In this article, we will learn about the well-known CIA Triad: Confidentiality, Integrity, and Availability. Though the terms sound simple, they reach into every part of an organization's security posture, which is adequate only when all three are maintained. It is these three principles that attacks, of varying sophistication, set out to break.
Let’s discuss these concepts in detail.
Confidentiality is built on the principle of ‘least privilege’ and its close relative, ‘need to know’: access to information, assets, etc. should be granted only to those who require it for their role, so that information intended for a few is not readable by everyone. As you may have guessed, the foundation of good confidentiality is a strong data classification policy, because without classifying assets and information it is hard to say who should have access to what. Classification can be done at various levels according to the criticality of the asset or information. Newcomers to this concept may wonder whether this is simply authentication, while others may align it with authorization. Here is what you need to know: identification, authentication, and authorization are principles realized through access and privacy controls that support confidentiality. If authentication fails, information that confidentiality says should be withheld can be stolen. Confidentiality can also be lost outside the access-control path: data sent over a wire can be sniffed, and data stored on a USB drive can be stolen. Encryption supports confidentiality here since, if used correctly, it protects sensitive information from theft or leakage by converting plaintext into ciphertext that cannot be read without the key. There are many encryption algorithms; it is up to the individual or organization to select only strong, well-vetted ones.
Integrity makes sure that information is not tampered with while it travels from source to destination or while it is stored at rest. Information stored in underlying systems, databases, etc. must be protected through access controls, and there should be an accepted procedure for changing stored or in-transit data. An example of an integrity mechanism used by many tools is the ‘one-way hash’: a hash of the data is computed before transit and sent along with the original message. On the recipient side, the hash of the received message is computed and compared with the hash that arrived. If the two hashes differ, the message was altered in transit. One caveat: a plain hash only detects accidental corruption, because an attacker who can rewrite the message can just as easily recompute the hash. Detecting deliberate tampering requires a keyed construction such as an HMAC or a digital signature, where producing a valid tag needs a secret the attacker does not have.
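The following is an added example, not code from the original article, showing the hash-and-compare check described above and where it stops working. The message, the bit flip, and the attacker's rewrite are constructed for the demonstration; the shared key is assumed to have been exchanged out of band.

```python
import hashlib
import hmac
import secrets

# Constructed sample message (not taken from the article).
MESSAGE = b"TRANSFER 100.00 to account 12345"


def sha256_tag(data: bytes) -> str:
    """Unkeyed one-way hash, as the article describes: anyone can compute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: only a holder of the key can produce a valid value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, tag: str) -> bool:
    """Recipient-side check: recompute the hash and compare (constant time)."""
    return hmac.compare_digest(sha256_tag(data), tag)


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def bit_flip(data: bytes) -> bytes:
    """Accidental corruption on the wire: one bit of the first byte flips."""
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    return bytes(flipped)


def rewrite(data: bytes) -> bytes:
    """Deliberate tampering: an on-path attacker changes the amount."""
    return data.replace(b"100.00", b"999.00")


def plain_hash_catches_bit_flip() -> bool:
    """Sender ships (message, sha256). A bit flip makes the hashes differ."""
    tag = sha256_tag(MESSAGE)
    received = bit_flip(MESSAGE)
    return not verify_hash(received, tag)  # True: corruption detected


def plain_hash_catches_rewrite() -> bool:
    """The attacker rewrites the message AND recomputes the unkeyed hash.
    The recipient's check passes, so the tampering goes undetected."""
    received = rewrite(MESSAGE)
    forged_tag = sha256_tag(received)  # needs no secret
    return not verify_hash(received, forged_tag)  # False: forgery accepted


def hmac_catches_rewrite(key: bytes) -> bool:
    """With a keyed tag the attacker cannot produce a matching value for the
    rewritten message; the best they can do is resend the original tag."""
    tag = hmac_tag(key, MESSAGE)
    received = rewrite(MESSAGE)
    return not verify_hmac(key, received, tag)  # True: tampering detected


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # assumed exchanged out of band
    print("plain hash catches bit flip :", plain_hash_catches_bit_flip())
    print("plain hash catches rewrite  :", plain_hash_catches_rewrite())
    print("HMAC catches rewrite        :", hmac_catches_rewrite(shared_key))
```

The middle function is the point of the example: an unkeyed hash sent next to the data protects against noise, not against an adversary, because the verifier has no way to tell who computed it. The HMAC (or a signature, where sender and receiver should not share a secret) ties the tag to a key the attacker lacks.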
The Availability concept is about making sure that the services of an organization remain available. For example, if you have been following the press, there was recently news of Distributed Denial of Service (DDoS) attacks targeted at Dyn, KrebsOnSecurity, the BBC, etc. The motive behind these attacks is to bring down the respective services and thereby defeat availability. Availability can also be defeated by disasters, whether man-made or natural (earthquakes, floods, etc.). Companies generally try to build fault-tolerant systems, achieved through redundant systems, drives, network links, etc. For disaster recovery, alternate sites are used, classified as hot, warm, and cold: a hot site is a replica of the running environment, ready to resume business with minimal disruption; a warm site has hardware and connectivity in place but needs current data restored before it can take over; a cold site is just a site with physical facilities where the office and systems still need to be set up.
All three parts of the CIA Triad are important, but in a given context one of them, or a combination of them, must be given priority over the others. For example:
- Suppose we are examining proprietary information and deciding which element of the CIA Triad to prioritize. Since the information is proprietary, the priority should be Confidentiality, i.e. limiting access to the information itself.
- Consider financial information in a bank, which must be protected. Here the priority is the Integrity of the underlying information, so that every transaction keeps its true value.
- Now consider information published for public consumption. Here Availability takes priority, because being reachable is the whole point of publishing it. Confidentiality is not a concern since it is available to everyone; Integrity still matters (a defaced public page misleads its readers) but ranks below Availability.
New challenges for CIA:
With the advancement of technology, new challenges are posed for the CIA Triad. Some are:
- Internet of Things (IoT): its adoption in industry brings challenges. The first is the security of the IoT devices themselves, since numerous ways of breaking device security have already been found and patches for these devices are often slow to arrive, if they arrive at all. The second is privacy: wider public use of these devices puts more personal data at risk.
- Big Data: data comes in many forms and flavors, and it is of paramount importance to classify it and implement appropriate access controls around it.
So the CIA Triad is three concepts with broad, open-ended goals in information security, and with new kinds of attacks such as insider threats and new challenges from IoT, etc., it becomes even harder to scope and apply these three principles properly.