Security Principles

 

🛡️ Understanding Security: CIA, DAD, and Security Models


Everyone talks about security—but what does it actually mean?

Before applying security measures, we must know who we're protecting against. Are we trying to stop a toddler from accessing our laptop? Or a hacker trying to steal millions of dollars worth of data?

🔑 Security is not one-size-fits-all. We choose protections based on the level of threat.

And remember: No system is 100% secure. But our goal is to make it harder for attackers to succeed.


Security is built on three core principles, known as the CIA Triad:

Confidentiality: Only authorized people should access sensitive data.

  • Example (Shopping): Your credit card info must be visible only to the payment system.

  • Example (Medical): Doctors must keep your medical records private.

Integrity: Data should stay correct and unchanged unless modified by authorized people.

  • Example (Shopping): An attacker shouldn’t be able to change your shipping address.

  • Example (Medical): Changing a patient’s record could lead to dangerous treatment.

Availability: The system and data must be available when needed.

  • Example (Shopping): You can't order if the website is down.

  • Example (Medical): Doctors must be able to access patient records during checkups.

💡 Balance is key: Too much focus on one can weaken the others.


The DAD Triad shows what attackers try to do:

  • Disclosure: Stealing or leaking private data.

  • Example: Publishing stolen medical records online.

  • Alteration: Changing data without permission.

  • Example: Modifying patient treatment info.

  • Destruction/Denial: Making systems unavailable.

  • Example: Ransomware crashes hospital systems, halting treatment.

🛡️ Defending against DAD = Preserving CIA.


Security models give us rules and blueprints for building secure systems. Here are three key models:

Bell-LaPadula Model (protects confidentiality):

  • No Read Up: Lower-level users can't read top-secret data.

  • No Write Down: High-level users can't leak data to lower levels.

  • 📌 Summary: Read Down, Write Up

Biba Model (protects integrity):

  • No Read Down: High-trust systems can't read low-trust data.

  • No Write Up: Low-trust users can't write to important files.

  • 📌 Summary: Read Up, Write Down

Clark-Wilson Model (protects integrity through controlled procedures):

  • CDI (Constrained Data Item): Critical data to protect.

  • UDI (Unconstrained Data Item): Input from outside.

  • TPs (Transformation Procedures): Safe ways to change data.

  • IVPs (Integrity Verification Procedures): Ensure data is still valid.

🧱 Other Models: Brewer-Nash, Graham-Denning, Harrison-Ruzzo-Ullman, etc.


Defence-in-Depth means protecting your system using multiple layers, like this:

  1. Locked drawer

  2. Locked room

  3. Locked apartment

  4. Locked building gate

  5. Security cameras

Each layer slows down or blocks the attacker. Even if one layer fails, others stand in the way.

🎯 Goal: Delay attackers and give yourself more time to stop them.


Authenticity: Ensures the data is real and from a trusted source.

Non-repudiation: Prevents someone from denying they did something (like placing an order).

  • Example: A company can't afford to send 1000 cars and then find out the order was fake!

The Parkerian Hexad extends the CIA Triad to six elements:

  1. Confidentiality

  2. Integrity

  3. Availability

  4. Authenticity

  5. Utility – Is the data still useful?

    • Example: Lost encryption key = Useless data.
  6. Possession – Do you still control the data?

    • Example: Hacker steals your backup drive.

Security is not about just locking one door—it’s about multiple layers, smart rules, and balanced protection.

🧠 Think like an attacker to build stronger defence.

