What is the CIA Triad?
The information security CIA triad, standing for Confidentiality, Integrity, and Availability, is an information security governance model that organizations strive to attain when drafting their information security programs. The model was originally designed to manage security policies and act as a framework for data security administration. One of its primary focuses is to achieve a stable balance between the confidentiality, integrity, and availability of the organization’s data without disrupting its productivity and policy implementation.
The three attributes represent critical and integral objectives for information security. Business continuity will be at risk if the triad is not properly implemented. Confidentiality, integrity, and availability are equally important for all organizations, and implementation and maintenance resources should therefore be allocated evenly.
Confidentiality, in other words data privacy, consists of maintaining the classified nature of sensitive data and restricting access to authorized actors only. Integrity, on the other hand, is preserving data in its original state, exactly as it exists at its source, and protecting it from tampering. Availability is making sure that access to the data is reliable and timely.
Confidentiality is the protection of information from unauthorized access by both individuals and processes. To ensure data confidentiality is to prevent it from falling into the hands of unwarranted actors. The main principle of confidentiality specifies that access to information and/or digital assets should strictly be on a need-to-know basis, making it available to certain individuals in certain situations and not available to everyone at all times.
Critical information needs to be made private, and a clear description of who has access to it must be provided in the information security policy. There are many aspects by which data could be classified, the most important of which is its level of criticality. Clear and definite rules should therefore be set out in the information security policy regarding who has access to what and under which privilege.
Sensitive consumer data such as social security numbers, financial documents, and healthcare information can fall into the wrong hands if proper security controls are not well executed by B2C (business to consumer) companies. The same applies to corporate espionage, as businesses can do whatever it takes to beat the competition. Such information is valuable and should be protected because there is a lot at stake and cyber breaches can be destructive.
Cyber breaches make for everyday headlines these days because cyber crime can be extremely lucrative and the bar for entry is low. With the rise of ransomware as a service and hacking as a service tools, all that is needed to compromise targeted individuals is a personalized attack vector. There are also some innovative and sophisticated hackers who often go the extra mile to pull off major heists that could endanger the data of millions of individuals. The ultimate goal of confidentiality is to protect assets from unauthorized access and to keep sensitive data private. There are many attacks on this pillar of the CIA triad, among which are:
- Web application and database attacks
- Rogue employees exposing insider information intentionally or unintentionally to unauthorized parties
- Breaching an organization’s servers and data centers and downloading customer data and employee information
- Social engineering and deceiving employees into exposing critical information
- Decoding encrypted data
- Client-side wireless attacks
Integrity, on the other hand, looks at security from another perspective. While protecting the privacy of data is important, it is also necessary to preserve it from intentional and unintentional unwanted modification. Information that has been tampered with by unauthorized parties is ineffective and can be costly both to organizations and their clients.
Integrity ensures that information is authentic and identical to its original state. Whoever is on the receiving end must receive data in the exact form the sender intended to send it. Anything that undesirably affects data as it is being transferred can be a threat to integrity. Information may only be changed and edited by authorized individuals, and it must remain untampered with at all other times. Throughout its lifecycle, data should always be accurate and consistent. It should not be altered in transit or tampered with on its servers. We can protect data integrity by implementing security controls such as encryption and hashing. Unwanted changes can also happen due to non-human events such as server crashes and software malfunctions; it is therefore important to implement backup and disaster recovery controls as well.
Most modern-day documented cyber attacks have focused on breaching confidentiality and availability because of the potential financial payoffs. Stolen personal data such as credit card numbers, social security numbers, and banking information can be sold profitably on dedicated websites on the dark web. Holding data and computers hostage for a ransom can also be profitable when demanding high amounts of cryptocurrency for decryption. Monetary gain is the main motive for a large portion of cyber crime, and that is the main reason why attacks on integrity are not as common as attacks on confidentiality and availability. That does not mean they are less consequential; as a matter of fact, it means the exact opposite. Attacks on data integrity can bear more destructive results because oftentimes they are not detected. They require more sophisticated attack vectors and are often driven by deeper motives, which means they can cause more damage.
Here is a list of the most common attacks on data integrity:
- Man in the middle attacks to intercept and possibly alter communication between two parties
- Dedicated embedded malware within computers, servers, and databases that can corrupt data and send false messages to users
- Man-made errors and lapses that could result in technical flaws
- Social engineering attacks on employees
- Malicious attackers falsifying records and credentials after obtaining access
While many consider it the least important part of the CIA triad, availability is very important to the organization and its business continuity. Information is not secure if you do not have access to it. If data is not available, it cannot be protected or controlled. Availability is as important as confidentiality and integrity for an organization’s information security program.
Availability is the assurance that data is accessible when needed. It means that authorized actors are permitted to view and edit information, and possibly add to it, if their duties require them to do so. A lack of availability is a serious information security threat because organizations that do not have access to their own data are not secure. As an example, healthcare organizations such as hospitals should always be able to use their patient information to continue serving them; if they cannot, it will often be impossible to make progress.
Organizations should invest as many resources in maintaining data availability as they do in the other two parts of the triad. This is because threats to availability can often lead to severe consequences for the organization and its business continuity. Revoking an organization’s access to its own data is a very well-known attack nowadays, and it is especially popular in retaliatory offensives and hacktivism. Distributed Denial of Service (DDoS) attacks remain the most used attack strategy, as downtime can be awfully costly. There are also other threats to availability that are unintentional in nature, such as natural disasters, power outages, hardware malfunctions, and software glitches. Here is a list of the most common threats to data availability:
- Distributed Denial of Service Attacks
- Ransomware, which is a malware that encrypts files and/or prevents access to them until a form of payment is submitted
- Power outages
- Internet interruptions and/or local network suspensions
- Server malfunctions
- Software bugs
- Viruses and malware
- Damages to infrastructures caused by natural disasters such as floods, earthquakes, and hurricanes
Preserving the CIA Triad
To mitigate the attacks on the CIA triad, organizations resort to a few customized and often advanced security strategies. The best course of action will be to categorize threats according to what part of the triad they jeopardize and to deal with them individually.
When it comes to confidentiality, cryptography can be crucial, as protecting confidentiality is its main function. However, threats are not merely digital. Dumpster diving and tailgating are also real threats to organizations’ paper documents, and that is why it is recommended to destroy private data stored on physical media. Other strategies, such as implementing hierarchical access permissions, access controls, and data/directory permissions, are essential procedures for upholding confidentiality.
Data integrity can be maintained through cryptographic hashing. Hashing can be defined as generating a fixed-size value from input data through mathematical functions and algorithms. It is one of the most widely used methods of securing data transmission and communication, as it can show that the data being transmitted has not been tampered with. The most common hashing algorithm is MD5 (message digest algorithm), and it is widely implemented across all sectors and industries. The MD5 algorithm generates the hash as a 128-bit value, which serves as proof of the integrity of the data and can be checked by users. Other factors can also cripple the integrity of data, such as insider and outsider attacks. This can be mitigated by installing proper security controls such as firewalls, access controls, and authentication processes.
Availability of data can be maintained by preventing shutdowns and data removal due to outside or inside factors. The main strategies for implementing this are firewalls, intrusion prevention systems, backing up data to offline external storage drives, backup power supplies, and switching to high-availability hosting.
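The following added example (not code from the original article) shows the hash-based integrity check described above, and also the caveat a practitioner needs: a plain, unkeyed hash only detects accidental corruption, because anyone who can alter the data can recompute the hash; a keyed hash (HMAC) is needed to detect deliberate tampering. SHA-256 is used instead of MD5 because MD5 is no longer collision resistant; the record and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample record and key (not from the article); a real key would
# be generated with secrets.token_bytes(32) and stored out of band.
RECORD = b"account=12345;amount=250.00;currency=USD"
KEY = b"constructed-demo-key-do-not-reuse"


def digest(data: bytes) -> str:
    """Unkeyed integrity value: SHA-256 hex digest of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(digest(data), expected)


def tag(data: bytes, key: bytes) -> str:
    """Keyed integrity value: HMAC-SHA256 over the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected: str) -> bool:
    """Recompute the HMAC with the shared key and compare in constant time."""
    return hmac.compare_digest(tag(data, key), expected)


def tamper_scenarios() -> dict:
    """Walk through what each check catches when the amount field is changed."""
    tampered = RECORD.replace(b"250.00", b"9250.00")
    stored_digest = digest(RECORD)
    stored_tag = tag(RECORD, KEY)
    return {
        # Accidental corruption or casual edit: the stored digest no longer matches.
        "digest_catches_edit": not verify_digest(tampered, stored_digest),
        # Active attacker replaces data AND recomputes the unkeyed digest:
        # the check passes, so an unkeyed hash alone is not enough.
        "digest_defeated_by_recompute": verify_digest(tampered, digest(tampered)),
        # HMAC: the stored tag does not match the tampered data.
        "hmac_catches_edit": not verify_tag(tampered, KEY, stored_tag),
        # Attacker without the key cannot produce a valid tag for the new data.
        "hmac_resists_forgery": not verify_tag(tampered, KEY, tag(tampered, b"guess")),
    }


if __name__ == "__main__":
    for check, result in tamper_scenarios().items():
        print(f"{check}: {result}")
```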
Modern Challenges to the CIA Triad
Major technological developments often present challenges for every pre-existing model of information security governance. This is also the case for the CIA paradigm, as security professionals can sometimes find it difficult to apply information security guidelines in organizations with certain technological components. Organizations that put artificial intelligence, big data analytics, and the internet of things into action will have a few extra considerations for realizing the confidentiality, integrity, and availability of their data.
The internet of things can bring to the table a large collection of electronic devices that are linked to the internet. While computer security can be enforced through predefined protocols, this is not the case for many other internet-enabled devices and gadgets. The field of IoT is still in its infancy, and so is IoT security, which brings along new risk factors and threats. Risks can be found in firmware, hardware, cloud APIs, and communication protocols. Furthermore, beyond security issues, maintaining the privacy of information in an IoT setting has its own list of difficulties. When a considerable number of IoT devices are connected to the network, a unique numeric or alphanumeric string is associated with each device to ease communication and data transfer. Privacy concerns can arise in such environments when network fragments from different endpoints are collected by malicious actors to uncover critical data.
Big data can also make implementing the CIA triad more difficult due to the amount of data organizations nowadays try to collect from their customers. The data comes from many sources and in different formats, which at times results in duplication. Data supervision is therefore rendered challenging, and executing the CIA triad becomes demanding.
By limiting access to information, assuring its accuracy, and guaranteeing access to it whenever required by authorized actors, organizations will have achieved the CIA triad, and that can prove useful to their business continuity. Cyber attacks can in some cases threaten all three parts of the triad. The triad’s practical importance lies in the fact that it helps security experts build their security measures on a thorough framework that tackles all known risk factors and threat vectors. All modern-day security controls and mechanisms are designed and deployed to implement confidentiality, integrity, and availability. The criticality of cyber threats is determined by their probability of putting one or more of the CIA principles at risk. There is no better strategy for designing a comprehensive and accurate security plan than to make the CIA triad its footing and operational framework.