In this article, we take it back to the basics and look over the three main pillars of information security: Confidentiality, Integrity and Availability, also known as the CIA triad. Possessing a sound understanding of the CIA triad is critical for protecting your organisation against data theft, leaks and losses as it is often these three elements that are compromised through exploits.
The purpose of ‘Confidentiality’ is to ensure the protection of data by preventing the unauthorised disclosure of information. Only individuals with legitimate authorisation should be permitted to access the information they require, an approach known as granting permissions on a “need to know” basis. At large, the goal of confidentiality is to stop sensitive data from getting into the wrong hands.
There are a number of measures that can be taken to assist with confidentiality, including multi-factor authentication, strong passwords, encryption, segregation of data, and assigning users appropriate privilege levels. However, before implementing such measures, it’s important to group your information assets into different classifications according to how much damage could be done if they were accessed by an unauthorised entity. The higher the negative impact, the stronger the security controls need to be.
Common threats against confidentiality are:
- Eavesdropping attacks
- Encryption cracking
- Malicious insiders
- Man-in-the-middle attacks
Integrity, the second principle, seeks to ensure the accuracy, trustworthiness and validity of information throughout its life-cycle. Information only holds its value if it is truthful, so effective measures need to be taken to prevent the alteration of data, whether at rest or in transit, by unauthorised individuals or processes.
To prevent unwanted modifications and to ensure that information can be restored if altered, regular backups are essential, together with effective access privileges, version control and input validation.
Challenges that could affect the integrity of your information are:
- Human error
- Compromise of a server where end-to-end encryption isn’t present
- Physical compromise of a device
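As an added example (not part of the original article), the following Python shows one concrete integrity control from the list above: records held at rest are sealed with a keyed MAC so that any alteration of the data, or of the tag itself, is detected when the record is read back. The demo key, the record layout and the function names are assumptions for illustration; in practice the key lives in a secret store separate from the data it protects.

```python
import hashlib
import hmac
import json
import os

# Why a keyed MAC rather than a plain hash stored beside the data: anyone able
# to rewrite the data could recompute an unkeyed hash to match, so the check
# would pass. With HMAC the tag cannot be recomputed without the key, which is
# held apart from the data (assumption: a KMS, HSM or environment secret).


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so equal content gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Return the record wrapped with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    Returns False if the data or the tag changed, or if the tag is missing.
    """
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def demo() -> dict:
    """Constructed run: an intact record verifies; a modified copy is caught."""
    key = os.urandom(32)  # demo only; load from a secret store in real systems
    sealed = seal({"account": "12345", "balance": 100}, key)  # constructed record
    intact = verify(sealed, key)
    # Simulate unauthorised modification of the stored data, tag left as-is.
    tampered = {"data": dict(sealed["data"], balance=1_000_000), "tag": sealed["tag"]}
    detected = not verify(tampered, key)
    return {"intact": intact, "tampered_detected": detected}


if __name__ == "__main__":
    print(demo())
```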
Availability refers to information being accessible to authorised personnel as and when it is needed. Safeguarding business continuity relies heavily on rigorously maintaining the performance of hardware, software, equipment and communication channels that are used to store and process information.
Popular methods used to protect organisations from loss of availability include keeping all critical systems updated, DDoS protection, redundancy, firewalls and proxy servers, ensuring adequate bandwidth and the use of access controls.
Should the worst happen and your organisation is hit with a security breach or attack, it is crucial that you have an adaptable Incident Response plan in place so that the loss of availability can be limited.
Information unavailability can often occur due to:
- Distributed Denial of Service (DDoS) attacks
- Loss of processing ability due to natural disasters and fires
- Malicious code
- Insufficient bandwidth
Implementing the CIA Triad
The overall goal of the CIA triad is to guide your organisation’s information security efforts so that your most critical assets are sufficiently protected. Each element of the triad is instrumental in strengthening your security posture. If just one of the elements fails, it could provide a window of opportunity for malicious actors to work their way into your network.
However, how you prioritise the mix between Confidentiality, Integrity and Availability depends entirely on your organisation’s requirements. There are instances where one pillar is more important than the others; for example, the availability of your processes may matter more than the confidentiality of your information, in which case sterner measures should be taken to ensure availability at all times.
Commissum can help
As a long-established cyber and information security advisory company, Commissum is perfectly placed to provide expert advice and support to protect your critical business assets. We take the holistic approach of understanding your organisation’s technologies, data processing activities and workforce needs before mapping out the detailed steps you need to take in order to become more secure. Offering testing services, training and consultancy, we can help you establish a level of information security that you can be proud of.