For those of us in information security (InfoSec for short), "CIA" doesn't just mean the Central Intelligence Agency. CIA is also an acronym for the foundational pillars of information security, and understanding the CIA triad is key to understanding how an organization can protect the data it uses, stores, or processes.
The components of the CIA triad are Confidentiality, Integrity and Availability. These components inform the security strategy and controls that an organization puts in place.
In this blog, we’ll take a deeper look at these concepts and what they entail.
Confidentiality is the process of ensuring that only authorized and authenticated users or services can access data.
Access in this case doesn't refer simply to reading data; it covers the full range of operations, from viewing the data to changing it. In real terms, confidentiality is akin to how you safeguard the PIN for a debit card. The PIN is the data you want to keep confidential. It should never be shared with unauthorized users: the only person who should have access to that PIN is you.
In the real world, an example of confidentiality being breached would be if your sibling knows your debit card PIN and therefore could potentially use it (even if they won’t) for their own nefarious purposes. In the cybersecurity world, confidentiality is breached when an unauthorized person/system gains access to data in a system.
So, in order to protect yourself and your team from a potential confidentiality breach at your organization, the following tactics should be employed:
- Protect systems with passwords that have high entropy
- Use two-factor authentication for accessing systems
- Encrypt data at rest and in transit
- Use Access Control Lists to ensure that only the correct users or services are granted access to a given resource
Integrity is considered the accuracy of data.
In the debit card scenario above, you need to be sure that the PIN for your card has not been changed, and, if it has been changed, that you are aware of the change and know that only you made it. In the InfoSec world, integrity is the act of ensuring that data is consistent and isn't modified outside of authorized and authenticated processes: when you pass data from one system to another, nothing is changed in transit.
Back to the debit card scenario, let's assume that your sibling knows your PIN. Confidentiality was breached - and most likely that’s where it will stop. Now let's say that your sibling wants to mess things up for you. They call up your bank and claim they need “their” PIN changed. So the next time you try to use your card, it won't work, because the PIN has been changed. The fact that the PIN is not what you set it to is a breach of integrity.
Techniques for ensuring the integrity of your data are closely aligned with those for protecting confidentiality. However, systems should also audit any changes to the data, so that in the event of a modification, the service or user that performed it is logged. Validation systems can also be implemented to ensure that data is modified only by authenticated users or services, and that it corresponds to the type or format of data expected.
In our PIN scenario, a simple validation system would be that the change to the PIN is communicated to your email or phone when the PIN is changed. This would clearly alert you to your sibling's shenanigans.
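As an added illustration (not code from the original post), the following Python sketch models the PIN-change validation and audit described above: it checks who is making the change and whether the new value has the expected format, records every attempt in an audit log, notifies the owner on each successful change, and flags changes made by someone other than the owner. The account, the support staff list and the pepper value are constructed placeholders.

```python
import hashlib, hmac, re
from datetime import datetime, timezone

# Constructed sample state for this example: one account, an audit log, and a list
# standing in for the email/SMS channel. PEPPER is a placeholder, not a real secret.
PEPPER = b"placeholder-pepper"
ACCOUNTS = {"acct-1": {"owner": "alice", "contact": "alice@example.com", "pin_hash": None}}
SUPPORT_STAFF = {"bob"}            # bank staff authorized to reset PINs on request
AUDIT_LOG = []                     # who changed which PIN, when, and with what outcome
NOTIFICATIONS = []                 # (contact, message) pairs the owner would receive
PIN_RE = re.compile(r"\d{4}")      # the expected format: exactly four digits

def _hash_pin(pin):
    # Keyed hash so the stored value is not the raw PIN (confidentiality at rest).
    return hmac.new(PEPPER, pin.encode(), hashlib.sha256).hexdigest()

def _audit(account_id, actor, outcome):
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "account": account_id,
             "actor": actor, "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry

def change_pin(account_id, actor, authenticated, new_pin):
    """Validation gate: only an authenticated owner or support user may change the PIN,
    and only to a value in the expected format. Every attempt is audited; every
    successful change is reported to the account owner."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or not authenticated or actor not in ({acct["owner"]} | SUPPORT_STAFF):
        _audit(account_id, actor, "denied-unauthorized")
        return False
    if not PIN_RE.fullmatch(new_pin):
        _audit(account_id, actor, "denied-bad-format")
        return False
    acct["pin_hash"] = _hash_pin(new_pin)
    entry = _audit(account_id, actor, "changed")
    NOTIFICATIONS.append((acct["contact"], f"PIN changed by {actor} at {entry['ts']}"))
    return True

def verify_pin(account_id, pin):
    stored = ACCOUNTS[account_id]["pin_hash"]
    return stored is not None and hmac.compare_digest(stored, _hash_pin(pin))

def changes_not_by_owner(account_id):
    """Detection over the audit log: successful changes made by someone other than the owner."""
    owner = ACCOUNTS[account_id]["owner"]
    return [e for e in AUDIT_LOG
            if e["account"] == account_id and e["outcome"] == "changed" and e["actor"] != owner]
```

A support reset made on a sibling's request shows up both as an owner notification and in `changes_not_by_owner`, which is the audit trail the paragraph above calls for.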
The final portion of the CIA triad is Availability. Availability is the ability of authorized users to access the systems or data when they need to do so. This part of the triad has seen a growth in importance with the move to remote work due to Covid-19.
In our PIN scenario, availability isn’t really an issue - we can all remember a string of 4 digits. But after the rogue relative changes the PIN, not only is the integrity damaged, but also the availability - you need to call your sibling to find out the PIN. If your sibling is particularly malicious, they might change the PIN every time you use it. This means that you do not have access to the PIN.
As for the InfoSec world, imagine a scenario where, in an office, a financial comptroller needs to access a company's payroll data. The financial data is encrypted, and access is protected by a high-strength password. The data is also protected by a secondary validation system, the comptroller has to use two-factor authentication (2FA) to access the data, and the data is on a machine that can only be reached from a single machine in the office server room, a machine known as a jumphost.
This scenario works great for Confidentiality, Integrity and Availability during normal office hours or when working in the office. Suddenly there is a global pandemic and the office is closed down. Now the data is unavailable. Employees cannot be paid, and the company goes under.
The Denial of Service attack (more commonly DDoS, for Distributed Denial of Service) is a classic way for a bad actor to reduce availability. DDoS attacks are damaging to reputation, to profits and to the clients that depend upon the service.
Techniques to provide High Availability are many and varied. The traditional method for databases is to have the primary database replicate data to a hot failover machine. This then allows availability to be restored quickly and easily if the primary database fails to respond for any reason.
Usually it's the Infrastructure or Operations department's responsibility to keep these systems available. Monitoring systems for availability and bandwidth usage, and providing failover and business continuity capacity, is integral to their role.
You may have noticed that in most software/SaaS scenarios, whenever there is a triad, there is a balancing act between the three points. The CIA triad is no different. Providing availability to as many users as possible reduces the confidentiality of the data and puts the integrity of the data at risk. Locking the data down so that only one person or service may access it protects confidentiality and integrity but reduces availability. Making data changes impossible guarantees the integrity of the data, but it would mean either providing zero access to anyone or making every change to every piece of data completely transparent, thereby removing confidentiality.
When planning your InfoSec strategy, the CIA triad is key to understanding how to balance out your techniques and tools. The CIA triad doesn't cover everything, but as a central set of concepts it is invaluable.