The CIA and DAD Triads Explained with LOTR

If you study CISSP for any period of time, the concepts of Security Principles, also known as the CIA and DAD Triads will jump out over and over.  Each domain seems to go back into this concept and explain itself by the Security Principles.  But what are they?  Today, I hope to answer that very question.  In this post, I will go over:

  • What the CIA triad is
  • What the DAD triad is
  • How the CIA triad and DAD triad are mutually exclusive
  • How you can relate CIA triad to your normal everyday life

The CIA Triad

The CIA Triad, officially known as the Principles of Security consists of Confidentiality, Integrity and Availability.

  1. Confidentiality – This means that data are protected from unauthorized disclosure.  Think about it this way, for Frodo to reach Mount Doom in Mordor, he had to keep the ring secret.  He provided confidentiality to the ring until he reached Mount Doom to destroy it.  The fellowship knew he had it, because they were authorized to know it was there, but no one else should know.  (Frodo sucked at keeping that thing secret though.)
  2. Integrity – This means that data are protected from unauthorized manipulation.  A message that has integrity was received exactly as it was intended with no unauthorized changes.  This concept does not discern between data at rest (saved data) or data in transport (when you send data).  Instead, it is reliant on just the idea of prevention of unauthorized change of the data.  When Frodo and the party received the letter from Gandalf in Bree he had to break a seal.  That seal was proof that the message was in fact untampered with and was from Gandalf.  Albeit, a wax seal is not a very good method of verifying integrity now a days.
  3. Availability – This means that data are available when needed by the intended user.  This might be the easiest concept to grasp.  Frodo had the protection of the mithril shirt available to him during his travels, even though at times it was unknown to his comrades.  When he needed it (a pointy spear anyone?) it was available to him.

The DAD Triad

Like every concept in security, the CIA Triad can be a double edged sword.  Where there is a good side, there is an opposite bad side to consider as well.  In the lack of each of the CIA Triad, you are given the DAD triad.

  1. Disclosure – This is the opposite of Confidentiality.  An example of this is when Frodo let the inhabitants of the inn know he had the ring by accidentally putting it on, alerting Strider and Sauron in Mordor that he had the ring.
  2. Alteration – This is the opposite of Integrity.  If, for instance an agent of Sauron had intercepted the letter Gandalf had sent Frodo and modified it to tell Frodo that Gandalf was going to fix everything on his own, and to stay in the Shire at all costs, then resealed it as if it was from Gandalf, we would have a perfect example of alteration.
  3. Denial – This is the opposite of Availability.  Frodo was Denied his letter in the Shire, and the result was almost deadly for him.

How are the CIA and DAD Triads Mutually Exclusive?

Each point of the CIA and DAD triangle are exact opposites of each other.  If one a CIA principle is absent, then a DAD principle is present.  Thus, you cannot have both at the same time.  You could not have both a Denial and Availability at the exact same time, it is either one or the other.

How can you relate the CIA Triad in your everyday life?

These are very broad concepts, and as such it is very easy to relate them to your daily activities.  When you make a decision for which way you want to take to get to work try to apply them:

  1. Confidentiality – I don’t want any bad guys knowing my route to work, so I won’t broadcast my entire route on Facebook.
  2. Integrity – I have to make sure my route isn’t tampered with so I don’t make a wrong turn and am late for work.
  3. Availability – If I lose my 4G access, I want to make sure I can still access my directions, so I will download the directions to my phone.

In summary, these are very basic concepts to grasp.  Each principle covers such a broad generalization, that it is easy to place almost anything in relation to it.  This becomes very important when you are attempting to study how each of the CISSP domains interrelate.  So, when you are learning concepts throughout your studying, think, “Which of the three principles does this support, and how?”  Because, that is the kind of understanding you should be looking for.  That is it for today, I hope y’all learned a lot, and as always best of luck with your studying.