When you hear the acronym ‘CIA’, you naturally might think of the Central Intelligence Agency and agents wearing earpieces with hidden microphones. CIA Triad, then, sounds like a hit new TV drama – some kind of cross between Homeland and a Jackie Chan movie. (If there are any TV executives reading – you’re welcome).
In the context of cyber security, however, CIA stands for something else altogether: Confidentiality, Integrity and Availability.
The CIA Triad is a model designed to guide an organisation's policies on information security. The elements of the triad are considered the three most crucial components of security.
Compromise any one element of the triad and your data security is compromised.
The CIA Triad of information security
Confidentiality, Integrity and Availability are fundamental elements of any security strategy. Let’s break down what each of those elements looks like in practice.
The first and best way to protect your data and information is to restrict who can access it. The fewer people can access it, the more secure it is.
In the real world, a sign saying ‘Do not enter’ may work to deter casual passers-by from entering restricted areas, but if you want to keep out the folks with malicious intentions you need to lock the door... at the very least – maybe several doors, all locked, with security guards, barbed wire, CCTV... and a couple of dogs. It depends what you’re trying to protect.
The same logic applies to cyber security.
If you want your data to remain confidential, you need to put the appropriate protections in place. This includes policy, of course (the equivalent of that ‘do not enter’ sign), but should also extend to security technologies.
Question to ask: How do I maintain confidentiality of my data, considering my people, processes and technologies?
As well as controlling access to data, your security measures should also limit what people can do with that data.
For instance, the ability to copy, move or alter data should be restricted. This protects the integrity of your data, ensuring that those authorised users are accessing the right data at all times...
Access controls help you remain confident in the integrity of your data, as well as tying in with the Confidentiality side of the triad - ensuring that data cannot be shared without authorisation.
If hackers were to breach your system, what could they do to your data? Implementing the right security measures at this stage can make a huge difference to the amount of damage an attacker could inflict. Consider your worst-case scenario and plan your defences accordingly.
Of course, in doing all this, you have to be careful not to overcomplicate access for those who need it. That’s where Availability comes in.
Think of the careful balance of online banking, as an example – access must be secure without being too difficult for actual customers to make use of.
Complicated security measures can be a bottleneck to access, particularly if systems aren’t properly maintained or if problems aren’t immediately rectified. There are a number of protocols to ensure system Availability, including ensuring the appropriate bandwidth is available and having backup and disaster recovery methods in place.
A DDoS (Distributed Denial of Service) attack is your classic tactic to compromise the Availability of systems, by flooding the bandwidth or resources of a targeted system, typically a website.
Benefits of the CIA Triad
As models go, the CIA Triad is a good one to put your cyber security strategy into context. Think of the three elements as your guiding principles, with every aspect of your strategy relating back to at least one of these principles.
You could use it together with the five technical controls of Cyber Essentials to assess your systems' security and identify where you have gaps, improving the overall structure of your cyber security plan.
It’s also worth noting that the CIA Triad doesn’t discriminate between external attacks and internal misuse. The principles apply to internal users just as they do to hackers. The Confidentiality, Integrity and Availability of data have to be protected from unauthorised actors, wherever they’re based.
If you’re looking for a high-level, world-renowned example of internal misuse of data, look no further than Edward Snowden. He had legitimate access to top secret information, but was able to copy that data for unauthorised use.
3 elements to maintain data security
Each element of the CIA Triad is integral to systems security – but the fundamental requirement of the CIA Triad is to consider them all together.
- Protecting the Confidentiality of data is like Cyber Security 101 – it forms the basis of many people’s security strategy.
- Data Integrity is essential to the validity of that data – if you can’t trust that the data is unmodified, what’s the point in keeping it?
- And maintaining Availability is critical to having a functional relationship with that data.
So the elements of the CIA Triad make a good team – but they can’t work alone!