Considering the CIA acronym, C and I refer to “information”, which is a key resource to be protected. There are multiple states information can have:
- At rest
is stored on persistent storage. The data can be accessed by actors of the system or through physical possession. Last item is especially important for mobile devices, which can get stolen. This state can be secured through encryption at the tradeoff of performance for decrytion to access the data when required for valid reasons. - In use
is data which is in use by an information system, e.g. for displaying it to a users. The data can be cached for performance or reliability or stored in virtual machines. For reliability reasons and to prevent server drift, this state can be secured by replacing virtual machines through new ones. Data which is displayed to users can also be encrypted and only decrypted for display; the tradeoff is – once again – less effective usage of proxies and performance. - In transit
Data, which is being moved through over a network, can be accessed within the network through one of the endpoints of the transit or through an intermediate point (e.g. network traffic monitoring, firewalls). For securing this state encryption is a method which can be leveraged, it also increases complexity for certificate and key management and decreases performance aspects
Computatuinal resource also require protection; which are the A in the CIA acronym. As authorized users should be able to access resources, providing the availability also faces security risks:
- Forgotten passwords and keys
Passwords can become forgotten and keys misplaced, especially due to requirements for passwords length and composition. Therefore systems must provide a functionality to recover or revoke a password or key. - Maliciously password or key reset
Passwords or keys might have been malicioulsy reset or compromised. This ways attackers can take over the identity of users. Therefore systems should provide a functionality to verify and alert users when a change has happend and provide corrective means quickly. Especially as managing, monitoring, and replacing compromised certificates are complicated processes which consume a significant amount of time; sometimes even include a downtime. - Unavailability of the system
Due to denial-of-service attacks, authorized users might not be able to access a system. Therefore systems should provide gateway filters based on IP addresses to avoid denial-of-service attacks from being successful. Application Programming Interface (API) keys is another popular method for limiting access rate and users abuse.