A Look Inside a Benchmark Model In InfoSec: CIA Triad

This blog was originally published by SafeBase here.

We are constantly hearing tips and tricks on how to protect our data - get a VPN, back everything up on a cloud, change your passwords, etc.. And in the business world, there are tons of policies in place and certifications that can be acquired to prove that your organization is compliant with the handling of sensitive data. But what is it about the data are we actually protecting? This is where the “CIA Triad” comes into play to best describe the key components of the data we are safeguarding. This widely used model breaks down the security of our data into three elements: Confidentiality, Integrity, and Availability.

Confidentiality involves the ability to keep data private. This can include things such as an organization’s trade secrets or a customer’s personal identifiable information (PII). There are two popular security controls that can be implemented to limit access only to users who absolutely need access, Role-Based Access Control (RBAC) and the Principle of Least Privilege (POLP). RBAC restricts access to users based on their role within the organization. POLP is limiting access to only those resources necessary to performing a task. Another way that we protect the confidentiality of our data is the use of multi-factor authentication (MFA). This acts as an additional level of security by providing confidentiality of our data from unauthorized users. A common type of MFA is when a website sends a one-time PIN to your phone via text, that you are required to enter on the website to gain access to the account.

Integrity refers to the quality of the data; Is it true, authentic, correct? Modifying the integrity of data is a game changer. Imagine someone compromises your system and changes employee pay rates. Or imagine logging in to your banking app only to realize that you’re missing a couple zeroes from your account balance. Big deal, right? A data breach isn’t the only way the integrity of data can be compromised. Data can also be altered when there is a data transfer or an update. An essential piece to an organization’s disaster recovery plan is to conduct backup and recovery testing. This allows you to verify that the restored data is in fact unaltered.

Availability is ensuring that data is available to our applications and end-users (customers). Data availability is crucial to your business and the reputation you have with your customers. Availability has the potential to be compromised if there is a failure in the hardware or software, such as from a power outage or natural disaster. The most common attack that affects availability is a Denial of Service (DoS) attack. A threat actor will overload a network server with traffic causing your website to become unavailable to its users.

At one point or another, as a Cybersecurity professional, you’ll be asked in an interview, which of the three do you think is the most important? Don’t get stumped, it’s a trick question. This is contingent upon the nature of the business for that specific organization. You may prioritize one element over another. The healthcare industry and eCommerce industry may value confidentiality. The finance industry may hold integrity to a higher regard. While the internet marketplace will focus on ensuring availability to their customers.

Although absolute security is not possible, it is the common goal we all work towards. The “‘CIA Triad”’ has proven to be tried and true when it comes to safeguarding our data and protecting our organizations.