Following my assertion that a data center is, at its core, a risk management device, we have to bring in the CIA. We’re not talking about the Central Intelligence Agency. Nor are we talking about the Culinary Institute of America. The CIA that we’re talking about is the information security CIA Triad. CIA is an acronym for Confidentiality, Integrity, and Availability. Any topic within the information security universe is linked to at least one of these.
Let’s break those down.
Confidentiality
This one should be rather obvious. It is the basic principle that information is accessed only by those authorized to access it. It’s a level of secrecy. If it’s not meant for your eyes, you can’t view it. If it’s not meant for you to know, you can’t read it. If it’s not meant for you to have, you can’t get to it.
Confidentiality overlaps heavily with privacy, though privacy is the broader question of how personal information may be collected and used. Confidentiality is also the leg of the triad most often targeted by attackers; a data breach is, at bottom, a confidentiality failure. Encryption is the main technical method used to protect data in motion and data at rest (and sometimes even data in use), backed by access controls that decide who holds the keys and who may read what.
Integrity
Integrity is about ensuring that information is accurate and unaltered: it maintains the accuracy, consistency, and trustworthiness of information over its whole life. The data hasn’t been tampered with, and it hasn’t changed in any way we didn’t intend, at any point. Hashes, checksums, and digital signatures are the usual technical means of detecting unauthorized change; change management and backups are the administrative ones.
You might assume that Confidentiality ensures Integrity. This is not necessarily the case. An attacker who cannot read a piece of data can still corrupt or change it, and the integrity of the data is destroyed just the same. Nor does an integrity failure have to be an attack: a failing disk that silently flips bits in a file nobody has read breaks integrity without anyone breaching confidentiality.
Availability
Availability is a fundamental pillar of information security that is sometimes overlooked. It is the state of information being readily accessible to authorized users at the time they request it.
Availability can be compromised temporarily; a Denial of Service (DoS) attack is one example, and a power or cooling failure is another. Availability can also be compromised permanently, as in the destruction of information for which there are no backup copies.
The CIA Triad and the Data Center
Does this mean then that all this “tier” nonsense I hear about data center infrastructure topology is actually a security topic? Yes, it certainly is: tier ratings describe redundancy and fault tolerance, which is Availability. Does this mean that fire prevention is a security topic? Yes, it certainly is, for Availability and for the Integrity of whatever survives the fire. Does this mean that Business Continuity and Disaster Recovery planning are security topics? Yes, they certainly are.
We implement the CIA Triad through controls: administrative controls, technical controls, and physical controls. The Triad can be the basis for writing security policies; it establishes the starting point. One should avoid seeing it as the ending point, however. It says nothing, for instance, about who took an action or whether they can later deny having taken it, and a policy built on the Triad alone will need to address such things.
The CIA Triad is a set of principles that guide thinking in all phases of data center design and operations. This is true whether beginning with a clean-slate greenfield data center project, an owned enterprise data center, colocation data center services, or what have you. These principles can form the basis of everything you craft, from selection of the real estate, to infrastructure design, to the operations framework, to house rules, to Human Resources policies. The data center is, after all, a risk management device.
[I write this post from Cutters Cigar Emporium, in Alpharetta, GA. Cutters is a friendly place with an extensive humidor and most importantly, great people. I enjoy relaxing at Cutters when I’m in the Atlanta area, and today is a cool sunny Spring afternoon.]