Last week I mentioned that Availability was the odd member of the CIA triad, because it lacks the mathematical tools (and thus the solid numbers) of Confidentiality and Integrity. But that doesn’t mean that C and I both work the same way!
Confidentiality tools like ciphers are preventative. You choose the best cipher, manage keys carefully, and then hope that it works to keep the adversary from reading your secrets.
Integrity tools like hash functions are detective. If we’re talking about data or system integrity, and think of Tripwire here, they don’t keep you from being hacked. They just make it very clear precisely what was inappropriately changed. When used for authentication of users or hosts, they let you decide that some one is not who they claim to be.
I was reminded of this just this past week. I don’t see the logs for the server hosting this blog, and so I have no idea who, if anyone, is reading it. Then I received an e-mail from a writer for IEEE Spectrum. She had read what I wrote about the SHA-3 decision and wanted to interview me.
Wow, that’s great! People really are reading this!
Now, as you can imagine, I was quite happy about this. But what if I were instead storing sensitive information out in the cloud?
Data loss prevention (or DLP) tools try to restrict the transfer of confidential information across networks or onto insecure data. But there’s not much those tools can do for encrypted data.
If someone manages to decrypt your ciphertext, the only way you can tell that this happened is for them to announce this, either as a literal public announcement to embarrass you (think of the Anonymous movement here), or to behave in a way that indicates that they have read your secrets.
Learning Tree’s Cloud Security Essentials course shows you how it’s hard to keep secrets as you have to do three things simultaneously: select the correct cipher, use that cipher properly, and manage your keys.