Understanding the importance of the CIA triad
If you just had to learn something, just know the letters CIA are important in information security.
In all things information security, one of the most basic yet foundational concepts is the CIA triad. Now, I could go off into a pun and little short story about “No… not that CIA, but this CIA!” and finish it off with a sensible chuckle. But I won’t… (nah, just this once). The CIA triad is one of those concepts that most, if not everyone, who has anything to do with cybersecurity should know about. It’s not something that is only applicable in cybersecurity, but that is going to be the scope of this little writeup today. So first, I think it’s important to have a little context on why security is so important. In this digital age that we are in, one of the most disastrous things that could happen is the loss of privacy and trust. As we shift along with these technological advancements, we must also bring all the security up to speed. In the past, most physical storage was secured by locks, safes, people, and any combination of those. But at the very least, the very first form of innate security was location and whether or not it would even be accessible. Back then, if you wanted to infiltrate and steal something, you actually had to go to the site and get through all of the layers, so it was not feasible for someone to travel halfway around the world, walk up to the safe, and steal something. But now, in this digital age, it’s much simpler for someone halfway across the world to try to hack into a storage vault and steal its contents.
In the words of Spiderman and Aunt May, with great power, comes great responsibility.
With the great power that the digital age brings, there is an even greater responsibility to protect and secure everything that comes with it. Now, to get back on track, here is just a neat little picture of the CIA triad. It’s very simple looking, but it is more than enough to get the point across and emphasize certain points. Information has value and power, especially in today’s world of espionage, WikiLeaks, and the dark onion web. Banking is now online, personal information is stored in delicious cookies, and credit card information is supposedly protected by PCI regulations. Everyone and everything has a secret it wishes to keep secret, and that is why information security is such a crucial and important aspect today.
There are entire classes and certifications that revolve around the basis of the CIA triad and the information security that it encompasses. But for the sake of my own fingers and your eyes, the CIA triad breaks down into Confidentiality, Integrity, and Availability. These “goals” are things that should be met any time someone is dealing with assets and data of any kind. I’ve taken a couple of courses on information security management and policy, and every single time, there is a class just on understanding the CIA triad and basic yet foundational information security concepts. I realize that is quite a broad sentence, but it’s just important that when you’re working with anything, you’re thinking “Is it confidential? Are only the authorized persons able to access it?”, “How can I maintain its integrity? How do I make sure that no one except those authorized can make any changes, and if there are any changes, is there a way to fix them?” and lastly, “Is it available when needed? Is it available for everybody when they need it? Do I have measures in place that make it robust even if I am not here to manage it?”.
Confidentiality – Akin to privacy, this ensures that measures have been put in place to prevent any sensitive or private information from being accessed by those not authorized. As a result, controls must be put into place that restrict access and only allow access to those authorized to view the data and information. There are a ton of different ways to do this, but I’ll probably talk about that later in the future. With confidentiality, it’s important that people are trained to identify and react to security risks that could threaten this information. Although there is a variety of methods to do so, one of the most effective and cost-effective solutions is proper security training, awareness, and education about the security risks that might threaten confidentiality. Another way of ensuring confidentiality is using encryption (not necessarily cryptography) to ensure that if people do happen to access the information, they won’t be able to understand it.
Integrity – A simpler concept, but it’s ensuring that the integrity of the information and data is untouched. This goal ensures that the information maintains its consistency, accuracy, and trustworthiness throughout its lifecycle, even when it gets shoved into cold storage. Regardless of what happens to the data, controls are put into place to ensure that nothing is changed or altered by any unauthorized persons. These can be enforced by things like “privileges”, “roles”, “permission sets”, “access controls”, and a handful of other things. This also leads to monitoring and auditing controls that support reactive and proactive defenses against any intrusions, such as backups, checksums, and even more encryption! It also ensures that if any changes are made, there are controls that can revert those changes without greatly affecting the operation.
Availability – Somewhat in line with integrity: if any changes are made, can they be reverted while maintaining availability of the resource and operation? It is more of a physical concern, but availability ensures that all hardware is maintained and repaired immediately as needed. Things are kept up to date and patched, and security exploits are either removed or controlled. Can resources, data, assets, and information be accessed by those authorized, when they need them and at acceptable levels? However, one of the most difficult questions and dilemmas in information security is, “how do you balance availability and security?” Sounds like a simple question, right? Unfortunately, it’s not as simple as you would think. If you make things available to people, doesn’t that open up the window and possible opportunities for exploits and vulnerabilities to be found? If you make things available, that means they simply are not as secure. However, if you secure things, are they still available as needed? Are they still accessible without causing people to try to find easier ways of accessing things? Something I came across was a login mechanism so terribly annoying, with multiple factors of authentication, that people started trying to find ways to disable the security features that had been implemented with good intentions.
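To make the three goals concrete, here is an added example (not code from the original post) of a tiny record store that enforces each of them: role-based access for confidentiality, a keyed checksum (HMAC) for integrity, and a known-good backup that is restored when a record fails its integrity check so the data stays available. The key, roles and records are constructed sample values, and `simulate_unauthorized_edit` only stands in for a change that bypassed the controls.

```python
import copy
import hashlib
import hmac

# Constructed demo values; a real deployment would keep the key in a secret store.
INTEGRITY_KEY = b"demo-integrity-key"

# Confidentiality: which roles may read which record (constructed sample policy).
ACCESS = {"salary": {"hr", "payroll"}, "memo": {"hr", "payroll", "staff"}}


def tag(value: str) -> str:
    """Integrity: keyed hash of the value; an edit without the key changes it."""
    return hmac.new(INTEGRITY_KEY, value.encode(), hashlib.sha256).hexdigest()


class Store:
    def __init__(self, records: dict):
        # Each record is stored with the tag computed when it was authorized.
        self.records = {k: (v, tag(v)) for k, v in records.items()}
        # Availability: a known-good copy to revert to if a record is damaged.
        self.backup = copy.deepcopy(self.records)

    def read(self, name: str, role: str) -> str:
        # Confidentiality: refuse roles that are not authorized for this record.
        if role not in ACCESS.get(name, set()):
            raise PermissionError(f"role {role!r} may not read {name!r}")
        value, stored_tag = self.records[name]
        # Integrity: recompute the tag and compare in constant time.
        if not hmac.compare_digest(stored_tag, tag(value)):
            # Integrity failed: revert to the backup so the record stays available.
            self.records[name] = self.backup[name]
            value = self.records[name][0]
        return value

    def simulate_unauthorized_edit(self, name: str, new_value: str) -> None:
        """Stands in for a write that bypassed the controls (old tag left in place)."""
        self.records[name] = (new_value, self.records[name][1])


if __name__ == "__main__":
    store = Store({"salary": "50000", "memo": "quarterly meeting moved"})
    print(store.read("memo", "staff"))           # authorized, intact
    store.simulate_unauthorized_edit("salary", "99999")
    print(store.read("salary", "hr"))            # tag mismatch, restored: 50000
```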
Overall, the CIA triad is a very fundamental, basic, yet foundational concept in security. As I mentioned earlier, it’s not just in digital systems, but in everything today. But as we shift from the physical and tangible world to the digital world, it’s important that emphasis is paid where it is due in designing a secure system. Although these three goals may not be enough anymore, they are crucial first steps.