One of the basic foundations of information security is the notion of the CIA triad. It is a term that should be etched into your memory, regardless of whether you are a new practitioner or a grizzled curmudgeon, offensive- or defensive-focused, or which discipline of information security you work in. CIA stands for confidentiality, integrity, and availability. Let’s take a look at each of these concepts a little more deeply.
Confidentiality
The National Institute of Standards and Technology defines confidentiality as “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” When thinking about information security, this is typically the pillar that comes to mind. Basically, confidentiality seeks to keep sensitive data out of the bad guy’s hands (or prying eyes).
Threats to the confidentiality pillar include the following:
- Eavesdropping attacks
- Encryption cracking
- Man-in-the-middle attacks
- Insider threats
A number of security controls can be placed in the environment to assist in bolstering the confidentiality pillar of an information security program. Multi-factor authentication, strong passwords, segregation of properly-classified data, encryption, and least privilege access are all security controls that focus on ensuring confidentiality.
Integrity
The data that an organization uses only has value if it is accurate. According to NIST, integrity is defined as “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” Violations of integrity can include both accidental and intentional modification or destruction of files.
Threats to integrity include:
- Human errors
- SQL injection (INSERT and UPDATE statements)
- Compromising a server
- Data corruption
Security controls can be implemented to ensure data integrity. Generating hashes/checksums and taking regular backups are just two such controls. Many confidentiality controls also serve as integrity controls, such as separation of duties and split key control.
Availability
Availability is the one leg of the three-legged stool that is often a shared responsibility with other departments. Site Reliability Engineers are often tasked with maintaining operational availability in conjunction with cybersecurity functions. As defined in FISMA, the term ‘availability’ means ensuring timely and reliable access to and use of information.
The most common example of a threat to availability is the Denial of Service (DoS) attack. Others include:
- Loss due to natural disasters or fire
- Insufficient bandwidth
- Malicious code
Popular methods of protecting the availability of a system include patching vulnerabilities, DDoS protection/sinkholing, building redundancy into systems, and the use of access controls.
Implementing the CIA Triad
The overall goal of the CIA triad is to help an organization’s information security efforts ensure that sufficient controls are in place to protect critical assets. Each element of the CIA triad plays a unique role in safeguarding the information and systems within an organization. If just one of the elements fails, an organization can open itself up, allowing attackers to breach the network and execute further attacks against the organization. However, determining the right balance of confidentiality, integrity, and availability is not prescriptive and depends on the organization’s strategy for securing its assets. When presented with a choice between confidentiality, integrity, or availability, one or more elements may take priority. For example, an e-commerce platform may have higher needs for availability than it does for confidentiality. That is not to say that confidentiality is not important: it is absolutely important for an e-commerce site to protect credit card and other payment card information. Just be mindful of all three elements when designing a system.
