The Holy Trinity of Data Security: What You Need to Know About The CIA Triad

The CIA Triad is the most popular reference model for Information Security and Information Assurance that stands for Confidentiality, Integrity, and Availability. Sometimes affectionately referred to as the Holy Trinity of Data Security, the CIA Triad is also called the AIC triad (Availability, Integrity, Confidentiality) by some InfoSec experts to avoid confusion with the Central Intelligence Agency.

In this model, confidentiality stands for a set of directives that prevents the exposure of data to unauthorized parties by governing and limiting access to it. Integrity describes the rules that preserve the trustworthiness and healthiness of data and prevent unauthorized users from tampering with it. And availability promotes a state where authorized people are guaranteed to have reliable access to the information.

Confidentiality In the general context, confidentiality is all about preventing the disclosure of data to unauthorized parties. But in rigorous terms, it also tries to keep the identity of authorized parties involved in sharing and holding data private and anonymous. Keeping the involved parties' identity confidential adds to the overall CIA triad.

Since malicious actors can’t reliably recon and identify the target, they have to randomly target participants of the network. This in effect increases the costs to compromise the system and adds to its overall security. Standard measures are taken to establish confidentiality include but are not limited to encryption, passwords, two-factor authentication, biometric verification, security tokens, and more. Some of the challenges that could compromise confidentiality are:

Encryption cracking;

Man-in-the-middle attacks on plaintext data;

Insider leaks where the data is not end-to-end encrypted;

Doxxing private information of data holders;

Yobicash manages and ensures confidentiality by using an end-to-end encrypted system based on the Elliptic;

Curve Integrated Encryption Scheme (ECIES).

This system of encryption is only vulnerable to quantum attacks, which are still ten to twenty years away from now. Yobicash credentials are anonymous and untraceable, so the involved parties know just what is needed for a one-time data transfer. Public key reuse is also forbidden and enforced using anonymous credentials. Furthermore, the use of public key cryptography eliminates the need to rely on insecure channels of communication to build shared keys.

Integrity preserves the authenticity of data over its whole life cycle by making sure unauthorized parties are not able to tamper with it. It also ensures that data is not corrupted due to unintentional software or hardware malfunction. Standard measures to guarantee integrity include access controls, cryptographic checksums, uninterrupted power supplies, and backups.

Some of the challenges that could endanger integrity are:

Tampering plaintext data on the fly in a man-in-the-middle attack;

Compromising a cloud server where end-to-end-encryption is not used;

Dropping or rerouting packets on the fly in a man-in-the-middle attack;

Yobicash uses checksums to verify whether transactions have been illegitimately modified after their creation.

Authenticated encryption of data enables the same for ciphertexts. Furthermore, nodes and clients can always retrieve integer versions of the altered transactions from other nodes and clients, which eventually happens anyways in the execution of the consensus algorithm. For an attacker to undermine the integrity of Yobicash data, it has to disrupt the consensus mechanism by altering or dropping packets of two-thirds of the network. As the network grows and matures, this would amount to a man-in-the-middle attack of infeasible proportions.

Availability of information promotes the state where authorized parties are able to access the information whenever needed. Information unavailability can occur due to malicious actors like DDoS attacks or hardware/software malfunctions or insufficiency of bandwidth or other hardware or software resources. Some standard measures to guarantee availability include failover, redundancy, RAID and high availability clusters, adequate communication bandwidths, firewalls and proxy servers, and comprehensive disaster recovery plans.

Some of the challenges that could endanger availability are: DDoS (Distributed Denial of Service attacks) on servers preventing authorized parties from accessing the service Ransomware attacks encrypting data on servers preventing authorized parties from viewing the data Disrupting server room’s power supply Yobicash’s decentralized and anonymous network of nodes with full replication creates a high barrier for conventional availability attacks like DDoS, ransomware and power outages. As shown in the whitepaper, the upfront resources necessary for such a successful attack are economically unfeasible.

With the internet becoming ubiquitous in our everyday lives, data security plays an increasingly vital role. Since every open network is subject to externalities, the security of services is interdependent. Unfortunately, market dynamics disincentivize network participants to invest in their security, as the marginal benefits of investing in a participant’s network resource are way lower than its marginal benefits. Consumers generally tend to buy services at the lower end price range without realizing that in the long run, they will pay more due to security breaches.

Yobicash aims to put an end to this dilemma, by changing the landscape of information storage and sharing economy. By design, Yobicash’s intentionally simple architecture reduces its attack surface. Furthermore, Yobicash's fee and mining system, incentivize network participants to invest in their security upfront, while increasing the costs of failing to do so. While the whole CIA triad must be rigorously implemented to provide for a network’s information security and information assurance needs, when the time comes to implement the model, real-world limitations force every service to give more weight to one or another of the three pillars. To secure proprietary assets like software, confidentiality is key, while integrity has more importance when securing banking data. On the other hand, publicly accessible data like websites need to provide for availability above all else. Yobicash’s data storage and sharing model relieves nodes and clients from the dilemma of giving more importance to one or another of the three pillars. By design, Yobicash puts most of the burden of information security on itself while incentivizing nodes and clients to harden up their individual security.