Sunday, October 5, 2014

readme.txt: Getting Started

No objections, security is a vast subject; however, fortunately, the whole thing is based on a few simple concepts. Understanding this simple facts (and the core concepts, of course!) is vital for properly understanding and appreciating security.

The Building Blocks

The whole mansion is built on the founding concepts of

  • confidentiality,
  • integrity, and
  • availability,

often collectively referred to as CIA.

Confidentiality refers to the simple fact that things should be seen only by those who are supposed to see them. If you are sending a letter to your girlfriend or boyfriend, you won't probably expect his or her parents, or the mailman, or virtually anyone else, to read it.

Confidentiality is different from secrecy, where the mere existence of some fact or datum is not known to anyone other than the intended party. In fact, that's the whole thing about a secret; if you tell me "Hey, I have a secret!", it would no longer be a secret; it would only be a confidential thing (since the actual fact is still known only by you), somewhat different from the popular terminology we use.

Integrity means that something can be modified only by someone who is supposed to do so; in other words, people cannot tamper with stuff that are irrelevant to them. For example, you won't probably want to see someone else altering things written in your personal diary (let alone reading it).

This may lead you to think that integrity is a follow-up of confidentiality. However, this is not always true. For example, think about a top-security letter being sent from one country to another; even if a saboteur is unable to open the letter and see its content, he would still be able to wreck havoc by switching it with a different letter while in transit; hence integrity would be compromised, although the confidentiality of the original message was unaffected.

Availability is all about allowing the intended people to access whatever they are supposed to access, without restrictions; in other words, preventing the unjustifiable withholding of resources. At office, if someone has invaded your desk and won't let you sit there, it can be termed as a breach of availability.

As with confidentiality, availability may be breached without affecting the other two; for example, someone may severe your home's phone line, thereby making phone communication unavailable for you, rather than tap it (breaching confidentiality) or install some scrambling device on it (breaching integrity).

When it comes to security jargon, these facts are defined as:

  • confidentiality: preventing unauthorized access to resources,
  • integrity: preventing unauthorized modification of resources, and
  • availability: preventing the withholding of resources from authorized access.

A plethora of other concepts like reliability, access control, authentication, authorization and non-repudiation spring out from these basics; however, these three, CIA, are the fundamental concepts behind any security concept, mechanism, system, or even breach.