The Magic Triangle of IT Security

The myths of the CIA triad

Have you ever considered taking a role as the most senior person for information security working at a large corporation? Then you must be prepared to understand the key principles of information security—and how they really apply to life and business.

We all understand the typical C-I-A triad (written in this sequence because it’s so easy to remember with the 3-letter agency acronym), where C stands for Confidentiality, I for Integrity and A for Availability. But, what I have realized and seen from many people during my professional life—people who are well-educated about security and who are really committed to keeping secure the information of the company they are working for—is this: They all overstate the importance of confidentiality.

Sure, I don’t need to tell you that confidentiality is in fact important. But, if you really think about it, what is the true business impact if some confidential information leaks? It certainly depends on the specific circumstances. Has intellectual property been compromised? Have marketing plans been shared with another sales department? Or even price lists? Or has a major planned acquisition been become public knowledge and suddenly the stock price of the acquisition target goes through the roof? Maybe you will have to deny any such plans, wait until the stock price has normalized and perform the acquisition afterwards. Or sue the thief who stole and/or used your intellectual property. Or make your clients aware of unfair business practices of the competitor who uses that price information. Anyway, the immediate (please note the emphasis) business impact in most cases is not as high as you may have thought.

Even after a competitor has gained that extra knowledge which may take away an edge of your competitiveness (there are in fact fair-playing competitors who might give it back to you without using a copy of it)—before this really arrives into your balance sheet, months and years can go by, and you have time to respond and react to it.

But now, realize why IT is used today in almost all businesses, industries, and organizations of any size. And realize that the availability of the IT systems and data is of utmost importance. Let’s say your major ERP system goes down for a day or two. What kind of outcry from the business, board room attention, and extra money (available to fix the issue immediately) would be guaranteed?

It is because this kind of “breach” is an immediate, measurable, direct loss, which impacts—or in the worst case interrupts—the companies’ ability to make money. You will be amazed, that suddenly there is no more RO(S)I discussion, budget restriction, or similar pain we all have been through. Because everyone up to the board level immediately understands that this kind of loss needs action—because it is a direct foundation of the company’s stability and even existence.

Once you have realized this, the next most important security parameter is integrity.

Yes, the systems and data must not only be available, they must in fact store and produce reliable, accurate data which allows for good business decision making, correct financial reporting and proper forecasts.

A single integrity fault is not as bad, and it will be (under typical circumstances) recognized quickly and there are procedures in place to verify integrity and “guarantee” it. However, going back to the model described above, you realize that any impact on your data and system integrity will have an impact within the near term, at the latest during your next SOX (Sarbanes Oxley Act) audit (or SEC trial for that matter, as SOX is a law with teeth), but it can be as early as your next sales proposal getting rejected because of wrong price information or bad contact data (i.e. fax number—the delivery report shows probably “OK” in many cases, regardless if the fax number used was “123” (for correct) or “124” (for wrong)). Several integrity faults (following the Gaussian error propagation rule) will create an even bigger and more immediate business problem, so the integrity parameter becomes number 2 on the immediate business impact scale.

Number three, as mentioned, is confidentiality. GLBA, PCI, HIPPA and other regulations and standards all provide for security, including confidentiality or “privacy”. Recent data breaches and the grown publicity due to the adopted rules in almost all of the United States and several other countries requiring “going public” (where it hurts companies the most) have all shown that it is good practice for corporations to secure the confidentiality in their own best interest.

The best you can do is realizing that all these 3 parameters are in fact important, and you should address them all (building it up from the ground as shown in Figure 1 above).

The exponentially growing threat surfacethat bad) as shown below:

Now let’s make this a bit more complicated and realize that the threat space (call it vulnerabilities if you’d like) is growing almost exponentially every year, and has been for the last 20 years or more. Remember the Internet (or Morris/MIT) worm in 1988? There are many very smart and highly educated people (not only) in the eastern European countries who like to use their leisure time to verify the security of web applications or other systems of large or small corporations. The recently published Verizon Business threat report of 2009 reveals an increase of 9% alone in the last year of attacks coming from those countries. That means we deal with a “moving target”—a continuously growing attack space without an increase of the green space (security money is always tight—you know, what you can’t see can’t be

Recent industry studies from leading providers such as McAfee, Symantec or Verizon clearly show this very clear picture—and for those who think this is all sales and marketing rumor – the number of actual data breaches is very much in sync with this attack space increase. The latest numbers for 2008 show that more than 285 million (!) records have been breached. Why is this? Why can’t this problem be solved easily—and why do more and more companies struggle with this?

The magic triangle of security

We all know (or should know) the magic triangle of the financial world—that one which shows you that there is a difference between liquidity, security (of assets) and profitability of an investment, and that you cannot get them all, but have instead to decide what your goals are. So here is my advice, based on over 20 years experience in the IT and security world:

There is a similar, inherent structure for information security as shown in the triangle below (Figure 3). In the “pre-data breach era” of IT, the normal discussion between IT and the business side was going along the (one-dimensional) line between desired functionality and the required investment to achieve this. Security was almost never part of the decision, and vendors and software companies are guilty of not addressing this correctly. Although a lot of effort is now put in this area, simply look at the amount of security patches alone for the large vendors in the field. It will take years before we see a real paradigm shift, and only if we all ask the necessary questions before we purchase something: Is this thing providing the right quality (security)? Is my company or personal data secure when I use this stuff?

But often, security efforts require resources, people, time, and leadership. Who wants to spend money on something you can’t see and which has not happened yet? All that wonderful security infrastructure (outsourced, hosted, managed, or operated in house, regardless), comes with a big price tag, and the question is: How much security is enough?

To answer this very question, you must talk with the business owners, those who make the money decision. Make them aware of this second dimension, and get a commitment as to what kind of risk they are willing to accept. Remember, you don’t want to be the most secure place on earth—you want to be secure enough to make others a more attractive target (hackers are smart and lazy, too—they strive for the easy prey in most cases), and you want to be in business. Otherwise your security model stinks.

Michael Oberlaender has held senior IT positions for more than two decades, working in the US and in Germany.