What Is the Difference between Integrity and Availability in the CIA Triad?

Updated on 12/26/18

Problem scenario

I.T. security concerns itself with confidentiality, integrity and availability.  These three categories are concepts which help professionals prioritize and crystallize what to secure and how to secure it.

In the context of computer security, the CIA triad (confidentiality, integrity and availability) is commonly used.  How could data be available if it did not have integrity?  What is the difference between integrity and availability?

Availability is the attribute of having data, infrastructure, or services accessible when they are needed or according to a service-level agreement.  Integrity governs the sheer accuracy of the data or the service.  The owner of a website that may support REST API services may intentionally spoof it by creating a superficial copy of the real website.  The copy may act as a substitute for development purposes.  A fake website such as this does not have integrity if it does not have all the REST API features that the real website has. 

Denial-of-service attacks obliterate availability -- but not necessarily the integrity of the data, infrastructure or service.  Unavailable data may have integrity.  Available data that is somewhat inaccurate is said to have low integrity.  In some contexts availability is more important than integrity.

Here is a theoretical example of having available data but without integrity.  Availability (of data) in a financial institution may be achievable with the help of store-and-forward servers.  (For example, Fiserv makes such a server; you can read about it here.)  These servers make funds available to customers when the main server of account balances is down for maintenance.  In theory these store-and-forward server may not connected to each other.  They may be connected to ATMs so customers can still process transactions without communication to the main server.  Thus a customer could illegally make withdrawals from different, independent cash-dispensing machines during the maintenance period.  These independent machines may dispense funds according to the last balance they were given before the maintenance period (via the store-and-forward servers).  Thus the cumulative withdrawal amount could be beyond what would have been dispensed had the ATMs been able to communicate with the centralized server.  In this example, data integrity and accuracy were lacking during the maintenance window, but transactional availability was preserved.

Store-and-forward TCP/IP servers may accumulate packets for future availability.  Integrity may be present during the storage period, but availability is lacking until the servers can forward the packets.

Another second (theoretical) example where you have data availability but not integrity is this there is a lack of accuracy in images or details of a story.  An institution may find the need to broadcast a graphic or a warning (due to weather or some terrorist development).  They may forgo integrity (some accuracy) for a legitimate need to immediately publish a message.  A grainy (fixable) image and/or facts without confirmed (or cross-referenced) details of a story can benefit those reading the message.  The timely  publication is associated with situations wherein availability of the message is more important than the integrity.

Details may be lost in the cross-network transmission of data.  Thus integrity may be somewhat absent, but availability is chiefly present.

A third and historic example was how CNN.com responded to the events of 9/11.  On September 11, 2001 the CNN website's content changed to ensure availability (1) (2).  They eliminated pictures to accommodate the spike in traffic to their website during the critical hours of that historic day (1) (2).  The integrity of the publication was deliberately compromised as the presentation would have included pictures.  But the availability was maintained.

You may want to read more about the three core attributes of security here:



Leave a comment

Your email address will not be published. Required fields are marked *