For anyone in the cybersecurity field, or for anyone that is just learning the basics of cybersecurity, the most important concepts to understand are the confidentiality, integrity, and availability of data. Together, confidentiality, integrity, and availability make up the “CIA Triad”, and they are cited everywhere inside the cybersecurity world.
As described by current infosec professionals, the CIA triad is “the foundation of everything we do.” It is the guiding principle that is applied to every single decision and is always kept in mind when exploring how to better protect a user’s data. Therefore, it is essential to know the three parts of the triad by heart:
“Confidentiality is ensuring that the people who are supposed to have access to information are the only people who have access to that information.” - Mansur Hasib “Cybersecurity Leadership”
The confidentiality, or privacy, of data can be compromised if too many people have access to the same information. If a large group of people have access to data that is restricted, then it is more likely for the data to leak or become compromised through association. Therefore, by basic rules of probability, the smaller the number of people with access to confidential data, the less likely that information will circulate or run amok. The best ways of limiting access include restricting Unix file permissions for employees, using encryption, and employing two-factor authentication.
To maximize confidentiality, it is also vital that information is only provided to those with the “need to know”. It is often that access to confidential data is given to individuals that should not have access based on their job position or ranking. For example: Access to a confidential app development project should not be given to a systems analyst (unless the project calls for one).
Varying degrees of access should be granted in order to get work done, but it is imperative to remember: If someone doesn’t really need to know, then they should not know. Ensure that this principle is upheld by continuously updating your access lists, as well as ensuring that the duration of access for an individual is always the appropriate amount (not too long, but not too short to prevent work from being completed).
“Integrity ensures that information can be trusted- and that no one has manipulated it; information can be traced back to the source, and information can be relied upon to make decisions.” - Mansur Hasib “Cybersecurity Leadership”
The integrity of data is ensuring that all information is accurate and that it has not been tampered with. In many instances, the integrity of data is violated quite easily.
Employees from inside the organization may choose to make bad or immoral decisions with the information they have access to. Attackers constantly try to change the data (insert malicious code, give themselves ultimate control, or good old fashioned “get in and break stuff”) in order to inflict damage on users and the company.
Whenever data is being transferred, it is especially vulnerable. When information is being moved from one place to another, it is possible for it to become corrupted in an attack, to not be converted to the correct form, or to become lost in the process.
In order for information to be trusted, it must always be questioned as to whether it is reliable in its current state. The integrity of data matters greatly for the reputation of an organization and its business. If users cannot trust the organization to keep their data always intact, then the organization may fail entirely.
The availability of information is ensuring that the appropriate users can reach their information anytime, anywhere.
In order to allow access for users from California to Florida to their information, there must be continual maintenance on a system or product. Whether it be the replacement of hardware, software updates, bug removal, renewal of bandwidth, (etc.) a system must always be up and running to accommodate users for when they need to access their information.
In case of a natural disaster or scenario where information may be lost, failover systems, disaster recovery planning, and regular system backups should always be completed and in place.
It should be known that sometimes not all three branches of the CIA triad (Confidentiality, Integrity, and Availability) are used at once. Each scenario must be weighed carefully by infosec professionals to decide how much confidentiality, integrity, or availability should be granted. For example: There are some cases when information must be shared with more people (gathering a larger team of data protection professionals) in order to protect the privacy of one individual. Based on the level of secrecy that a system contains, it may also be best not to have it be highly available to users who could see things that they are not supposed to.
Overall, the main principle of the CIA triad is to always apply the right amount of each branch to every situation. It is your correspondent’s opinion that the integrity of data should always be held to the highest standard (for who would not require information to always be accurate?), but there will often be varying degrees of confidentiality and availability according to an event.
“Cybersecurity Leadership” by Mansur Hasib
whatis.techtarget.com “confidentiality, integrity, availability (CIA Triad)”