Definition and Dimension of CNSS Model

Published - 2022-11-10 Computer Science

What is CNSS Security Model?

A common security model for many of today's computers and networks is the three-dimensional CNSS, or Committee on National Security Systems, model. Confidentiality, integrity, and availability are the three main security goals of CNSS. The requirements needed to effectively deliver and implement a certain security policy are outlined in a security model.

If a security policy specifies that certain users must be verified, trusted, and acknowledged before accessing network resources, the security model can specify how an access control matrix should be built to satisfy the security policy's requirements.

What is CNSS Model used for?

Millions of unsecured computer networks are connected to one another all the time in the modern world. Governments and businesses are more aware of the need to protect the computer-controlled control systems of utilities and other vital infrastructure as a result of the growing threat of cyberattacks.

For governments and businesses, data breaches pose a high risk due to the easily quantifiable costs of notification and revenue loss as well as the less obvious repercussions on an organization's reputation and consumer loyalty.

Companies are implementing best-of-breed security infrastructure models to safeguard themselves, their organizations, and their clients in light of the rising incidence of worms, viruses, intellectual property theft, hackers, nation-states participating in information warfare, and hostile insiders.

In addition to concerns with propriety and compliance, the frequency of attacks and the harm they do have reached astounding heights. These attacks are becoming more sophisticated and severe as well as occurring more frequently.

The time it takes for the most advanced worms and viruses to be exploited has decreased from years to months to days, and in some cases, only a few hours. Defending against these attacks within such a short amount of time is becoming more challenging.

Organizations must guard against external attacks as well as against malevolent insiders who want to steal private internal, customer, and corporate data and sell it to outsiders for their own financial advantage.

The Committee on National Security Systems (CNSS)

Information security, according to the CNSS, is the process of securing data and all of its essential components, including the hardware and software that use, transmit and store the data. The C.I.A. triangle, a concept created by the computer security industry, served as the foundation for the CNSS Model of information security. Information security encompasses the management of information security, as well as computer and network security.

Since the advent of the mainframe, the C.I.A. triangle, i.e. Confidentiality, Integrity, and Availability, has served as the de facto industry standard for computer security. The three aspects of information that make it valuable to the company form its foundation.

Critical Informational Characteristics

When it first started, it was centered on three main aspects of information, but it has since grown to include a longer list of important traits.

Confidentiality: Privacy is another word for confidentiality. Only those employees who are permitted to read this data should be able to do so, in accordance with company standards. Depending on the amount of security or sensitivity of the information, the data may be divided into several compartments. 

Data encryption, username ID and password, two-factor authentication, and limiting exposure of sensitive information are the finest techniques employed here to ensure confidentiality.

Integrity: The term "integrity" refers to the accuracy, consistency, and dependability of data across the course of its full life cycle. The goal is that data remains unchanged during transit and cannot be manipulated by unauthorized parties.

How can data integrity be made sure?

  • Unauthorized access can be avoided using user access restrictions and file permissions.
  • Version control can be used to stop authorized users from making unauthorized changes.
  • Any corrupted data must be recoverable from the backup.
  • Data integrity can be checked during transport using checksum hashing.

After files or character strings have been moved across your local network or the internet from one device to another, a checksum is used to confirm their integrity. 

A hash is one-way: for instance, a hashed value cannot be used to retrieve a forgotten password, so a reset is required. By comparing the hash value published by the source with the one you computed using any hash calculator, you can check the integrity of a file that you downloaded. If the two values match, the file hasn't been altered or corrupted during the transfer.

Availability: The property of information that allows users to obtain information in the required format without restriction or intervention. In this concept, a user could be a human being or another computer system.

Privacy: An organization must only use the information it collects, uses, and stores for the purposes that were disclosed to the data owner when the information was first requested. While freedom from prying eyes is a key component of this definition of privacy, it also implies that information will only be used in ways that the person supplying it is aware of.

Identity: When an information system recognizes specific users, it demonstrates identification. Establishing the degree of access or authorization that an individual is given requires identification and authentication.

Authentication: This takes place when a control shows that a user actually has the identity they claim to have. It is important to confirm the authenticity of the data, transactions, communications, and documents (both electronic and physical) in computing, e-Business, and information security to prevent fraud or fabrication.

Authorization: After a user's identity has been verified, a procedure known as authorization ensures that the user (whether a human being or a computer) has been specifically and expressly given permission by the appropriate authority to access, modify, or delete the contents of information assets. A person or a computer could be the user.

Accountability: When a control ensures that every action made can be linked to a specific person or automated procedure, accountability is present. Accountability is provided, for instance, by audit logs that monitor user activities on an information system.
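How identification, authentication, authorization and accountability fit together around the access control matrix mentioned earlier, as an added example (not code from the original article). The class name, user names, object name, rights and PBKDF2 iteration count are all assumptions made for this sketch.

```python
import hashlib
import hmac
import os

def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed value for this sketch
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Gatekeeper:
    def __init__(self):
        self.users = {}      # identification: user id -> (salt, password hash)
        self.matrix = {}     # access control matrix: (subject, object) -> rights
        self.audit_log = []  # accountability: one record per decision

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt))

    def grant(self, user, obj, *rights):
        self.matrix.setdefault((user, obj), set()).update(rights)

    def authenticate(self, user, password):
        record = self.users.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, hash_password(password, salt))

    def request(self, user, password, obj, right):
        """Authenticate first, then consult the matrix; log every outcome."""
        if not self.authenticate(user, password):
            outcome = "deny:authentication"
        elif right not in self.matrix.get((user, obj), set()):
            outcome = "deny:authorization"
        else:
            outcome = "allow"
        self.audit_log.append((user, obj, right, outcome))
        return outcome == "allow"

def demo():
    gk = Gatekeeper()  # every name and value below is constructed
    gk.enroll("alice", "correct horse")
    gk.grant("alice", "payroll.db", "read")
    results = [
        gk.request("alice", "correct horse", "payroll.db", "read"),
        gk.request("alice", "correct horse", "payroll.db", "delete"),
        gk.request("alice", "wrong guess", "payroll.db", "read"),
        gk.request("mallory", "anything", "payroll.db", "read"),
    ]
    return results, [entry[3] for entry in gk.audit_log]
```

Denied requests are logged as well as allowed ones, so the audit log can attribute failed attempts to a claimed identity and not only successful access.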

Accuracy: Data ought to be accurate. When information is error-free and provides the value that end users are looking for, it is said to be accurate. The information is no longer accurate if it now has a value that differs from what the user would have expected as a result of an intentional or unintentional change to its content.

Utility: Information's usefulness is its capacity to be valuable for a particular goal. The availability of information does not make it helpful if it is not presented in a way that the end user can understand. For example, a private citizen may find it challenging to analyze US Census statistics, whereas to a politician the same data may offer details relevant to the next campaign.

Possession: Possession of information is the property or state of having ownership or control over a certain entity or material.

Conclusion

Information security models bridge the gap between the security policy declaration, which specifies which users should have access to data, and the operating system's execution of it. This, in turn, allows a manager to organize access control. The models offered translate theoretical goals into mathematical relationships that support whichever execution is ultimately chosen.

The "abstract" or "theoretical" model, which is portrayed as a hypothetical structure that depicts a physical, biological, or social procedure, with a set of variables and a set of rational and quantitative relations between them, appears to be the most useful depiction of a model.
