When we talk about confidentiality, integrity, and availability together, we use the term CIA. You will often see this referred to as the CIA triad in various security blueprints. To describe the three, let’s begin with confidentiality.
We often hear the term confidentiality in connection with encryption, and when we talk about encryption, we’re talking about the ability to hide or privatize our data. Sometimes we’ll use the term VPN or virtual private network, and the idea is to keep things private. In terms of encryption, there are several algorithms that we can use.
When we get into cryptography concepts, we’re going to talk about algorithms in detail, but it helps to introduce them a little ahead of time. We can use DES or Data Encryption Standard, which is 56-bit encryption.
We also have 3DES, which is another encryption standard that we can use, which is 168-bit encryption. We also have AES, aka Advanced Encryption Standard. AES comes in a 128-bit, 192-bit, or 256-bit encryption method, and those are standards that we use today.
3DES and AES are more appropriate these days than DES. DES is probably one that you’re not going to want to use these days, simply because it’s not very secure in terms of capabilities anymore. We use these encryption algorithms to hide our data, and once we do this, it involves the use of a key.
When we talk about keys, we first have to understand that there are two different types of keys. We have a symmetric key and an asymmetric key. When we talk about symmetric keys, we use the same key for encryption and decryption. For particular algorithms, a symmetric key can be used for real-time exchange, because it can happen very quickly.
For example, let’s say we have a VPN tunnel, but first, we should begin with having a computer sitting behind our VPN gateway. The VPN gateway could be a Cisco firewall, and then out on the internet, we have some type of connectivity. Maybe there’s another Cisco firewall on the other end, and we have a server on that side we want to talk to from our PC.
We’re going to have the firewalls build encryption for us, so they’ll put up a tunnel between the two of them, and they will do real-time encryption on our data. As we send that data, it’s going to be clear text, or clear data, but once it hits the firewall’s interface, we are going to have encrypted data.
That encrypted data is then sent real-time across the network, and once we get to the firewall on the other side, the data is going to get decrypted using the symmetric key, and then we have clear data again when we talk to that server. This is what we typically use.
If we’re talking about asymmetric algorithms, we would be talking about something like RSA, aka the Rivest, Shamir, and Adleman algorithm, or simply the RSA algorithm. We use a public and private key pair in this case. It’s essential to understand that the public key and the private key are different.
Asymmetric algorithms are not necessarily a good choice for real-time encryption, but they are good for taking some data, encrypting it, and then decrypting it later on. We can also use RSA algorithms for authentication. That’s the high-level overview of confidentiality.
We can provide confidentiality using different encryption algorithms, and we’re going to go into more detail on the cryptography concepts shortly, but for now this is just a high-level overview of what confidentiality provides for us in the confidentiality, integrity, and availability triad (CIA triad).
When we talk about integrity, more specifically data integrity, the idea is to make sure that data has not been modified. We have to be able to validate the integrity of our data. Usually, we use some type of hash function to verify the integrity of our data. Mostly, we have two significant hash algorithms that we would look at. We have Message Digest 5, aka MD5, and we have SHA, aka Secure Hash Algorithm. MD5 is a 128-bit hash, and SHA is a 160-bit hash if we’re using SHA-1, but there are other SHA methods that we could use.
Imagine that we have our data, and we want to validate that this data has not been modified. We want to verify the integrity of the data. So, what we can do is this. We take the data, and we make a copy of it. We take that copy of the data, and we’re going to run it through a hash algorithm.
You might think of it as a kind of funnel, and that funnel could be MD5 or SHA. Whatever hash algorithm it is that we’re using, we run the copy through it, and once done, the data will come out as a big mangled bunch of almost nonsense. This is because it’s a hash, something that we can’t read. Next, we take that hash and attach it to the original data, so now we can send that data across the network, and the other side can verify its integrity. On the other side of the network, we get this data that comes across, and that data, whether or not it’s encrypted, has a hash. The other side knows the algorithm that we’re going to be using, so they already have the key. For this example, let’s imagine the other side already has those keys.
We use MD5 or SHA on the other side of the network too, and what happens is that they take the data, make a copy of that data, run the copy through the hash algorithm, and then they take the hash that we sent and see if it is equal to the hash that they’ve generated. If this is the case, then we can verify that the data has not been modified while it’s been in transit.
Another way we can describe how this works is this. Imagine that you are shipping a package to a friend. Imagine that we have this package, and we box it up, and we’re sending it to our friend, and we’re going to send this through a shipping company. Regardless of the company we use, there will be transport mechanisms, and once we hand the package over to this transport method, we don’t have any control over it. We can’t see the package, so we don’t know what’s going on with the data. Therefore, what we do is that we take the box, and we put the box on a scale. Our scale tells us that it weighs 10Kg, so we know how much it weighs when it leaves. We print out a shipping label, and the shipping label has the “TO” address on it, and the “FROM” address, and it also has a weight on it.
So now, we can imagine that this weight is the integrity hash. We have a weight, and that weight tells me that it’s 10Kg. We have fixed that with a sticker to the outside of our box, and then our shipping guy comes over, and he picks it up, and it’s in transit. Now it gets to the other side, and they deliver this box. I sent this box to my friend, and my friend calls me and says that he has got the box, so it made it there, but making it there is not enough. I need to know that integrity is still intact. So how do I do that? Well, my friend is going to look at this shipping label, and it’s going to say 10Kg.
He is going to take that box that I’ve just shipped, and he is going to put it on his scale, and he is going to look to see if it’s 10Kg. If it’s not, then he is going to know that something’s happened to this package in transit. Let’s say that the box when he receives it, only weighs 5Kg. Well, that is a big problem. We’ve lost 5Kg along the way, so at this point, we would understand that we have had some kind of an issue while it was in transit, and it is no longer a valid package.
If we’re talking in terms of data networking, and it’s a VPN, and that integrity hash fails, then we’re going to discard the packet. We won’t read it; we don’t want to have anything to do with it, because it is not what we expected it to be. That’s integrity. Providing data integrity just means that we have a way to verify that the data has not been modified.
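The hash-and-compare procedure described above, and the discard on a failed check, as an added example that is not part of the original article. It assumes SHA-256 (one of the other SHA methods) and a constructed shared key, and it shows why the receiver needs a key: an unkeyed hash can be recomputed by whoever modified the data, while a keyed hash (HMAC) cannot.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def attach_hash(data: bytes) -> bytes:
    """Unkeyed: hash a copy of the data and attach the hash to the original."""
    return data + hashlib.sha256(data).digest()


def verify_hash(packet: bytes) -> bool:
    """Unkeyed check: recompute the hash and compare it with the attached one."""
    data, digest = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(data).digest())


def attach_hmac(key: bytes, data: bytes) -> bytes:
    """Keyed: only a holder of the shared key can produce a valid tag."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, packet: bytes):
    """Return the data if the tag matches, or None so the caller discards it."""
    if len(packet) < TAG_LEN:
        return None
    data, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None


def demo():
    key = b"constructed-shared-key-for-demo!"   # constructed sample key
    original = b"transfer 100 to account 42"    # constructed sample data
    # 1. Data arrives unmodified: the receiver accepts it.
    intact = verify_hmac(key, attach_hmac(key, original))
    # 2. One bit changes in transit ("100" becomes "900"): the tag no longer matches.
    damaged = bytearray(attach_hmac(key, original))
    damaged[9] ^= 0x08
    after_change = verify_hmac(key, bytes(damaged))
    # 3. Data replaced and the unkeyed hash recomputed: the unkeyed check still passes.
    replaced = attach_hash(b"transfer 900 to account 42")
    unkeyed_passes = verify_hash(replaced)
    # 4. The same replaced packet fails the keyed check, so it is discarded.
    keyed_result = verify_hmac(key, replaced)
    return intact, after_change, unkeyed_passes, keyed_result


if __name__ == "__main__":
    print(demo())
```
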
Availability, to put it simply, means that if our systems are not available, the business will not work. It’s that simple. Availability has to do with making sure that the devices that we have are available in the network. That means that we have to maintain our hardware, and we also need to have a plan for failover to some degree for high availability to provide redundancy.
There’s a lot that goes along with availability. It’s essential to do things like upgrades and to follow a vendor’s upgrade path, so that we are using stable software, something that doesn’t have any threats associated with it.
For example, Cisco is excellent about putting out information on current threats, letting us know that there is a problem with a particular software version. So, we need to make sure that we follow our system upgrades as needed.
Making sure that we have the amount of bandwidth that we need in a network also lends itself to availability. It is even necessary to make sure that we are preventing bottlenecks. If we get too much data and we start having traffic drop, and the network is no longer available, then that becomes a problem as well.
To put it simply, availability means that we make sure that the network is available, otherwise we are unable to conduct business. Later on when we start talking about some of the threats on a network, some of these threats will target the availability of a network. An example of that would be a denial of service attack. A denial of service attack would be trying to prevent the network, or devices on our network from providing the necessary services.