Marc Andreu

I have been a front end, backend and quality testing software engineer now I am following the path towards cybersecurity.

The CIA triad in cybersecurity

Shall we play a quick game?

Please, try to relate the items of the following columns:

Description Is? Name
1 Your customers expect their personal information to be securely stored. =? a)Integrity
2 When the orders arrive, your customers don’t want to receive the wrong items because of the incorrect product description on the site or because something else got messed up. =? b)Availability
3 Your customers want to buy what they need at any time, 24 hours per day, seven days per week. =? c)Confidentiality

Was it difficult? Probably not, but life is not always that easy, isn´t it? Solution: 1-c, 2-a, 3-b

Why are those concepts useful?

In the vast and complex world of cybersecurity, these three terms help people communicate better using common and more conventional terminology. The CIA triad allows people to understand and comprehend better the nuances of the vast array of security software, services, and techniques in the marketplace.

Keeping the CIA triad in mind helps teams evaluate which of the three elements is the most important on each design option. Therefore teams can make informed design decisions when there are conflicting requirements that challenge the system’s security.

So, what is CIA?

  • Confidentiality: Secured data. Only authorised users and processes should be able to access or modify the data.

    Anything that restricts access to data falls under this notion, primarily, this includes the two significant As in Information Security:

    • Authentication: any processes to determine if a user is who they say they are.
    • Authorisation: the rules to know who has the right to access which data.

    In practice, Public-key Cryptography is the infrastructure that enforces booths As.

    The loss of confidentiality is named a Data Breach; this occurs when an unauthorised person gets access to the protected data.

  • Integrity: Clean data. Data should be maintained in a correct state, and nobody should be able to corrupt it, either accidentally or maliciously.

    At run time, the same processes used for confidentiality will also cover data integrity, as it is not possible to modify the data that we can not access. Furthermore, we ought to protect data integrity from data corruption due to dysfunctional physical storage devices. Any method designed to preserve the physical integrity of the stored data can also save the virtual integrity of data.

    In practice, in cybersecurity, any process related to regular backups and checksum of the data will help to enforce data integrity.

    The violation of data integrity can bring negative consequences like losing customer’s trust, modifying business data to affect decision-making, mangling into a financial system to briefly inflate the value of a stock or bank account, loss of reputation, etc.

  • Availability: Accessible data. Authorised users should be able to access the data whenever they need to do so.

    The best way to guarantee that your data is available is to constantly monitor that all your systems can properly function while handling the expected workloads.

    In practice, this principle requires keeping software and hardware up-to-date, monitoring the usage of the services and providing disaster recovery capabilities if systems go down. The availability needs to be in balance with the other two principles of the CIA triad. For example, having read-only files would be a balanced solution between Integrity and Availability.

    The loss of availability in a system could result in a Denial of Service DoS; this is usually a brute force attack on the exposed services. The DoS attacks do not access or modify the integrity of the data; instead, this kind of attack only blocks access to the data.

Where does this “CIA” triad come from?

It’s also not entirely clear when the three concepts began to be treated together. The three terms were more or less coined around the 1970s and 1980s. In “The CIA triad: Definition, components and examples” article, there is an excellent detailed explanation of those early triad notions.

In summary

Arranging these three principles in a triad clarifies that they have to live, in many cases, in balance with one another. Some contrasts are pretty obvious. For example, requiring a very secure authentication user flow may help ensure confidentiality. Still, it can also mean that some users may find it hard to access the system, thus reducing the data availability.

In summary, finding the right balance between the different elements of the CIA triad in any organisation is not always trivial. It demands a strong connection with the business needs to do it properly, and when the energies are out of balance, the company will suffer.

Image by cristianrodri17 from Pixabay