CIA triad

February 7, 2018 by Security Ninja

In this article, we will learn about the well-known CIA Triad: Confidentiality, Integrity, and Availability. Though these terms sound simple, they reach into every part of a security program, and an organization's security posture is adequate only if all three are maintained. It is these three properties that attacks of every kind ultimately target, to varying degrees.

Let's discuss these concepts in detail.


Confidentiality

Confidentiality revolves around the principle of 'least privilege' and its companion, 'need to know': access to information, assets, etc. should be granted only to those who require it for their work, so that information meant for a few is not accessible to everyone. As you might have guessed already, the foundation of good confidentiality, or need to know, is a strong data classification policy.

Without classifying assets and information, it is difficult to keep track of who should have access to what. Classification can be done at several levels according to the criticality of the data. Those who are new to this concept may wonder whether confidentiality is simply authentication, while others may equate it with authorization. So here is what you need to know: identification, authentication and authorization are supporting principles, implemented through various access and privacy controls, that together enforce confidentiality. If authentication fails (say, an attacker passes as a legitimate user), the underlying information can be stolen even though confidentiality demands that the access be denied. Confidentiality can also be lost without any access-control failure: data sent over a wire can be sniffed, and data stored on a USB drive can be physically stolen. Encryption supports confidentiality in exactly these cases, since it protects (if used correctly) sensitive information from being read when it is intercepted or leaked, by converting the plaintext into ciphertext that cannot be read without the key. There are many encryption algorithms, but it is up to individuals and organizations to select only strong, well-reviewed ones and to use them correctly.
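As an added example (not code from the original article), here is how a need-to-know check can be expressed once data and people carry classification labels. It assumes a four-level scheme (public, internal, confidential, restricted) plus compartment tags for need-to-know; the level names, compartments, subjects and objects are invented for illustration.

```python
"""Need-to-know access check over classified data.

Added example, not code from the original article. The four-level scheme,
the compartment names and the subjects/objects below are assumptions made
for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Ordered classification levels: a higher index means more sensitive (assumed scheme).
LEVELS = ("public", "internal", "confidential", "restricted")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Classification label carried by an object, or clearance held by a subject."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")


def can_read(subject: Label, obj: Label) -> bool:
    """True only if the subject's clearance dominates the object's label.

    Two conditions, both required:
      1. no read up: the subject's level is at least the object's level
      2. need to know: the subject holds every compartment on the object
    A high level alone is not enough; the compartments carry need-to-know.
    """
    level_ok = RANK[subject.level] >= RANK[obj.level]
    need_to_know_ok = obj.compartments <= subject.compartments
    return level_ok and need_to_know_ok


# Constructed sample data: clearances held by subjects.
SUBJECTS: Dict[str, Label] = {
    "alice": Label("restricted", frozenset({"payroll", "mergers"})),
    "bob": Label("confidential", frozenset({"payroll"})),
    "carol": Label("restricted"),            # top level, but no compartments
    "mallory": Label("internal"),
}

# Constructed sample data: labels attached to objects.
OBJECTS: Dict[str, Label] = {
    "payroll_2018.xlsx": Label("confidential", frozenset({"payroll"})),
    "merger_memo.docx": Label("restricted", frozenset({"mergers"})),
    "holiday_calendar.ics": Label("internal"),
}


def audit() -> Dict[Tuple[str, str], bool]:
    """Evaluate every subject against every object; returns (subject, object) -> allowed."""
    return {
        (s, o): can_read(SUBJECTS[s], OBJECTS[o])
        for s in SUBJECTS
        for o in OBJECTS
    }


if __name__ == "__main__":
    for (subject, obj), allowed in audit().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {subject:8} -> {obj}")
```

The instructive case is carol: she holds the highest level but no compartments, so she is denied the payroll spreadsheet that bob, one level lower, can read. That is the difference between "cleared" and "needs to know", and it is why the classification policy has to record both.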

Integrity

Integrity makes sure that information is not tampered with, whether it is travelling from source to destination or stored at rest. Information stored in underlying systems, databases, etc. must be protected through access controls, and there should be an accepted procedure for changing stored data or data in transit. An example of an integrity mechanism used by many tools is the 'one-way hash': a hash of a particular set of data is calculated before transit and sent along with the original message. At the recipient side, the hash of the received message is computed and compared with the hash received. If the two hashes differ, the message has been altered and should be rejected. Note that a plain hash only catches accidental corruption: an attacker who can change the message can just as easily recompute the hash to match it. To detect deliberate tampering, the hash has to be bound to a secret the attacker does not have, either a shared key (a keyed hash, or MAC) or a digital signature.
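The hash-then-compare procedure above, as an added example that is not part of the original article, shown beside the keyed version so the difference is visible. It assumes SHA-256 and HMAC-SHA256 from the Python standard library; the message, the shared key and the tampered variants are constructed for illustration.

```python
"""Integrity check with a one-way hash, and why an unkeyed hash is not enough.

Added example, not code from the original article. SHA-256 / HMAC-SHA256 are
the assumed algorithms; the message, key and tampering below are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def send_with_hash(message: bytes) -> Tuple[bytes, str]:
    """Sender side: compute a hash of the message and send both together."""
    return message, hashlib.sha256(message).hexdigest()


def verify_hash(message: bytes, received_hash: str) -> bool:
    """Recipient side: recompute the hash and compare it with the one received."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), received_hash)


def send_with_mac(message: bytes, key: bytes) -> Tuple[bytes, str]:
    """Sender side with a shared secret: tag = HMAC-SHA256(key, message)."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, received_tag: str, key: bytes) -> bool:
    """Recipient side: recompute the tag with the shared key and compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received_tag)


def corrupt_in_transit(message: bytes) -> bytes:
    """Accidental corruption: one bit flips, the accompanying hash is untouched."""
    return bytes([message[0] ^ 0x01]) + message[1:]


def attacker_rewrites(message: bytes) -> Tuple[bytes, str]:
    """Active attacker: change the amount AND recompute the unkeyed hash to match."""
    forged = message.replace(b"100.00", b"900.00")
    return forged, hashlib.sha256(forged).hexdigest()


def demo() -> Dict[str, bool]:
    """Run both schemes against corruption and forgery; returns what each detected."""
    message = b"transfer 100.00 to account 4242"   # constructed sample message
    key = os.urandom(32)                           # shared secret agreed out of band
    results = {}

    # Plain hash: catches the bit flip, but not an attacker who recomputes the hash.
    msg, h = send_with_hash(message)
    results["hash_intact"] = verify_hash(msg, h)
    results["hash_detects_corruption"] = not verify_hash(corrupt_in_transit(msg), h)
    forged, forged_h = attacker_rewrites(msg)
    results["hash_detects_forgery"] = not verify_hash(forged, forged_h)

    # Keyed hash: the attacker cannot produce a valid tag without the key.
    msg, tag = send_with_mac(message, key)
    results["mac_intact"] = verify_mac(msg, tag, key)
    forged, _ = attacker_rewrites(msg)
    results["mac_detects_forgery"] = not verify_mac(forged, tag, key)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:24} {outcome}")
```

The plain-hash scheme reports `hash_detects_forgery` as False: the recomputed hash verifies, so the recipient accepts the altered amount. The MAC scheme rejects the same forgery because the tag depends on the key. `hmac.compare_digest` is used for both comparisons so that verification time does not leak how many leading characters matched.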

Availability

The availability concept is to make sure that an organization's services are available when they are needed. For example, if you have been following the press, there was news of distributed denial-of-service (DDoS) attacks targeted at Dyn, KrebsOnSecurity, the BBC, etc. The motive behind these attacks is to bring down the respective services and thereby defeat availability. However, availability can also be defeated by other disasters, whether man-made or natural (earthquakes, floods, etc.). Generally, companies try to build systems that are fault-tolerant, which is achieved through redundant systems, drives, network links and so on. For disasters, the concept of alternate sites is used; these are further classified into hot, warm and cold sites. A hot site is a replica of the running environment and is ready to take over the business with minimal disruption. A warm site has hardware and connectivity in place but needs data restored and systems configured before it can take over. A cold site is just a site with physical facilities, and the office and systems need to be set up from scratch.

All three parts of the CIA Triad are important, but in a given context one of them, or a combination of them, has to be given priority over the others. For example:

  • Suppose we are examining proprietary information and deciding which part of the CIA Triad to prioritize. Since the information is proprietary, the priority should be Confidentiality, i.e. limiting access to the underlying information itself.
  • In another example, consider financial information in a bank that must be protected. Here the priority is to protect the Integrity of the underlying information, so that every transaction keeps its true value.
  • Now consider information that is intended for public consumption. In this case Availability holds the priority, because reaching the public is the whole purpose of that information. Confidentiality is not an issue, since the information is meant for everyone, and integrity, while still desirable, ranks below availability.

New challenges for CIA:

With the advancement of technology, new challenges are posed for the CIA Triad. Some are:

  • Internet of Things (IoT) – IoT adoption is spreading across industry, and it poses several challenges. The first is the security of the devices themselves: numerous ways to break their security have already been discovered, and patches for these devices are often slow to arrive, if they arrive at all. Wider public use of these devices also raises privacy concerns, since more personal data is collected and put at risk.
  • Big Data – Data comes in many forms and flavors, and it is of paramount importance to classify it and implement appropriate access controls around it.

So the CIA Triad is three concepts with broad goals (and no real end point) in Information Security; with new types of attacks such as insider threats, and the new challenges posed by IoT and Big Data, it has become even harder to scope and enforce these three principles properly.
