  • Should user permissions and privileges be considered part of confidentiality (specifically access control) or integrity?

  • And I'm also wondering if we can categorize Accountability, Authenticity and Non-repudiation as sub-characteristics of integrity.

user3011084

2 Answers


Confidentiality and integrity are aspects of information security. User permissions and privileges are security mechanisms that can be used to achieve them. So the answer to your first question, "should user permissions and privileges be considered as a part of confidentiality or integrity," is No.

You can categorize accountability, authenticity and non-repudiation as sub-characteristics of integrity if you like to, but that is largely a linguistic question. It does not have any practical consequences.

Tilman Schmidt

Should user permissions and privileges be considered part of confidentiality (specifically access control) or integrity?

The permissions/privileges set for users are definitely a confidentiality measure as they define levels of restrictions of access to some information/resources.

And I'm also wondering if we can categorize Accountability, Authenticity and Non-repudiation as sub-characteristics of integrity.

Let's deal with them one by one:

  1. Is accountability a sub-category of integrity?

    No. Suppose the company in which Alice is working forbids employees from installing outside software on company-owned information infrastructure. Bob should perform periodic checks to be certain that the policy is being followed. Bob has a specific role in the information security of the company: that is accountability by definition. Suppose Alice succeeds in installing outside software on her computer in the company. The software allows her to leak information to a competing company. She does not need to modify (integrity) the data she leaks out. Accountability cannot be a sub-category of integrity. They are different things.

  2. Is non-repudiation a sub-category of integrity?

    No. Non-repudiation is more a legal concept than anything else. For example, if the private key with which you sign your messages (digital signature) has been compromised (by malware installed on your computer, for instance): could we hold you responsible for all the messages signed with your key? That is a non-repudiation question. It is more about legal aspects than a technical one such as integrity. Please refer to How to achieve non-repudiation? for more details.

  3. Is authenticity a sub-category of integrity?

    No.

    In a data flow sense, authenticity guarantees the provenance of a message, but it does not distinguish between different messages from the same principal. A mere authenticity check does not protect against replay attacks: a message that was authentic in a previous run of the protocol is still authentic now, but integrity demands that the message that is received is the message that was sent as part of the same run. There are situations where integrity is harder to achieve than authenticity. For example, suppose I back up a file to a remote storage service. When I download the file, I can check that I am getting back a properly signed file, and if I include the file's name, I know that I am truly getting back a version of the file that I uploaded: the file is authentic. If I upload multiple versions of the file under the same name, integrity would guarantee that I download back the latest version; with a mere guarantee of authenticity, all I know is that I downloaded some version of that file.

    (Source)

My advice:

In information security, when you think about such notions, avoid doing it in linguistic terms: that is a source of confusion. Always try to transpose the concepts into technical terms: that will help you clarify them.
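The backup scenario in the quoted paragraph above, as an added example that is not part of the original answer: an HMAC over (file name, version counter, content) stands in for the digital signature, and the key, file name and version numbers are constructed values. `is_authentic` accepts any version the client ever uploaded, while `has_integrity` additionally compares the version against the client's own record of its latest upload, which is what turns "some version of my file" into "the version I last uploaded".

```python
import hashlib
import hmac

# Constructed demo key standing in for the client's signing key (not from the post).
KEY = b"constructed-demo-key"


def tag(name: str, version: int, content: bytes) -> bytes:
    """MAC over (name, version, content); an HMAC stands in for a signature."""
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    for part in (name.encode(), version.to_bytes(8, "big"), content):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.digest()


def upload(name: str, version: int, content: bytes) -> dict:
    """Build the stored record: name and version counter travel under the MAC."""
    return {"name": name, "version": version, "content": content,
            "tag": tag(name, version, content)}


def is_authentic(record: dict, name: str) -> bool:
    """Authenticity only: made with our key, for this file name.
    Any version ever uploaded passes, including a stale one."""
    return (record["name"] == name and
            hmac.compare_digest(record["tag"],
                                tag(name, record["version"], record["content"])))


def has_integrity(record: dict, name: str, latest_version: int) -> bool:
    """Integrity: authentic AND the version is the latest one the client
    remembers uploading, so a rolled-back copy is rejected."""
    return is_authentic(record, name) and record["version"] == latest_version


# Constructed scenario: two uploads of the same name; storage returns the older one.
v1 = upload("notes.txt", 1, b"draft")
v2 = upload("notes.txt", 2, b"final")
LATEST = 2  # client-side state: the version counter it last uploaded


def check_download(record: dict = v1) -> tuple:
    """Return (authentic, integrity) for a downloaded record of notes.txt."""
    return is_authentic(record, "notes.txt"), has_integrity(record, "notes.txt", LATEST)


if __name__ == "__main__":
    print("stale v1:", check_download(v1))   # (True, False)
    print("latest v2:", check_download(v2))  # (True, True)
```

The stale copy passes the authenticity check but fails the integrity check only because the client kept its own version counter; without that local state the two checks collapse into one.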