The term “CIA” used here does not refer to the well-known US intelligence agency; instead, each letter stands for a different property: C = Confidentiality, I = Integrity, and A = Availability.
In the digital world, users hold an enormous amount of data that is used over and over again. Because of the threats lurking in this vast world, every user wants to keep their data and information safe and looks for ways to ensure that no one else can get hold of their assets, modify them, or make it impossible for the owner to use their own data. This is where the CIA triad comes into play. The concept is vital to any organization because most goal setting, planning, and implementation of security policies and frameworks depend on the ideas it generates. That is why the CIA triad is not based on tools or advanced technology; it is rather a way of thinking and planning.
So, let’s break down each component.
1. Confidentiality
Who doesn’t want their data protected from unauthorized access? Confidentiality simply means keeping things hidden; how well it holds depends on how private information is managed, how data access is controlled, and who is authorized to use it. It is therefore an effort to keep data private or secret, but remember that it is not the same as privacy. For example, if you have a credit card, only you should have access to its PIN, password, OTP (one-time password), or two-factor authentication code, unless you share it with someone you trust. Data management and classification, access controls, awareness, and steganography (the process of hiding sensitive information within pictures, audio, or video) help ensure confidentiality. If you are not authorized to access an object, you should never be able to access it.
2. Integrity
What if a user’s data has been changed or tampered with? Does that violate integrity? Of course it does. Integrity means keeping data accurate, whole, and untampered. Data modified without the user’s consent signals a weak point in the security measures. Such modification can be caused by corruption, accidental access that leads to a change, or deliberately malicious changes. If an organization had followed strict defense policies, its sensitive information would never have been changed in the first place, nor would users' systems have been compromised. Integrity is a matter of trust and covers aspects such as credibility, consistency, truthfulness, completeness, accuracy, timeliness, and assurance. For example, after each transaction, the bank should correctly update the user’s balance and account. Or, when you buy items through an online system, the product information must be accurate and must not change after the order is placed. Encryption, hashing, digital signatures and certificates, and version and access controls help ensure integrity.
3. Availability
What could be more frustrating than not being able to access something when you need it? How would you feel if all your colleagues had access to something and you didn’t? Horrible and frustrating, right? Availability means that the information we hold can be used immediately by, and is accessible to, the people who should have it. Publicly available data can be used by anyone, whereas within an organization the policies can be a little different. For example, an intern network engineer should not have access to server configuration, because a simple mistake could cause heavy loss and halt a lot of work. This can involve topics such as proxy configuration, outside web access, the ability to access shared drives, and the ability to send email. Another example: you can still use online banking even when your bank branch is closed. Various factors can affect availability, such as hardware and software failure, DoS and DDoS attacks, unreachable hosts, and so on. To counter these, fault tolerance, backup servers, FSMO master roles, and a disaster recovery plan are required.
Information or resources, no matter how safe and sound, are useful only if they are available when called upon.
There are two other concepts you should know about: Accountability and Authenticity.
1. Accountability means that an individual is entrusted to protect and safeguard very sensitive information and data from misuse or sudden loss. Users are responsible for protecting their private data by whatever means are required. But if their data is protected by another party, the responsibility lies with the party that took on the contract. For example, if you are paying a cloud service to protect your data, it will be held responsible for its actions. To some extent it is similar to integrity; the difference is the rule of law. Accountability works by following standard rules and contracts and is transparent in nature. It is also a matter of perspective: whoever claims something is good must provide proof of why it should be trusted.
2. Authenticity is the ability to state that an object, such as a piece of data or a message, came from a legitimate and identifiable source. This is an important property because it establishes that the source of an action is valid and known. Because the sender signs a message with their private key, verifying the signature with their public key proves the sender’s identity and thus authenticates both the sender and the origin of the message. The concept comes from cryptography.
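As an added example (not from the original post), here are the integrity and authenticity properties described above in Go, using only the standard library: a SHA-256 digest detects a tampered bank balance record, and an Ed25519 signature made with the sender's private key verifies only under the matching public key. The record format and the account values are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is a constructed sample: the balance update a bank sends after a
// transaction, data whose accuracy (integrity) and origin (authenticity) matter.
type Record struct {
	Account string
	Balance int64
}

// encode gives a canonical byte form so sender and receiver hash/sign the same bytes.
func encode(r Record) []byte {
	return []byte(fmt.Sprintf("%s|%d", r.Account, r.Balance))
}

// Digest is the integrity check: a SHA-256 hash of the record. Changing even one
// digit of the balance yields a different digest, so a stored digest detects tampering.
func Digest(r Record) [32]byte {
	return sha256.Sum256(encode(r))
}

// Sign is the authenticity step: the sender signs the record with its private key.
func Sign(priv ed25519.PrivateKey, r Record) []byte {
	return ed25519.Sign(priv, encode(r))
}

// Verify is the check anyone holding the sender's public key can run: it succeeds
// only for a signature made by the matching private key over exactly these bytes,
// so both a tampered record and a signature from another key are rejected.
func Verify(pub ed25519.PublicKey, r Record, sig []byte) bool {
	return ed25519.Verify(pub, encode(r), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	orig := Record{"ACC-001", 5000}
	digest, sig := Digest(orig), Sign(priv, orig)
	tampered := Record{"ACC-001", 50000} // constructed tampering: an extra zero
	fmt.Println("integrity intact:", Digest(orig) == digest)      // true
	fmt.Println("tamper detected:", Digest(tampered) != digest)   // true
	fmt.Println("authentic:", Verify(pub, orig, sig))             // true
	fmt.Println("tampered verifies:", Verify(pub, tampered, sig)) // false
}
```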
Seen clearly, the claim that the CIA triad alone ensures data protection is still debatable, given the flexibility and whimsical nature of technological change and business requirements. But if we were to seek a better option, it would be best to understand the relationship between CIAA and security and privacy.