The CIA Triad: The Key to Improving Your Information Security

Rosanne Shepherd, Marketing Executive at Commissum, considers the three main pillars of security.

28th Nov 2018

Cyber SecurityThe relentless surge of cyberattacks and the introduction of harsher penalties by the Information Commissioner’s Office (ICO) are putting organisations under immense amounts of pressure to implement effective data security strategies. However, with all the noise surrounding the latest breaches, the growth of attack vectors and stricter fines, it’s easy to lose sight of what is actually at the core of information security. 

In this article, we take it back to the basics and look over the three main pillars of information security: Confidentiality, Integrity and Availability, also known as the CIA triad. Possessing a sound understanding of the CIA triad is critical for protecting your organisation against data theft, leaks and losses as it is often these three elements that are compromised through exploits.
 

Confidentiality

The purpose of ‘Confidentiality’ is to ensure the protection of data by preventing the unauthorised disclosure of information. Only individuals with the legitimate authorisation to access the required information should be permitted it, also known as permissions on the ‘need to know’ basis. At large, the goal of confidentiality is to stop sensitive data from getting into the wrong hands.

There are a number of measures that can be taken to assist with confidentiality including multifactor authentication, strong passwords, encryption, segregation of data, and assigning users with appropriate user privilege levels. However, before implementing such measures, it’s important to group your information assets into different classifications according to how much damage could be done if accessed by an unauthorised entity. The higher the negative impact, the stronger the security controls need to be.

Common threats against confidentiality are:
 

  • Eavesdropping attacks

  • Encryption cracking

  • Malicious insiders

  • Man-in-the-middle attacks

 

Integrity

This principle seeks to ensure the accuracy, trustworthiness and validity of information throughout its lifecycle. Information only holds its value if it’s truthful, therefore effective measures need to be taken to prohibit the alteration of data whether at rest or in transit by unauthorised individuals or processes.

To prevent unwanted modifications and to ensure that information can be restored if altered, the implementation of regular backups is essential as well as effective access privileges, version controls and input validation.
Challenges that could affect the integrity of your information are:
 

  • Human error

  • Compromising a server where end to end encryption isn’t present

  • Physical compromise to device
     

Availability 

Availability refers to information being accessible to authorised personnel as and when it is needed. Safeguarding business continuity relies heavily on rigorously maintaining the performance of hardware, software, equipment and communication channels that are used to store and process information.
Popular methods used to protect organisations from loss of availability include keeping all critical systems updated, DDOS protection, redundancy, firewall and proxy servers, ensuring adequate bandwidths and the use of access controls.

Should the worst happen, and your organisation is hit with a security breach/attack, it is crucial that you have an adaptable incident response plan in place so that the loss of availability can be limited.
Information unavailability can often occur due to:
 

  • Distributed Denial of Service attacks (DDOS)

  • Loss of processing ability due to natural disasters and fires

  • Malicious code

  • Insufficient bandwidth
     

Implementing the CIA Triad

The overall goal of CIA is to guide your organisation’s information security efforts to ensure sufficient protection of your most critical assets. Each of the elements in the triad are instrumental to strengthening your security posture. If just one of the elements in the triad fails, it could provide a window of opportunity for malicious actors to weed their way into your network.

However, how you prioritise the mix between Confidentiality, Integrity and Availability is completely down to your organisation’s requirements. There are instances where one of the pillars is more important than the others, for example, the availability of your processes may be more important than the confidentiality of your information, therefore sterner measure should be taken to ensure availability at all times.

------------------------------------------------------------------------------------------------------------------------------
Commissum provide a joined up approach to solving information security, governance, risk management and compliance challenges across technology, people and processes