🛡️ Understanding Security Principles: A Simple Guide

By Sylvester | August 2025

---

🔍 Introduction

In today's digital world, security is more important than ever. Whether you're protecting your data, your organization, or your personal devices, understanding the core security principles is key.

This blog breaks down essential security concepts in a simple, beginner-friendly way. Let’s dive in!

---

🔐 CIA and DAD – The Foundation of Security

CIA – The Pillars of Security

1. Confidentiality – Keep data secret. Only authorized people should see it.

2. Integrity – Make sure data is not changed without permission.

3. Availability – Ensure data and services are available when needed.

DAD – Common Attacks on Security

1. Disclosure – Data is leaked or exposed.

2. Alteration – Data is changed by attackers.

3. Denial – Access is blocked or disrupted.

---

🛠️ Important Security Terms Explained

• Vulnerability – A weakness in a system (e.g., weak passwords, open ports).

• Threat – A potential danger that can exploit a weakness (e.g., a hacker).

• Risk – The chance a threat will exploit a vulnerability and the impact it could have.

Example:
A car showroom with big glass windows has a vulnerability (glass). A thief breaking it is the threat. The risk is the chance the glass will break and the loss it may cause.

---

🏛️ Key Security Models

We explored three popular security models:

• Bell-LaPadula – Focuses on data confidentiality.

• Biba Model – Focuses on data integrity.

• Clark-Wilson Model – Focuses on access control and well-formed transactions.

---

🧱 ISO/IEC 19249 – Secure Design Principles

Architectural Principles:

1. Domain Separation – Keep different system parts separate.

2. Layering – Use layers (like OSI model) to apply security at each level.

3. Encapsulation – Hide details and only show safe access methods.

4. Redundancy – Have backups and failover systems.

5. Virtualization – Use virtual machines to isolate and secure environments.

Design Principles:

1. Least Privilege – Give only the access needed — nothing more.

2. Attack Surface Minimization – Disable what’s not needed to reduce risk.

3. Centralized Parameter Validation – Validate inputs in one safe place.

4. Centralized Security Services – Keep security functions like authentication in one controlled system.

5. Error and Exception Handling – Systems should fail safely and not leak sensitive info.

---

🧠 Defence in Depth

Defence in Depth means using multiple layers of security.

Example:
Lock your drawer ➜ lock your room ➜ lock the house ➜ security cameras.
Even if one layer fails, others are there to protect you.

---

🤝 Trust but Verify vs. Zero Trust

🔍 Trust but Verify:

• Trust people/systems but still monitor them.

• Use logging, proxies, and intrusion detection to track actions.

• You assume things are fine — but double-check.

❌ Zero Trust:

• Never trust by default — always verify.

• Every access request must be checked, no matter where it’s coming from.

• Uses microsegmentation to isolate parts of a system.

---

☁️ Shared Responsibility in the Cloud

As more companies move to the cloud, security is shared between:

• Cloud Providers (e.g., AWS, Azure)

• Cloud Customers/Users

Depending on what service you use:

Shared Responsibility Model ensures both parties understand and manage their part of security.

---

🏁 Conclusion

You’ve now got a clear understanding of:

• CIA & DAD

• Vulnerability, Threat, and Risk

• Key security models

• ISO/IEC 19249 principles

• Defence in Depth, Trust but Verify, and Zero Trust

• The Shared Responsibility Model in cloud security

You’re ready to explore more! 👉 Next up: Intro to Cryptography

---

Thanks for reading! Stay secure, stay curious. 🔐💻
– Sylvester