Monday, February 2, 2015

The CIA Triad and JBoss

What is the CIA Triad?

The CIA Triad covers the three primary concerns of Information Security: Confidentiality, Integrity and Availability. We will briefly discuss each of them and how they apply to JBoss Middleware. The CIA Triad is part of Domain 1, Information Security Governance and Risk Management, of the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK). Authenticity, Accountability and Non-repudiation are supplements to this model that we will discuss in later postings.

Confidentiality

Confidentiality is the ability to keep information private and secure. It ensures that the required level of secrecy is enforced at each point where data is handled and that unauthorized disclosure is prevented. Confidentiality can be thought of in terms of secrecy, privacy and sensitivity; its opposite is disclosure. Confidentiality can be provided by:
  • Data encryption services during transmission and storage
  • Authentication and Authorization Services
  • Network Security Protocols
Examples of how Confidentiality is enforced within our JBoss environment:
  • 2-way SSL with Application Servers and Containers
  • FIPS 140-2 Compliant Passwords
  • Java Authentication and Authorization Service (JAAS)
  • Single Sign On with SAML
  • Authorization with XACML
Additional Information for the JBoss Enterprise Application Platform and JBoss Fuse can be found in these references:

Integrity

Integrity ensures that the data received is the data that was sent and that it has not been altered, intentionally or unintentionally. The reliability of information and systems is thereby safeguarded while unauthorized modification of data is prevented. Another way to look at Integrity is that a message or piece of data is complete and authentic. The opposite of Integrity is alteration. Integrity can be provided by:
  • Firewall Services
  • Intrusion Detection Services
  • Cryptographic Services
Examples of how Integrity is enforced within our JBoss environment:
  • Message Encryption and signing provide integrity as well as confidentiality
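The point that encryption and signing together give both confidentiality and integrity is easiest to see with a small worked example. The following Python script is an added illustration and is not code from the original post or from JBoss; it uses a deliberately simple XOR stream cipher built from SHA-256 (a toy, to keep the example self-contained with the standard library) for confidentiality and an HMAC-SHA256 tag for integrity. The keys, nonce and message are constructed values. It shows that a message protected by encryption alone can be altered in transit without the receiver noticing, while the same alteration is rejected once a signature (here a MAC) is checked before decryption.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key || nonce || counter), counter mode.
    Illustrative only; a real deployment uses a vetted cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def sign(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity: HMAC-SHA256 over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes,
                       ciphertext: bytes, tag: bytes):
    """Check the tag in constant time before decrypting; None means rejected."""
    expected = sign(mac_key, nonce, ciphertext)
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, nonce, ciphertext)


def corrupt_byte(data: bytes, index: int, mask: int) -> bytes:
    """Simulate an alteration in transit by XOR-ing one byte with a mask."""
    buf = bytearray(data)
    buf[index] ^= mask
    return bytes(buf)


def demo() -> dict:
    # Constructed, fixed keys and nonce so the results are deterministic.
    enc_key = b"\x01" * 32
    mac_key = b"\x02" * 32
    nonce = b"\x00" * 16
    message = b"TRANSFER 0100 TO ACCT 42"

    ciphertext = encrypt(enc_key, nonce, message)
    tag = sign(mac_key, nonce, ciphertext)

    # Untouched message: tag verifies and the plaintext is recovered.
    legit = verify_and_decrypt(enc_key, mac_key, nonce, ciphertext, tag)

    # One byte altered in transit (position 9 is the leading '0' of the amount).
    altered = corrupt_byte(ciphertext, 9, ord("0") ^ ord("9"))

    # Encryption alone: the receiver decrypts a different message and cannot tell.
    silently_changed = decrypt(enc_key, nonce, altered)

    # Encryption plus signing: the tag no longer matches and the message is rejected.
    rejected = verify_and_decrypt(enc_key, mac_key, nonce, altered, tag)

    return {
        "legit_ok": legit == message,
        "silently_changed": silently_changed,
        "rejected": rejected is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The decisive detail is the order of operations: the tag is computed over the ciphertext and verified before any decryption happens, and the comparison uses `hmac.compare_digest` so that the check does not leak how many tag bytes matched. Any real JBoss deployment would obtain the same properties from TLS or from WS-Security message signing and encryption rather than from hand-rolled primitives.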
Additional Information for the JBoss Enterprise Application Platform and JBoss Fuse can be found in these references:

Availability

Availability refers to the reliability and stability of the network and systems. The environment should provide sufficient capacity to perform predictably and with an acceptable level of performance. The opposite of Availability is destruction. Availability ensures:
  • Connectivity is available when needed, so that authorized users can gain access
  • Guarantee of service
  • Performance
  • Up time
Although some of these are not usually thought of as pure security concerns, they are all affected by attacks. Availability therefore ensures reliable and timely access to data and resources for authorized actors. Examples of how Availability is enforced within our JBoss environment:
  • Fabric to enable high availability
  • Replicated services
  • Load Balancing and High Availability Clusters
  • Fault Tolerant Messaging
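Replicated services and load balancing protect Availability because a request can still be served when one node fails. The following Python script is an added example, not code from the original post or from JBoss, of the client-side half of that pattern: a small failover client that rotates across replica instances, marks a replica unhealthy after a connection failure so that later requests skip it, and gives up only when every replica has been tried. The replica names and the simulated outage are constructed for the demonstration.

```python
class Replica:
    """Stand-in for one instance of a replicated service (constructed for the demo)."""

    def __init__(self, name: str, healthy: bool = True):
        self.name = name
        self.healthy = healthy

    def handle(self, request: str) -> str:
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        return f"{self.name} served {request}"


class FailoverClient:
    """Round-robin over replicas; a replica that fails is skipped on later calls."""

    def __init__(self, replicas):
        self.replicas = list(replicas)
        self.suspect = set()      # names of replicas marked unhealthy after a failure
        self._next = 0

    def _candidates(self):
        """Replicas to try, starting from the round-robin position, healthy ones first."""
        n = len(self.replicas)
        ordered = [self.replicas[(self._next + i) % n] for i in range(n)]
        self._next = (self._next + 1) % n
        live = [r for r in ordered if r.name not in self.suspect]
        # Fall back to suspect replicas last, in case they have recovered.
        return live + [r for r in ordered if r.name in self.suspect]

    def call(self, request: str) -> str:
        errors = []
        for replica in self._candidates():
            try:
                result = replica.handle(request)
                self.suspect.discard(replica.name)   # recovered or never failed
                return result
            except ConnectionError as exc:
                self.suspect.add(replica.name)
                errors.append(str(exc))
        # Every replica failed: availability is lost and the caller must know.
        raise RuntimeError("all replicas failed: " + "; ".join(errors))


def demo() -> dict:
    nodes = [Replica("node-a"), Replica("node-b", healthy=False), Replica("node-c")]
    client = FailoverClient(nodes)

    first = client.call("req-1")    # node-a is first in rotation
    second = client.call("req-2")   # node-b is tried, fails, node-c takes over
    third = client.call("req-3")    # node-b is now suspect and skipped outright

    nodes[1].healthy = True         # simulated recovery of node-b
    fourth = client.call("req-4")   # suspect node-b is only retried as a last resort

    return {
        "first": first,
        "second": second,
        "third": third,
        "fourth": fourth,
        "suspect_after_recovery": sorted(client.suspect),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In a JBoss deployment this logic lives in the load balancer, the clustering layer or the messaging client rather than in application code, but the behaviour it has to provide is the same: detect the failed node, route around it, and retry it only once it is healthy again.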
Additional Information for the JBoss Enterprise Application Platform and JBoss Fuse can be found in these references: