
The CIA Triad: Confidentiality, Integrity and Availability

Kristelle F, published in Coinmonks, 5 min read, Oct 4, 2021

In light of the availability issues faced by Facebook today, let’s walk through the basic parameters of cybersecurity together. As you read more about security concepts, policies, etc., you will find many references to the CIA triad. This has nothing to do with the US agency. It is a basic concept that should always be kept in mind when discussing cybersecurity. You might feel it is too basic, but it is very important. CIA stands for Confidentiality, Integrity and Availability. Why are these three words so important? Because they define your security goals. Security controls are often evaluated based on how well they address this triad.

So let’s dive into the definition of each part of the CIA triad.

Confidentiality:

The definition we all know for confidentiality is the state of keeping something secret or private. In cybersecurity jargon, it describes the aim of preventing or minimizing unauthorized access to data we want to protect. How is this achieved? By ensuring that only the intended users can access a resource. Some common ways to achieve this are encryption, access controls, segregation of duties, two-factor authentication, etc. On a network, data can be in different states: in storage, in transit or in process. Confidentiality controls must be implemented to protect data in all of its states, and the controls required differ depending on the data’s state.

There are many attacks aimed at gaining unauthorized access to data. I listed some in the table below with possible countermeasures:

Example of a Man-in-the-Middle attack where the attacker intercepts Alice’s messages and sends them on to Bob. Alice and Bob think they are communicating with one another; however, the attacker is manipulating the communication.

Integrity:

Protecting the integrity of data means that only authorized alterations of data are allowed. In other words, it ensures that data remains correct and reliable while still allowing authorized changes. Only authorized users should be able to modify the data. Not only must the object itself not be altered without authorization; the tools that manage and manipulate it must not be compromised either.

There are two aspects of integrity to focus on:

  • Unauthorized users should not be allowed to alter the data
  • Authorized users should not be allowed to make unauthorized alterations to the data

Integrity should be maintained in all the data states mentioned above. Security controls such as access control, data validation and data backups must be implemented to preserve it.

Integrity relies on nonrepudiation, which means that no one can deny that an event has occurred. So if anyone accesses, modifies or deletes an object, they cannot deny their action. This can only be achieved with proper identification, authentication, authorization, accountability and auditing. To do so, it is crucial to keep access and action logs. As you know or will find out soon, logging is super important in cybersecurity.

Integrity breaches can be caused by:

  • File modification
  • File deletion
  • Altering configurations
  • Misconfigured security controls
  • Malware such as viruses, logic bombs and trojan horses

To counter integrity attacks, it is recommended to implement good access control and authentication procedures as well as intrusion detection systems (IDS), hash total verification, etc.
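As an added illustration of the hash verification countermeasure (example code written for this walkthrough, not code from the original post): a small file-integrity check that enrolls a baseline of keyed digests and later reports exactly the breach types listed above, namely modified, deleted and unexpectedly added files. The file contents and the key are constructed sample values; a real tool would read files from disk.

```python
import hmac
import hashlib

# Constructed sample "files" (path -> contents) standing in for a real
# filesystem so the example runs offline.
BASELINE_FILES = {
    "/etc/app/config.ini": b"db_host=db.internal\ndebug=false\n",
    "/srv/app/run.sh": b"#!/bin/sh\nexec /srv/app/server\n",
    "/srv/app/server": b"\x7fELF...constructed-binary...",
}

def file_tag(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256) of one file's contents.

    A keyed digest rather than a plain hash: someone who can alter a file
    but does not hold the key cannot also recompute a matching tag.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_baseline(files: dict, key: bytes) -> dict:
    """Record a tag for every protected file (the 'known good' state)."""
    return {path: file_tag(key, data) for path, data in files.items()}

def verify_integrity(files: dict, baseline: dict, key: bytes) -> dict:
    """Compare the current state against the baseline.

    Returns the integrity events the text lists: files whose contents
    changed (modification), files that vanished (deletion) and files that
    appeared without being enrolled (an unauthorized addition).
    """
    report = {"modified": [], "deleted": [], "added": []}
    for path, tag in baseline.items():
        if path not in files:
            report["deleted"].append(path)
        elif not hmac.compare_digest(tag, file_tag(key, files[path])):
            report["modified"].append(path)
    report["added"] = sorted(p for p in files if p not in baseline)
    return report

if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-secret"
    baseline = build_baseline(BASELINE_FILES, key)
    # Simulate a breach: config altered, script deleted, unknown file planted.
    current = dict(BASELINE_FILES)
    current["/etc/app/config.ini"] = b"db_host=db.internal\ndebug=true\n"
    del current["/srv/app/run.sh"]
    current["/srv/app/cron.sh"] = b"#!/bin/sh\n# unexpected new file\n"
    print(verify_integrity(current, baseline, key))
```

Store the baseline and the key somewhere the monitored system cannot overwrite, otherwise an integrity breach can quietly rewrite its own evidence.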

Availability:

The last principle is Availability and, as the name suggests, it refers to having uninterrupted access to objects. Hence, availability is closely linked to reliability and system uptime. Security mechanisms ensuring availability protect against Denial of Service attacks with high assurance. Availability also entails that the supporting infrastructure, such as network services and communications, functions without interruption, giving authorized users access to authorized resources, objects or data.

In this case, security controls must provide good identification and authentication to ensure authorized access. In addition, a good level of performance must be provided. Interruptions must be handled quickly, with redundancy and reliable backups in place to prevent data loss and destruction. Backing up data, disaster recovery and monitoring should all be in place to mitigate the risk of unavailability.

In the table below, some examples of attacks on availability are presented:

Confidentiality, integrity and availability can be disrupted by non-malicious issues such as hardware failures, human error or natural disasters. Most breaches are caused by non-malicious issues. This should be kept in mind when designing and implementing security controls.

Confidentiality, Integrity, Availability: What is your priority?

We have defined the three words that make up the CIA triad. Now, the next step is to determine your security goal. Each organization has its own priorities when it comes to implementing the CIA principles. A company offering a service must ensure that its product is always available for its users; for some, this might be the top priority. Other organizations, such as governmental bodies, might be more confidentiality-inclined. A good security strategy requires a good understanding of your organization’s goals. Why? So that the mechanisms implemented offer security while still allowing business goals to be achieved.

In this other post, I introduce you to two common models called Biba and Bell-LaPadula. Biba is a model focused on integrity and Bell-LaPadula is focused on confidentiality. These models describe information flow between different subjects and objects. I invite you to read that post if you are interested in learning more.

If you have any questions feel free to reach out!

Securely yours,

Kristelle Feghali
