EDS) is the pinnacle of integrity protection. A digital signature guarantees not only that a document has not been altered (integrity), but also that it was created by a specific person (authenticity) and that the author cannot deny this (non-repudiation).

 

 - Version control systems (Git) also serve as a tool for integrity, allowing you to track every change to your code and revert to a "clean" state if needed.

 

 - Modern systems use a blockchain, where the hash of each subsequent block depends on the hash of the previous one. This makes unauthorized modification of historical data mathematically impossible without recalculating the entire chain.
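The hash-chain property from the last item, as an added example that is not part of the original article. The ledger records, the all-zero genesis value and the idea of a separately stored head hash are assumptions of this sketch; it shows where an edit is detected and why a fully recalculated chain is only caught by comparing against a trusted head hash.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first block

def block_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = block_hash(prev, payload)
        chain.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain

def first_broken_block(chain, trusted_head=None):
    """Index of the first bad block; len(chain) if only the trusted head hash
    differs; None if the chain verifies."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block_hash(prev, block["payload"]) != block["hash"]:
            return i
        prev = block["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None

# Constructed sample ledger (not from the article).
LEDGER = [{"id": n, "amount": 100 * n} for n in range(1, 5)]

def scenarios():
    good = build_chain(LEDGER)
    head = good[-1]["hash"]  # kept out of band by the verifier
    edited = copy.deepcopy(good)           # payload changed, hashes untouched
    edited[1]["payload"]["amount"] = 9999
    rehashed = copy.deepcopy(edited)       # block 1's own hash recomputed as well
    rehashed[1]["hash"] = block_hash(rehashed[1]["prev"], rehashed[1]["payload"])
    forged_ledger = copy.deepcopy(LEDGER)  # every block recomputed after the edit
    forged_ledger[1]["amount"] = 9999
    forged = build_chain(forged_ledger)
    return {"intact": first_broken_block(good, head),
            "edited": first_broken_block(edited, head),
            "rehashed": first_broken_block(rehashed, head),
            "forged_no_anchor": first_broken_block(forged),
            "forged_with_anchor": first_broken_block(forged, head)}
```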

 

Imagine running a book through a magical New Year's salad-making robot: the result is a unique dish. You can't reconstruct the book from the salad, but if you have the original, you can run it through the "salad maker" again and compare the results with the standard. If they are identical, the book hasn't been altered, but if the "test run" notices a change in flavor, color, or a new ingredient, it means the book has been substituted. That's how algorithms such as SHA-256 and SHA-3 work, but outdated methods like MD5 and SHA-1 are no longer considered reliable due to situations where two identical "herrings under a fur coat" could be cooked from two different books. A digital signature combines this type of hashing and asymmetric encryption: the sender creates a hash of the document, encrypts it with a private key, and the resulting "Olivier salad" is the digital signature. The recipient takes the document, calculates its hash themselves, decrypts the signature with the sender's public key, obtaining the original hash, and compares the dishes. If both hashes match, the document is authentic and immutable.
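The hash-then-sign flow just described, as an added example that is not part of the original article. It uses a toy RSA key built from two known Mersenne primes so that it runs with the standard library alone; the key size, the sample documents and the absence of padding are assumptions of the sketch, and production systems use a vetted library with a padded scheme.

```python
import hashlib

# Toy RSA key (assumption of this example): far too small for real use, and
# real signatures add padding such as RSA-PSS.
P, Q = 2**89 - 1, 2**127 - 1           # two known Mersenne primes
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def digest_int(document: bytes) -> int:
    """SHA-256 of the document as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N

def sign(document: bytes) -> int:
    """Sender: hash the document, then transform the hash with the private key."""
    return pow(digest_int(document), D, N)

def verify(document: bytes, signature: int) -> bool:
    """Recipient: recover the hash with the public key and compare it with a
    hash computed independently over the received document."""
    return pow(signature, E, N) == digest_int(document)

def differing_bits(a: bytes, b: bytes) -> int:
    """How many of the 256 SHA-256 output bits differ between a and b."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")

# Constructed sample documents: the second replaces one comma with a period.
ORIGINAL = b"Pay 100 to account 42, as agreed in the contract."
ALTERED = b"Pay 100 to account 42. as agreed in the contract."

if __name__ == "__main__":
    signature = sign(ORIGINAL)
    print("original verifies:", verify(ORIGINAL, signature))
    print("altered verifies: ", verify(ALTERED, signature))
    print("hash bits changed:", differing_bits(ORIGINAL, ALTERED), "of 256")
```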

 

AVAILABILITY, the final component of the triad, is the property of information and resources to be ready for use upon request. Simply put, it guarantees unimpeded access to a service at the right time: if an online store is unavailable on Black Friday, it loses revenue; if an air traffic control system is unavailable, lives are at risk. Unlike confidentiality, which hides data, availability requires its active provision.

 

Imagine a highway leading to an airport. The road is wide and the pavement is excellent, but if a traffic jam forms, you'll miss your flight and might be late for a New Year's Eve celebration with family or friends who live far away. In this example, the airport (server) is operational, planes are flying (data is available), but you can't reach them. A distributed denial-of-service (DDoS) attack is the artificial creation of such a traffic jam by thousands of empty bots. Another way to compare availability is to the electricity in a socket used to plug in Christmas lights. We think it's always there, but if there's a power outage at the substation (the service is unavailable), instead of Christmas lights, you'll likely need to decorate your house with candles. To ensure availability, we buy generators and uninterruptible power supplies, and IT systems in companies are built around fault-tolerance principles (for example, through redundant components).

 

Ensuring availability is more of an architectural challenge that can be addressed using the following approaches:

 

- Redundancy, where each critical component has a backup. This is how RAID arrays work (storing data on multiple hard drives simultaneously, so that if one drive fails, the data is not lost and the system continues to operate), server clustering (with load balancing), and geo-redundancy (when data centers are located in different cities, and traffic is switched to another region in the event of a disaster).

 

- Backup, the last line of defense, allows you to restore a previous version of your data. The golden rule of backup is 3-2-1: three copies of your data are stored on two different media (e.g., a disk and a cloud), and one copy is stored offline (physically disconnected from the network to prevent ransomware from accessing it).

 

- There are also specialized traffic filtering systems (for protection against DDoS attacks or traffic jams on the way to the airport). They act like giant "sieves," allowing useful user requests through and filtering out junk bot traffic, ensuring unimpeded access even during the most powerful attacks.

 

Availability conflicts with other elements of the triad, acting as a system of checks and balances:

  a) To ensure maximum confidentiality, we implement complex passwords, biometrics, channel encryption, and restrict access from external networks. All of this creates complexity and makes the system less accessible (in terms of speed and usability).

  b) Integrity checking (for example, verifying the hash of each transmitted data packet) requires computing resources. And if we check every byte, the system's performance will decrease, which may be perceived by the user as a decrease in service availability.

 

In a world where information assets are more valuable than gold, neglecting any element of the triad inevitably leads to losses. This could be encryption for protecting correspondence, hashing for file version control, or backing up family photo archives... each of us uses the principles of the digital security triad every day, even if we don't think about it.

 

Ensuring security is a never-ending balancing act, and the KDC information security triad serves as a reliable compass in this stormy digital ocean. It's not a static construct, but a dynamic system, where strengthening one element often weakens others. In the professional community, this is known as the problem of balancing security and usability, and we hope each of you finds this balance and adheres to the laws of data management, so that our lives are safe and simple.
