Understanding The CIA Triad with a $1M Business Deal
You learn “A”, “B”, and “C” as the first three letters of the English alphabet. For CISSP, the equivalent characters are “C”, “I”, and “A”, also known as The CIA Triad — confidentiality, integrity and availability.
I want to tell a fictional story to explain the CIA triad. The intent is to portray the concept creatively, so please don’t look too hard at the logic.
Story Premise
Mr X, a successful and wealthy businessman, lives in a secluded mansion on the island. He wants to securely transfer $1M for the business deal to Dave, his potential client. There is no possibility of an electronic transaction; the only way to transfer money is via a private yacht. However, Mr X fears the pirates in the sea who may steal the money. What’s going to happen?
Confidentiality [C]
The island is guarded around the clock by commandos. A team monitors the footage from all the CCTV cameras 24x7. The money sits inside a secure vault. Only authorised personnel can access the vault, via biometric controls such as fingerprint and retina scans.
You can think of the money as a passive object and whoever accesses the money as an active subject. The relationship between subject and object is governed by access control, which is what all of those security measures implement. Hence, confidentiality ensures that only authorised personnel (subjects) can access the money (object).
Two months back, one of the pirates made a custom mask of an authorised person’s face and successfully defeated the face-recognition control. However, a commando arrested the pirate right before he broke into the vault.
Let’s put the encryption in the story and continue.
Mr X dispatched a team of six commandos in his private yacht. The $1M is safe inside a secure briefcase locked with a secret key (encryption). Only Dave (the client) has the decryption key to open the briefcase. Sounds secure?
Just wait.
Integrity [I]
One of the six commandos double-crosses the team in the middle of the ocean. He is working with the pirates and lets one of them aboard the yacht through a back door.
The traitor commando also happens to know the decryption key. The pirate replaces the $1M with fake money and runs away. The yacht reaches the harbour to deliver the money. None of the commandos is aware the money has been tampered with, except the traitor.
Dave’s team decrypts the briefcase with the key and opens it. Upon checking, they find the money is fake! That’s what we call compromised integrity.
An integrity issue arises when data or an object is altered from its original state; in our story, the real money is swapped for fake notes. It can occur while data is at rest, in use or in transit. The other way to look at this is that the traitor commando has also lost his integrity.
Was Dave furious?
Indeed. He was.
Mr X apologised to Dave. After reviewing a hidden CCTV camera in the yacht, the commandos arrest the traitor. However, the situation still wasn’t in Mr X’s favour.
“I am afraid we can’t have this deal anymore, Mr X. I am on a tight deadline,” said Dave.
Mr X was persistent.
“Please give my commandos 10 minutes,” said Mr X.
— — — After 10 minutes — — —
The commandos bring $1M for Dave in a shiny new briefcase. Dave’s team revalidates the money, and it looks good.
Dave was surprised. He called Mr X.
“Thanks for bringing this deal back to life. How did you do it?” asked Dave.
Mr X laughed, saying, “We always have a backup in the secret location. That’s all you need to know. Thank you for the business.”
Availability [A]
How did the commandos manage to get $1M in 10 minutes?
Mr X believes in a backup plan. He keeps $1M in secret vaults at various points along the shore (Damn! he is filthy rich). That’s how availability works.
Availability is about your data (money) being available to authorised personnel (the real commandos, not that traitor) — no wonder a redundant system is a crucial part of the design.
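The three properties the story walks through, as an added Python example (not part of the original article): the briefcase is an encrypted message, Dave holds the decryption key, the traitor knows that key but not a separate integrity key shared only by Mr X and Dave, and the shore vault is a backup copy. Encryption alone lets the swap go unnoticed; a keyed tag detects it; a second intact copy keeps the deal alive. The cipher is a keystream built from HMAC-SHA256 in counter mode, chosen only to keep the example within the standard library; all keys, location names and the “money” strings are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample keys: Dave's decryption key (which the traitor also knows)
# and a separate integrity key shared only by Mr X and Dave.
ENC_KEY = b"dave-decryption-key-sample-0001"
MAC_KEY = b"mr-x-dave-integrity-key-sample-2"

# Constructed sample "money".
REAL_MONEY = b"$1,000,000 in genuine notes"
FAKE_MONEY = b"$1,000,000 in counterfeit notes"


def keystream(key, nonce, length):
    """Keystream from HMAC-SHA256 in counter mode (a PRF used as a stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, nonce, data):
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key, mac_key, plaintext):
    """Confidentiality plus integrity: encrypt, then tag the nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_unauthenticated(enc_key, briefcase):
    """Decrypt only, as in the story: nothing checks that the contents are original."""
    return xor_crypt(enc_key, briefcase["nonce"], briefcase["ct"])


def open_authenticated(enc_key, mac_key, briefcase):
    """Verify the tag before decrypting; refuse anything that was tampered with."""
    expected = hmac.new(mac_key, briefcase["nonce"] + briefcase["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, briefcase["tag"]):
        raise ValueError("integrity check failed: contents are not what was sealed")
    return xor_crypt(enc_key, briefcase["nonce"], briefcase["ct"])


def traitor_swap(enc_key, briefcase, fake):
    """The traitor knows the decryption key, so he can re-encrypt fake money under
    the same nonce. He does not know the integrity key, so the old tag stays behind."""
    return {**briefcase, "ct": xor_crypt(enc_key, briefcase["nonce"], fake)}


def deliver(enc_key, mac_key, copies):
    """Availability: try each stored copy in order and hand over the first intact one."""
    for location, briefcase in copies:
        try:
            return location, open_authenticated(enc_key, mac_key, briefcase)
        except ValueError:
            continue
    raise RuntimeError("no intact copy of the money is available")


def run_story():
    """Replays the story and returns what each party observes."""
    sealed = seal(ENC_KEY, MAC_KEY, REAL_MONEY)          # briefcase leaving the island
    on_yacht = traitor_swap(ENC_KEY, sealed, FAKE_MONEY)  # after the swap at sea
    result = {}
    # Decrypt-only opening: the swap goes unnoticed, just as in the story.
    result["unauthenticated"] = open_unauthenticated(ENC_KEY, on_yacht)
    # Authenticated opening: the swap is detected before the notes are trusted.
    try:
        open_authenticated(ENC_KEY, MAC_KEY, on_yacht)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    # The shore vault still holds an untouched copy, so the deal can go ahead.
    result["delivered_from"], result["delivered"] = deliver(
        ENC_KEY, MAC_KEY, [("yacht", on_yacht), ("shore vault", sealed)])
    return result


if __name__ == "__main__":
    for key, value in run_story().items():
        print(key, value)
```

The point of the two keys is that a decryption key buys confidentiality and nothing more: whoever holds it can read the briefcase and can just as easily refill it. Integrity comes from a separate secret the traitor never had, and availability from the second copy the first failure never touched.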
We hear Mr X’s static voice on the walkie-talkie, “Commandos. Did you find the pirate?”
“Sir… We are on it,” replied the commandos.
Mr X pours his scotch and gazes at sunset from the balcony.
Understanding the CIA Triad is the stepping stone to cybersecurity. You should understand how data confidentiality and integrity are achieved. Check out my articles on the beauty of public key cryptography, establishing the friendship between Batman and Joker. Also, check out what happens behind the scenes of digital signatures and message digests.
I write articles on CISSP, information security, and cybersecurity insights using a digital sketch. Please subscribe to my newsletter and get notified when a new article is published.