July 19, 2018

Protection goals: CIA and CIAA

Management Summary

The classic protection goals of information security are confidentiality, integrity and availability. These three protection goals are often referred to as the CIA triad, after the initial letters of the English terms: C, I and A.
Meanwhile, a further protection goal has gained in importance. In the past, the BSI described authenticity as a sub-area of integrity. Various regulations and standards, however, now place authenticity on an equal footing with the CIA triad.


Introduction

The central motive of information security is to guarantee the protection goals of confidentiality, integrity and availability. However, there is a lively debate as to whether ensuring this triad is actually sufficient to guarantee the security of information. Over the years, the list of protection goals has therefore been expanded or even new models proposed.
An example of the former is non-repudiation: actions on information or IT systems should not be impermissibly deniable. If a password-based authentication procedure is in place, but passwords are shared between colleagues, an authenticated user can deny having caused an information security incident committed through their account, because a colleague could well have gained access using the password. The purpose of non-repudiation is to avoid such a situation.

The fourth protection goal

In the following, however, we would like to take a closer look at another protection goal, namely authenticity. In the context of information security, this refers to the genuineness and trustworthiness of a piece of information or even of a person. In the IT baseline protection catalogs, the German Federal Office for Information Security (BSI) mentions this attribute in the same breath as the aforementioned triad, thus creating a quartet of information security.
Before we look at the reasons for the upgrading of authenticity and its effects, let us recall the definitions of the other protection goals.

The protection goals

The aforementioned protection goals are often visualized by the so-called CIA triad (see Figure 1). The acronym CIA stands for the first letters of the English equivalents of the three protection goals of confidentiality, integrity and availability. If you add authenticity to this model, you get the CIAA quartet (see Figure 1).

Confidentiality

The aim of confidentiality is to protect information from unauthorized access. This is particularly important in connection with personal data (such as customer or employee data), the protection of which is required, for example, by the General Data Protection Regulation (GDPR). However, companies also have an interest in ensuring that sensitive data does not fall into the hands of competitors.
The confidentiality of information can be ensured by assigning appropriate authorizations in conjunction with authentication procedures and encryption.

Integrity

On the one hand, the term integrity refers to the correctness of data, in the sense that data is both complete and unchanged. For example, the manipulation of a customer's bank details constitutes a breach of integrity. In a broader sense, integrity also includes information such as metadata and therefore also relates to the date of the last change to a document, among other things.
On the other hand, integrity also refers to the correct functioning of IT systems.

Availability

Information, IT systems and applications are available if they are accessible to users and they can use them as intended. Malware that encrypts company data, making it unreadable, or the failure of a server are violations of availability.
Restrictions on availability can lead to monetary and reputational losses for companies in a variety of ways.

Authenticity

The authenticity of a person means that their identity and their statements about their identity match. Information is authentic if the stated author of the information is actually its author. An email loses its authenticity if its stated sender does not match the actual sender.
Authenticity also plays a major role in access to IT systems and applications. A user must be able to authenticate themselves before being granted access. This can be done by entering a password. However, depending on the protection requirements of the IT system or the applications, an authentication procedure can also require more than one so-called factor.

Further information on the protection goals and other topics relating to cyber security can also be found in our Cybersecurity Glossary.

The role of authenticity

Especially in the context of information, there is a clear overlap between the terms integrity and authenticity. Whether the stated author of a document actually wrote it is a question of authenticity. However, if the stated author and the actual author do not match, the correctness of the document (or of the document's metadata) is also compromised, and integrity is therefore affected as well. The upgrading of authenticity by the BSI is thus not due to any incompleteness of the existing CIA triad in this respect; the aim is to create greater awareness of authenticity.
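The overlap, and the reason the two goals are still worth separating, can be shown in code. The following is an added example, not part of the original article: a plain SHA-256 hash detects that a document's bytes changed (integrity), but anyone can recompute it for a substituted document, so it says nothing about who produced it; an HMAC under a key held only by the genuine author also binds the document to its claimed origin (authenticity). The key, the documents and the attacker's key are constructed values for the demonstration.

```python
import hashlib
import hmac

# Constructed shared secret known only to the genuine author and the verifier.
AUTHOR_KEY = b"example-shared-secret-key-not-for-real-use"


def integrity_tag(document: bytes) -> str:
    """Plain hash: detects changed bytes, but anyone can recompute it."""
    return hashlib.sha256(document).hexdigest()


def authenticity_tag(document: bytes, key: bytes) -> str:
    """HMAC: only a holder of the key can produce it, so it binds the
    document to its claimed author as well as to its content."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def check_integrity(document: bytes, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(document), tag)


def check_authenticity(document: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(authenticity_tag(document, key), tag)


def demo() -> dict:
    # Constructed bank-details document, as in the article's integrity example.
    original = b"Transfer 100 EUR to IBAN DE00 0000 0000 0000 0000 00"
    h = integrity_tag(original)
    m = authenticity_tag(original, AUTHOR_KEY)

    # Case 1: the document is altered after the tags were made.
    # Both checks detect the changed bytes.
    altered = original.replace(b"100", b"900")

    # Case 2: a substituted document arrives with a freshly computed hash
    # and an HMAC made under a key that is not the author's. The hash
    # check cannot tell it apart from a genuine one; the HMAC check can.
    forged = b"Transfer 900 EUR to IBAN DE99 9999 9999 9999 9999 99"
    forged_hash = integrity_tag(forged)
    forged_mac = authenticity_tag(forged, b"not-the-author-key")

    return {
        "genuine_integrity": check_integrity(original, h),
        "genuine_authenticity": check_authenticity(original, m, AUTHOR_KEY),
        "altered_integrity": check_integrity(altered, h),
        "altered_authenticity": check_authenticity(altered, m, AUTHOR_KEY),
        "forged_integrity": check_integrity(forged, forged_hash),
        "forged_authenticity": check_authenticity(forged, forged_mac, AUTHOR_KEY),
    }
```

The "forged" row is the point: integrity passes while authenticity fails, which is exactly the situation a separate authenticity goal is meant to make visible.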

CIA and CIAA in regulations

The CIA triad and its expansion to include the fourth pillar of authenticity can be found in many legal texts, regulations and standards relating to corporate information security. The following is a list of mentions of the three or four protection goals in the regulations and standards:

  • IT baseline protection catalogs
  • IT Security Act (IT-SiG)
  • Banking supervisory requirements for IT (BAIT)
  • Insurance supervisory requirements for IT (VAIT)
  • General Data Protection Regulation (GDPR)

IT baseline protection catalogs

As described at the beginning, authenticity is already mentioned in the same breath as the CIA triad in the BSI's IT baseline protection catalogs, namely in the designation of damage categories in information security. There, however, authenticity is subordinated as a sub-area (or sub-category) of integrity, although its increasing importance is made clear.
Authenticity is now nevertheless on the same level as confidentiality, integrity and availability, as the IT-SiG shows. This amendment to the law requires operators of critical infrastructures not only to take organizational and technical precautions to secure the three classic protection goals for IT systems, components and processes, but also to safeguard authenticity. Authenticity is likewise included in the obligation to report significant incidents to the BSI.

BaFin

The German Federal Financial Supervisory Authority (BaFin) also uses the CIAA quartet in its texts, for example in the BAIT and VAIT circulars, which place requirements on the IT of banks and insurance companies. For example, the third topic module of these circulars, which formulates specifications for information risk management, requires IT systems and associated IT processes to maintain integrity, availability, confidentiality and authenticity. And like the BSI, BaFin does not only speak of an information security incident if one of the protection goals of the CIA triad is violated, but also if only authenticity is compromised.

GDPR

Ultimately, the protection goals can also be found in the GDPR. Article 32 describes requirements for the confidentiality, integrity, availability and resilience of data processing systems and services, i.e. the CIA triad is supplemented by resilience. Recital 49 describes the collection of personal data to ensure network and information security as an overriding legitimate interest, as this serves to protect availability, authenticity, integrity and confidentiality (the CIAA quartet is mentioned here again).

Sources

[1] Federal Office for Information Security: "IT-Grundschutz Kataloge". https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/itgrundschutzkataloge_node.html (16.07.2018)
[2] German Bundestag: "Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz)". https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&start=//*%255B@attr_id=%27bgbl115s1324.pdf%27%255D#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl115s1324.pdf%27%5D__1531743673579 (16.07.2018)
[3] Federal Financial Supervisory Authority: "Circular 10/2017 (BA) dated 03.11.2017: Banking supervisory requirements for IT (BAIT)". https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1710_ba_BAIT.html (16.07.2018)
[4] Federal Financial Supervisory Authority: "Circular 10/2018: Insurance supervisory requirements for IT (VAIT)". https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1810_vait_va.pdf?__blob=publicationFile&v=4 (16.07.2018)
[5] European Parliament and European Council: "Regulation (EU) 2016/679 (General Data Protection Regulation)". https://dsgvo-gesetz.de (16.07.2018)