Protection Goals: CIA and CIAA

Management Summary

The traditional protection goals of information security are confidentiality, integrity and availability. These three goals are often referred to as the CIA triad, after the initial letters of the respective goals.
In the meantime, a further protection goal has gained in importance. First mentioned by the BSI as a sub-area of integrity, authenticity is now named by many regulations and standards on an equal footing with the CIA triad.


Introduction

The central motivation of information security is to guarantee confidentiality, integrity and availability. However, there is a lively debate as to whether securing this triad in fact sufficiently guarantees the security of information. As a consequence, over the years the list of protection goals has been extended and new models have been proposed.
One example of the former is non-repudiation: it must not be possible to deny actions performed on IT systems or on information. An authentication method based solely on a password prompt, for instance, allows colleagues to share passwords. An authenticated user may then deny an information security incident committed via their account, because it is entirely possible that a colleague gained access with the shared password. The purpose of non-repudiation is to rule out such situations.
In the following, however, we would like to shed more light on another protection goal, namely authenticity. In the context of information security, this means the validity and trustworthiness of information as well as people. In the IT-Grundschutz-Kataloge (IT Baseline Security Catalogues), the Federal Office for Information Security (BSI) lists this attribute in the same breath as the aforementioned CIA triad and thus creates a quartet of information security.
Before we look at the reasons for the revaluation of authenticity, let us briefly recall the definition of the other protection goals.

Protection Goals

The aforementioned protection goals are often visualized by the so-called CIA triad (see Figure 1). The acronym CIA stands for the initial letters of the three protection goals confidentiality, integrity and availability. If this model is complemented by authenticity, we obtain the CIAA quartet (see Figure 1).

Figure 1: Evolution of Protection Goals

Confidentiality

The aim of confidentiality is to protect information from unauthorized access. This becomes particularly important in connection with personal data (such as customer or employee data), the protection of which is required, for example, by the General Data Protection Regulation (GDPR). But companies also have an interest in ensuring that sensitive data does not fall into the hands of the competition.
The confidentiality of information can be ensured by appropriate assignment of permissions in connection with authentication procedures and encryption.

Integrity

The term integrity refers to the correctness of data, in the sense that data is both complete and unchanged. For example, manipulating a customer’s bank details is a violation of integrity. In a broader sense, integrity also covers metadata, for instance the date on which a document was last modified. In addition, integrity also refers to the correct functioning of IT systems.

Availability

Information, IT systems and applications are available if they are accessible to users and work as intended. Malware that encrypts company data and makes it unreadable, or the failure of a server, represents a violation of availability.
Restrictions of availability can lead in many ways to monetary and reputational losses for companies.

Authenticity

A person is authentic if their identity and their statements about their identity match. Information is authentic if the stated author of the information is actually its originator. If the sender address of an e-mail is replaced by that of someone else, the e-mail loses its authenticity.
Authenticity also plays a major role in access to IT systems and applications. Before access is granted, a user must be able to authenticate, for example by entering a password. Depending on the protection requirements of the IT system or application, however, authentication methods can also query several so-called factors, such as a password combined with a one-time code from a hardware token.

Further information on protection goals and other topics related to cyber security can also be found in our cybersecurity glossary.

The Role of Authenticity

There is a clear overlap between the terms integrity and authenticity, particularly in the context of information. Whether the stated author of a document actually composed it is a question of authenticity. If the stated author and the actual author differ, however, the correctness of the document (or of its metadata) is compromised, and therefore its integrity is affected as well. The revaluation of authenticity by the BSI is therefore not due to any incompleteness of the existing CIA triad; the aim is to create a stronger awareness of authenticity.
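The overlap between integrity and authenticity, and the gap between them, can be made concrete in code. The following is an added example, not part of the original article, and it assumes a mechanism the text does not name: an unkeyed hash (SHA-256) as the integrity check and a keyed message authentication code (HMAC-SHA256) as the authenticity check, with the key shared in advance between sender and receiver. The sender address, message body and the attacker "Mallory" are constructed sample data. Three manipulations are replayed against both mechanisms: accidental corruption in transit, an attacker rewriting the amount, and an attacker swapping the stated sender (the e-mail case from the previous section).

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the original article): a payment instruction
# that carries a claimed sender, the way an e-mail carries a From: header.
SENDER = "alice@example.org"
BODY = "Please transfer 100 EUR to account DE00 0000 0000 0000 0000 00."


def _payload(sender: str, body: str) -> bytes:
    # Bind sender and body together so neither can be swapped independently.
    return f"{sender}\n{body}".encode("utf-8")


def digest(sender: str, body: str) -> str:
    """Integrity check only: an unkeyed SHA-256 over sender and body.
    Anyone who can rewrite the message can also recompute this value."""
    return hashlib.sha256(_payload(sender, body)).hexdigest()


def verify_digest(sender: str, body: str, expected: str) -> bool:
    return hmac.compare_digest(digest(sender, body), expected)


def tag(key: bytes, sender: str, body: str) -> str:
    """Authenticity check: HMAC-SHA256 under a key shared only by sender and receiver.
    Without the key an attacker cannot produce a valid tag for a changed message."""
    return hmac.new(key, _payload(sender, body), hashlib.sha256).hexdigest()


def verify_tag(key: bytes, sender: str, body: str, expected: str) -> bool:
    return hmac.compare_digest(tag(key, sender, body), expected)


def run_scenarios() -> dict:
    """Replay three manipulations against both mechanisms and report what each accepts."""
    key = secrets.token_bytes(32)  # assumed to be shared in advance between Alice and the bank
    legit_digest = digest(SENDER, BODY)
    legit_tag = tag(key, SENDER, BODY)

    # 1. Accidental corruption in transit: the body changes, the attached check value does not.
    corrupted = BODY.replace("100", "109")
    # 2. Active attacker (Mallory) rewrites the amount and recomputes the unkeyed digest.
    forged_body = BODY.replace("100 EUR", "100000 EUR")
    forged_body_digest = digest(SENDER, forged_body)
    # 3. Active attacker keeps the body but swaps the stated sender.
    forged_sender = "mallory@example.org"
    forged_sender_digest = digest(forged_sender, BODY)

    return {
        # Unkeyed digest: catches corruption, but accepts anything the attacker re-hashes.
        "hash_detects_corruption": not verify_digest(SENDER, corrupted, legit_digest),
        "hash_accepts_rewritten_body": verify_digest(SENDER, forged_body, forged_body_digest),
        "hash_accepts_swapped_sender": verify_digest(forged_sender, BODY, forged_sender_digest),
        # Keyed MAC: Mallory has no key, so no valid tag exists for any altered message.
        "mac_accepts_original": verify_tag(key, SENDER, BODY, legit_tag),
        "mac_rejects_corruption": not verify_tag(key, SENDER, corrupted, legit_tag),
        "mac_rejects_rewritten_body": not verify_tag(key, SENDER, forged_body, legit_tag),
        "mac_rejects_swapped_sender": not verify_tag(key, forged_sender, BODY, legit_tag),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} {outcome}")
```

The unkeyed digest answers only "is this the data that was hashed?", which protects against accidental corruption; an active attacker simply re-hashes, so neither the content nor the stated sender is bound to anyone. The keyed tag binds both to a holder of the key, which is why authenticity (in the sense of the text) always brings integrity with it. Note the caveat for the non-repudiation goal from the introduction: because sender and receiver share the same key, either of them could have produced the tag, so an HMAC does not let the receiver prove to a third party who sent the message. That requires a digital signature, where only the sender holds the signing key.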

CIA and CIAA in Regulations

The CIA triad and its expansion including the fourth pillar of authenticity can be found in many legal texts, regulations and standards relating to the information security of companies. The following is a list of references to the three or four protection goals respectively:

  • IT-Grundschutz-Kataloge – IT Baseline Security Catalogues
  • IT-Sicherheitsgesetz (IT-SiG) – IT Security Law
  • Bankenaufsichtliche Anforderungen an die IT (BAIT) – Supervisory Requirements for IT in Financial Institutions
  • Versicherungsaufsichtliche Anforderungen an die IT (VAIT) – Supervisory Requirements for IT in Insurance Companies
  • General Data Protection Regulation (GDPR)

As described above, authenticity is already mentioned in the BSI’s IT-Grundschutz-Kataloge in the same breath as the CIA triad, namely in the listing of damage categories in information security. There, however, authenticity is still subordinated to integrity as a sub-area, even though its increasing importance is already made clear.
Nowadays, authenticity is on the same level as confidentiality, integrity and availability, as the IT-SiG shows. This amendment not only requires operators of critical infrastructures to take organizational and technical measures to secure the three classic protection goals with regard to IT systems, components and processes, but also to maintain authenticity. Moreover, the obligation to report significant disruptions of the protection goals to the BSI also covers authenticity.
The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) also uses the CIAA quartet in its texts, for example in the circulars BAIT and VAIT, which impose requirements on the IT of banks and insurance companies. The third topic module of these circulars, which formulates guidelines for information risk management, requires IT systems and the associated IT processes to maintain integrity, availability, confidentiality and authenticity. And like the BSI, BaFin speaks of an information security incident not only when one of the protection goals of the CIA triad is violated, but also when authenticity alone is compromised.
Finally, the protection goals can also be found in the GDPR. Article 32 describes requirements for the confidentiality, integrity, availability and resilience of processing systems and services, thus supplementing the CIA triad with resilience. Recital 49 names the processing of personal data to ensure network and information security as a legitimate interest, as this serves to protect availability, authenticity, integrity and confidentiality (again the CIAA quartet).

Sources

[1] Bundesamt für Sicherheit in der Informationstechnik: “IT-Grundschutz Kataloge”. https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/itgrundschutzkataloge_node.html (25/07/2018)
[2] Deutscher Bundestag: “Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz)”. https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&start=//*%255B@attr_id=%27bgbl115s1324.pdf%27%255D#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl115s1324.pdf%27%5D__1531743673579 (25/07/2018)
[3] Bundesanstalt für Finanzdienstleistungsaufsicht: “Circular 10/2017 (BA) from 03.11.2017: Supervisory Requirements for IT in Financial Institutions (Bankenaufsichtliche Anforderungen an die IT – BAIT)”. https://www.bafin.de/SharedDocs/Downloads/EN/Rundschreiben/dl_rs_1710_ba_BAIT_en.pdf?__blob=publicationFile&v=3 (25/07/2018)
[4] Bundesanstalt für Finanzdienstleistungsaufsicht: “Rundschreiben 10/2018: Versicherungsaufsichtliche Anforderungen an die IT (VAIT)”. https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1810_vait_va.pdf?__blob=publicationFile&v=4 (25/07/2018)
[5] European Parliament and European Council: “Regulation (EU) 2016/679 (General Data Protection Regulation)”. https://gdpr-info.eu (25/07/2018)

Author

Carsten Reffgen