Is it time for CIA to DIE?

DIE is the new kid on the block with its principles of Distribution, Immutability, and
Ephemeralism, but is it here to kick the CIA triad off the cliff?

The CIA Triad

Having worked in IT and vulnerability management for several years now, I find the CIA triad to be no new concept. Its tenets of Confidentiality, Integrity, and Availability are almost everywhere in my world. The basic understanding is that an organization should keep its data confidential (ensure that only those who should have access do have access), ensure the integrity of its data, and ensure that the data is available to be accessed whenever it is expected to be. However, in the provided article by Wesley Chai titled “What is the CIA Triad? Definition, Explanation, Examples,” he states that experts believe the CIA triad “needs an upgrade,” with a link to another article. That caught my attention, so naturally, I followed the link. The linked article introduced me to the DIE triad and sent me down a rabbit hole.

The DIE Triad

The DIE Triad, which “emphasizes system characteristics that foster security”1, is built upon being Distributed, Immutable, and Ephemeral. This model represents an alternative framework to the traditional CIA Triad in cybersecurity, aiming to address modern challenges in data protection and system resilience. The emphasis on being Distributed suggests a departure from centralized architectures, aiming to reduce reliance on single points of failure. Immutability advocates for data that is resistant to alteration, thereby bolstering integrity, though its practical implementation and scalability may pose challenges. Ephemeral components are designed to have a short lifespan, minimizing the exposure window for potential threats. While the DIE Triad offers some promising principles, its effectiveness and applicability in diverse contexts remain subject to debate and further exploration within the cybersecurity community.

Security expert Sounil Yu, a major proponent of the DIE triad, says “that each attribute of the DIE triad has a security benefit that negates the need for the traditional CIA security triad.”2 Essentially, he asserts that the answer to DDoS is a distributed architecture, negating the need for availability. If data is immutable, then integrity is already solved, and if data, and even data systems, only exist for the moments they are needed, the risk to confidentiality is removed.

I certainly agree that the DIE model has value. I think the greatest value is that it focuses on a security-by-design mentality. While the DIE Triad provides valuable insights and approaches, it's essential to recognize that the CIA Triad remains a foundational framework, and both can coexist or be used in tandem to address diverse security challenges. Even Sounil Yu states that there are some cases where the traditional CIA approach remains the best method of protecting data. Namely, these are what he calls “pet” systems: systems that are highly valuable and must be kept in good health, as opposed to “cattle” systems, where you would instead cull the diseased from the herd.3

Antifragility

Another very interesting concept I found on this journey is called antifragility. Antifragility at first seems like just another word for resiliency, and the two are related, but while a resilient system is unchanged by stress, an antifragile system actually becomes better because of failure. By putting a focus on testing and experimentation along with iterative improvement, a system can be placed under stress in a controlled way, observed, and then improved based on the results. This is a proactive process, as opposed to waiting for a stressor to occur in the form of a failure or a cyber-attack. In essence, antifragility encourages an active embrace of uncertainty, variability, and adversity, recognizing these as opportunities for growth rather than setbacks4. It aligns with the idea that, in certain contexts, experiencing stressors and failures can lead to positive outcomes, fostering innovation, adaptability, and a stronger overall system.

Conclusion

In conclusion, the DIE triad reframes the core principles of the CIA triad in a way that promotes security-by-design and a cloud-first architecture. It puts forth old ideas in a new way that helps us to see how to protect our data and cyber systems better. Is it here to replace the CIA triad? I don’t believe so. CIA has stood the test of time, and while I agree that new thinking is required to solve new problems, that doesn’t mean we throw out old wisdom. Instead, we should switch from a “versus” mentality to an “in tandem” mentality.

Rhys Ferris

References

(1) Heller, M. (2020, March 24). Experts say CIA security triad needs a DIE model upgrade. TechTarget SearchSecurity. https://www.techtarget.com/searchsecurity/feature/Experts-say-CIA-security-triad-needs-a-DIE-model-upgrade
(2) Ibid.
(3) Yu, S. (2021, July 20). Death to CIA! Long live DIE! How the DIE Triad helps us achieve resiliency [Video]. YouTube. Retrieved February 1, 2024, from https://www.youtube.com/watch?v=_omGtDfaAjI&t=796s
(4) Murray, B. (2017, June 7). Rethink risk through the lens of antifragility. ComputerWeekly.com. https://www.computerweekly.com/opinion/Rethink-risk-through-the-lens-of-antifragility