
Making DIE Model Security vs. the CIA Security Triad Complementary, Not Competitive

Copado DevSecOps - Blog Series

Originally published by New Context.

The best way to approach DIE model security vs. the CIA security triad is to eliminate the “versus.” The DIE model is designed to build on the traditional CIA triad, making the two complementary, not competitive. The CIA security triad manages data through confidentiality, integrity and availability. The DIE model, meanwhile, centers on the infrastructure that holds that data. Combining the tenets of both allows organizations to manage their total security approach, from infrastructure through metadata.

Of course, both are broad philosophies rather than detailed directives. They allow companies to categorize their “pets versus cattle” and provide processes and systems that best support them. By combining the DIE model with CIA triad security principles, companies protect assets at a fundamental level.

Comparing DIE Model Security vs. the CIA Security Triad

Before delving into DIE model security vs. the CIA security triad, it’s helpful to reiterate the pets versus cattle analogy. In information technology, pets are irreplaceable assets. They’re protected, monitored, and given unique names to identify them. If damaged, they’re carefully repaired. Cattle are expendable assets. They’re identical, given serial numbers instead of names, and are disposed of in the event of damage. The DIE model and the CIA triad manage these two specific asset types using specific philosophies.

The DIE model is perhaps best explained by security expert Sounil Yu, in his presentation “Distributed Immutable Ephemeral – New Paradigms for the Next Era of Security.” In it, he links each DIE component to its CIA counterpart as a way to manage the infrastructure that controls the data.

DIE Model Security

The DIE model is newer than the CIA triad. It is an answer to issues the triad couldn’t resolve. It stands for:

  • Distributed: Are systems distributed to allow for scalability while preventing dependence on a single zone?
  • Immutable: Can the infrastructure be disposed of and replaced in the event of an issue, i.e., is it defined as infrastructure as code?
  • Ephemeral: What’s the period for system reprovisioning, and are assets disposable in the event of a breach?

The CIA Triad

The origin of the CIA triad is a bit murky, but some date it back to the birth of computer technology. Broken down, it means:

  • Confidentiality: Are appropriate measures taken to ensure the protection of sensitive information and control enterprise data?
  • Integrity: Is there a method in place to ensure data is not changed or lost?
  • Availability: Can individuals who need to use the information reach it easily at any time?

The CIA triad focuses on the information within the system. As a result, it targets the assets an organization holds that would be considered pets.

DIE is very focused on infrastructure. As a result, it targets the cattle parts of a system, where broken assets are terminated and replaced.

The CIA model is a traditional one that—while excellent—isn’t scalable in the way that most organizations need today. The DIE model is what makes the CIA triad’s three rigid components flexible. Data confidentiality is managed by keeping data separate from an ephemeral, replaceable architecture. Integrity is controlled—regardless of the size of the data set—by immutable logs. Finally, availability is maintained by building redundancy through a distributed system.
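The paragraph above says integrity is controlled by immutable logs. The following is an added example (not code from the original post or from Copado) of the mechanism behind that claim: an append-only log in which every entry commits to the hash of the entry before it, so that altering or re-hashing any record is detected on verification. The `auth` events in it are constructed sample data.

```python
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64  # hash that the first entry chains to


def _entry_hash(prev_hash: str, seq: int, payload: Dict[str, Any]) -> str:
    # Canonical JSON so the same record always produces the same digest.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{body}".encode()).hexdigest()


def append(log: List[Dict[str, Any]], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Append a record that commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "payload": payload}
    entry["hash"] = _entry_hash(prev, entry["seq"], payload)
    log.append(entry)
    return entry


def verify(log: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Walk the chain; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _entry_hash(prev, i, e["payload"]):
            return False, i
        prev = e["hash"]
    return True, -1


def build_sample_log() -> List[Dict[str, Any]]:
    # Constructed sample events, not real telemetry.
    log: List[Dict[str, Any]] = []
    for evt in (
        {"type": "auth", "user": "alice", "result": "allow"},
        {"type": "auth", "user": "mallory", "result": "deny"},
        {"type": "deploy", "image": "app:1.4.2", "result": "ok"},
    ):
        append(log, evt)
    return log


def tamper_payload_only() -> Tuple[bool, int]:
    log = build_sample_log()
    log[1]["payload"]["result"] = "allow"  # rewrite history in place
    return verify(log)  # caught at entry 1: stored hash no longer matches


def tamper_and_rehash() -> Tuple[bool, int]:
    log = build_sample_log()
    log[1]["payload"]["result"] = "allow"
    log[1]["hash"] = _entry_hash(log[1]["prev"], 1, log[1]["payload"])
    return verify(log)  # caught at entry 2: its prev pointer is now stale
```

Anchoring the latest hash somewhere the log writer cannot modify (a separate store or a signed checkpoint) is what stops an attacker from simply re-hashing the whole tail.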

This combination is necessary today as so much of our enterprise traffic occurs through an internet connection. User counts grow by the hour and needs change in minutes. The DIE model allows us to preserve the elements of the CIA triad while managing the scale needed in modern workloads. Together, they are complementary frameworks that can boost resiliency in the face of change.

Adopting a Strategy that Combines Both Models

Adopting a strategy that combines DIE model security with the CIA security triad is the best solution. This plan leverages processes that allow the infrastructure to be DIE compliant while protecting data using the CIA philosophy.

Infrastructure and DIE

To create a DIE compliant infrastructure, organizations should adopt modern processes to address each component:

  • Security orchestration: Orchestration is necessary to monitor a distributed system, various apps, and other programs essential to continuing operations.
  • Automation: Automation enforces system rules and logs changes to ensure accurate tracking and updates.
  • Infrastructure as code: Infrastructure as code allows administrators to recreate damaged systems from repeatable code that’s easy to monitor and manage. Old infrastructure is discarded. New infrastructure is built from updated code to ensure protection from current threats.

Combining these three strategies allows an organization to establish a flexible yet efficient infrastructure for storing data and processing information.

Data and CIA

As the CIA model is a traditional one, many of the processes used to address it are updates of old tried-and-true methods:

  • Multi-factor authentication: Requiring users to take multiple measures to verify their identity limits system access and ensures better data security management.
  • Cloud redundancy/backups: Automated syncing and backups guarantee availability in the event of system outages, cyber-attacks, or some other damage where necessary data is compromised.
  • Encryption: Encryption protects data in transit and blocks unauthorized access to data at rest, which in turn preserves its integrity. MFA could also be considered a method of protecting data integrity, as anything that prevents unauthorized access also preserves it.

These strategies help organizations protect assets that are irreplaceable.

These strategies aren’t a series of tools. They’re ways of updating traditional system creation methods to build security into a program’s very foundation. As organizations must contend with massive data stores and ever-changing infrastructures, these strategies offer a dynamic approach built on traditional, verified information protection methods.

Shifting from “Versus” to “In Tandem”

Approaching DIE model security and CIA triad security as adversaries is a mistake that can leave holes in a program. No organization has assets that are either all disposable or require careful preservation. They’re mixed. As a result, any approach to security must be equally eclectic and holistic. Combining the DIE model with the CIA triad is a practical approach that allows an organization to address its assets and the infrastructure that holds them.