CIA Triad
Posted by PC in Internet, Security, Services, Software, tags: availability, confidentiality, integrity, Security
I saw a very strange article today where someone tried to argue that SaaS (Software as a Service) changes the CIA (Confidentiality, Integrity, Availability) paradigm (Triad). I was confused and read on only to find that there was no argument within the text to back up that statement. In fact, Availability was used as an argument against itself. I started to write a comment, but then it got too long and I realized that I was probably just going to offend the guy because of something he wrote out too quickly without reading it over. I’m sure I’ve already written something like that myself, or if I haven’t yet I will.
First, here is an explanation of the CIA Triad in a nutshell. These are the core principles of information security:
Confidentiality refers to preventing disclosure of information to unauthorized systems or people. Integrity refers to the data remaining in the system the same way it was put in – that it can’t be modified without authorization. Availability means that the data is available when needed and that security controls and systems that house the data are functioning correctly.
I’ve heard many people argue against the need for the Availability piece as it doesn’t sound as interesting as the rest of it. Of course the data needs to be available, but what does that have to do with security? Joe Technician keeps the systems available. The problem is, if the system is not available, then it is not valuable, and if it is not valuable, then it is not worth using. Availability also refers to security controls being in place at all times. Suppose the security controls for a system suddenly become unavailable: say a log file fills up and no mechanism for rotating or offloading that file is in place. Subsequent actions taken on the system may compromise Integrity, and in fact simply because the logging facility was not available we may have an Integrity or Confidentiality issue.
I understand what the article was trying to say about increasing exposure to Integrity and Confidentiality by going to a service-based environment, because you will be offloading sensitive information to a 3rd party; however, SaaS increases Availability issues as well. Instead of running Word on your desktop, which works whether or not you are connected to your LAN, the Internet, or anything else, now you are relying on Google (for example) to provide your word processor over the Internet. Your 3rd party still has to get you the service. In providing SaaS, both the provider and the buyer need to consider Availability just as much as Confidentiality and Integrity.
I’ll give you a simple example. I can run your company’s ERP system for you. I’ll design the system so well that after you put data into it no one will be able to get it out. I’ll make it so safe that no one can make unauthorized changes. Actually, we will take your ERP system, unplug it, and stick it in a double locked vault where I know one combination and you know the other. That satisfies Confidentiality and Integrity completely, but ignores Availability.
Some businesses or systems within a business naturally emphasize parts of CIA over others. For example, there is a company that sells a USB key that has an internal self-destruction mechanism if authentication fails too many times. There are cases where availability of that data should suffer. If I am bringing a copy of proprietary company confidential information from one place to another, this might be the best means to transport it. If someone steals the USB key or I lose it in transport, I want to be assured that the data will not be available to whoever found it or be able to be modified by someone sneaking into my hotel room in the middle of the night. In this case I am willing to sacrifice some availability, for example if I forget my own passkey, for the sake of Confidentiality. This in no way negates the CIA triad or changes its paradigm. The USB key still must be available to me in order to be useful. I need to be able to put data on it, and it needs to be possible for me to bring it from one place to another. Once there, I need to be able to authenticate to it and decrypt the data that is there. In other words, the data must be available, or else I’d never buy such a device. The manufacturer still has other availability challenges such as how to decrypt and unlock the device on an alternative operating system (making it more available), or how to alert the user if someone was trying to guess the password since the last time it was successfully accessed (protection system availability).
In fact, each piece of the triad is intrinsically linked to each other piece in a delicate balancing act. As I said, it is easy to have a completely Confidential system if there is no Availability (try a pipe to /dev/null). When an end user asks for a network share behind the firewall to be available to a customer in another company, then we suddenly have much more need for security in the forms of Confidentiality and Integrity, but it was Availability that triggered the request. If we forget that Availability triggered the request, then we might as well not worry about the additional Confidentiality and Integrity needed to satisfy that unneeded Availability.
CIA is intrinsically linked and each piece must be considered in developing any system, including SaaS. There is no paradigm change. I know the author of the article knew this, because he argued points against his own thesis. It got me thinking about stuff though, and that’s always a good thing. I didn’t write this to offend or pick on anyone. If there is something I’ve overlooked or misread about the original article I’ll be glad to have it pointed out to me, because I just don’t understand it the way it was written.