What is the CIA Triad?
Today we’re going to be talking about an important topic when it comes to general day to day information security and this is the CIA Triad. The CIA Triad is made up of three components which are, Confidentiality, Integrity and Availability. The CIA triad is also part of the five pillars of Information Security, which are Confidentiality, Integrity, Availability, Authenticity and non-repudiation.
The topic if information security is vast and is an ever-learning topic and generally for most people is a very dry and boring topic. But without key fundamental components of information security like the CIA triad, information that you store and process would be useless.
So what is the CIA triad, how does it work and how can you embed this into your business and make it just work. We’ll, as we’ve already stated, the triad is made up of three important areas, Confidentiality, Integrity and Availability, these areas all overall and ensure that your information is what you think it is and where it should be.
So lets discuss each section and get an understanding of each piece of the puzzle.
First up, is Confidentiality. Confidentiality is as the name says, how do you keep your information which is needed to be kept private private. When it comes to ensuring your information is kept confidential, you need to ensure that you have whatever measures in place to ensure the protection of the secrecy of information, which, if you look at this technically, is made up of data, objects and resources.
The key objective for the confidentiality of information is to ensure that the information which you have, is protected from the unauthorised disclosure of information, but still ensuring that authorised access is still allowed.
But what do we mean by unauthorised disclosure of information? Well, this could be where information has been accidentally leaked to the public, information has not been properly locked down by access permissions and people who are not meant to see this information see it, think finance and HR information. This information is sensitive and should be kept confidential.
But the disclosure of information could also be done though the oversight of a security policy or a misconfigured security control through access permission like we said or some other control. This is where change control can help a lot.
So how can we help ensure that information is kept safe and secure and confidential? There are a few ways we can do this through the use of countermeasures. Such as ensuring you use encryption both at the file system and in transit, ensuring access control is in place and kept proper – make sure people are added to groups and not individual user accounts as this gets messy. Make sure you use data classifications and ensure that staff are trained and the list can go on.
If you’d like more information about what could be done here, leave a comment below the video and we can go through this in more detail.
So what is confidentiality made up of? Confidentiality is made up of many components, but the main areas are:
- Sensitivity – This refers to the quality of information that could cause harm or damage if disclosed without authorisation
- Discretion – this is where a decision whereby someone in a position can influence or control disclosure to minimise the harm or damage of information being released.
- Criticality – How critical is the information to the business? The higher the criticality of the information, the more it should be kept confidential.
- Concealment – This is the act of hiding or preventing disclosure of the information.
- Secrecy – This is where you are keeping the information secret or preventing the disclosure of the information.
- Privacy – This is keeping information confidential which generally is based around personal information
- Seclusion – This involves the storing of data which is kept away from other data and is usually kept secure through more access control.
- Isolation – As the name suggests, this is keeping the information or data isolated from other information. This could be in another shared area, building, network etc.
When it comes to confidentiality, you as a business should evaluate the level of confidentiality based upon the requirements of information and use the appropriate tooling.
Next up is Integrity, integrity is where you are protecting the information so that it is reliable and is correct. Having information available to people and not knowing if it is right or up to date would not be good for you or your customers.
So how do we ensure that the integrity of information can be upheld? The main way to do this is through the means of ensuring only people who have authorised access have access to the information and protect against intended and unauthorised access, such as malware, intrusions and people making accidental mistakes.
- Integrity can be broken down into three areas, these being:
- The prevention of unauthorised access making changes and modifications to data
- The prevention of authorised access making unauthorised changes such as mistakes
Maintaining the internal and external consistency of data, so that they remain correct and be a true reflection of the real world. Any relationships between data should also ensure that they are valid, consistent and that they can be verified for consistency.
But how can we ensure that integrity is maintained within the environment and that data is kept valid? Like confidentiality, controls must be put in place to ensure that access to data is controlled and that only authorised access is permitted.
Making sure that protections are in place to safeguard against unauthorised access and modifications, such as malware and viruses, so making sure you have antivirus/anti-malware software installed and up to date.
Making sure that people are trained and aware what they can and can’t do and how they can interoperate with the information to reduce the chances of making mistakes.
We can put safeguards in place by using intrusion detection and prevention systems, encrypting data, ensuring strong access control, validation of file hashes, training and more.
- Integrity can be made up of the following components:
- Accuracy -Is the data correct
- Truthfulness -Is the data a true reflection of the real-world data
- Validity – is the data correct and is it factually valid
- Accountability -being responsible for the actions and the results of the data being valid
- Responsibility -Being in charge and in control of the data
- Completeness -having everything you need to have the full picture of information
- Comprehensiveness – being complete in scope and including all the needed elements
Lastly we have Availability, this is as the name says, we need to ensure that the data is always available to the end person or system and that uninterrupted access is prevented.
So we need to ensure that the proper protection controls are in place, that we have enough resilience in place to ensure uptime and availability of systems. This could be through backup communication links, additional servers, mirrored data, ensuring protections from natural disasters and so forth.
Ensuring availability generally mends into the other two areas we’ve also discussed as we need to ensure that access is valid and that we prevent unauthorised access at all times. But we also need to look at the technology being used as well as the people. If you are still using on premise hardware, you should ensure that backups are always performed and tested, that your hard drives are configured in a RAID configuration with hot spare drives available. That you have monitoring and alerting in place and look at trends to ensure that data and systems are operating as they should be.
- Availability can be built by looking at the following areas:
- Usability – Can the data or systems be easy to use and learn
- Accessibility – Can the data or systems be accessed easily across numerous systems and devices
- Timeliness – can the data and systems be responded to quickly and efficiently and provide a low response time
So as you can see, these three areas all pay an important part within your business and general day to day life. For the most part you are already likely doing a lot of this, you just didn’t know what it was.