VIEW 28
Assets: The Parkerian Hexad
Security can be defined as the degree to which your assets are resistant to threats from adversaries. We have explored two of these - threats and adversaries - in other diagrams (see Views #18, #19 and #20) so it’s now time to turn our attention to the third leg of the stool: assets.


In a traditional security model, assets have three attributes that require protection: Confidentiality, Integrity and Availability. This is known as the C-I-A model after the initial letters of this triad. However, in 1988 a cyber security expert called Donn Parker realised that there were other attributes that were important from a cyber perspective that the traditional model overlooked. So he added three more: Possession, Authenticity and Utility. Taken together these six attributes are now known as the Parkerian Hexad.
The diagram to the right shows the six security attributes in the inner blue ring and the method used to protect each of these in the green outer ring. The green ring defends against attacks symbolised by the pink arrows. So, for example, ransomware is an attack on the availability attribute; access to data is denied until the ransom is paid. One defensive method against such an attack is good data backup discipline, combining both cloud-based storage and air-gapped hard drives.
Confidentiality: Preventing unauthorised access to sensitive information by using encryption and data classification and clearance schemes (e.g. internal only, restricted and top secret).
Possession: Retaining control of data and preventing unauthorised copying. Note that encrypted data can be lost without breaching confidentiality.
Integrity: Ensuring that your data is unadulterated and has not been tampered with in any way. Hashing techniques generate a numerical value (known as a hash) from a string of text to check for data integrity.
Authenticity: This is proof of authorship. Did the message really come from that sender? Digital certificates and signatures are the best tools for establishing this.
Availability: Data is useless if you can’t access it when you need it. Establishing good data backup routines and avoiding single points of network failure through multiple firewall clustering are typical strategies here.
Utility: Data can be theoretically available but still useless if it is in a format that cannot be read. An example is forgetting the password used to protect a spreadsheet, or data stored on an old-style minidisc if you don’t have a minidisc player.
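The Integrity and Authenticity attributes above are easy to conflate, so the following added example (not part of the original page) contrasts a plain hash with a keyed check. It uses HMAC-SHA-256 from the Python standard library as a stand-in for the digital signatures the page names; the function names, key and messages are constructed for illustration.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Integrity value: an unkeyed SHA-256 hash anyone can compute."""
    return hashlib.sha256(data).hexdigest()


def tag(key: bytes, data: bytes) -> str:
    """Authenticity value: HMAC-SHA-256, computable only with the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(data), expected)


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)


def demo() -> dict:
    key = b"constructed-demo-key"          # constructed sample key
    original = b"Pay supplier A 100 GBP"   # constructed sample messages
    altered = b"Pay supplier B 900 GBP"
    h, t = digest(original), tag(key, original)
    return {
        # Integrity: a hash held separately from the data exposes any change.
        "hash_accepts_original": verify_hash(original, h),
        "hash_detects_change": not verify_hash(altered, h),
        # No authenticity: if the hash travels with the data, whoever replaces
        # the data can replace the hash, and the check still passes.
        "recomputed_hash_accepted": verify_hash(altered, digest(altered)),
        # Authenticity: the keyed tag fails for altered data, and a tag
        # recomputed under a guessed key is rejected.
        "tag_accepts_original": verify_tag(key, original, t),
        "tag_rejects_altered": not verify_tag(key, altered, t),
        "tag_rejects_wrong_key": not verify_tag(key, altered, tag(b"guess", altered)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

An HMAC proves the sender held the shared key; a digital signature additionally lets a third party verify authorship without being able to forge it.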
