Security+ Journey – CIA Triad

As with dealing with practically any task, project, or initiative, having a set of guidelines to assist us toward our goals can be very important and beneficial. Information security is no different. Just looking at and thinking about the words information security can be a bit daunting and overwhelming. Where do we even start when it comes to designing and implementing secure networks? That is where beginning with some guidelines can help. In working with Info Sec, there is a common set of guidelines we can look to, to assist us, called the CIA Triad. No, not that CIA. This CIA acronym stands for confidentiality, integrity, and availability. These high level components can be thought of as pillars when creating security policy and implementing security controls. Let’s unpack the components of the CIA Triad.

In my opinion, confidentiality covers two high level, yet tightly coupled concepts. The first is around keeping data private, and the second is around ensuring that only properly authenticated and authorized individuals have access to the data in question. When I see the term data privacy, my first thought is encryption. We need to make sure that certain data, whether it is in use, in transit, or at rest, is kept private. As soon as data that is deemed to be private is in clear text, especially in transit, that’s when we have issues. Having encrypted data is great and important but we also need to take it a step further. We also need to make sure that not just anybody has the ability to access, view, edit, and delete the data. Data deemed confidential or private should be secured by authentication and authorization. Only known, authorized individuals should have access to the data.

Data integrity is all about trust. Ourselves and our customers need to be assured that the data is trustworthy; that is has not been modified by unauthorized parties. From a practical application standpoint, technologies such as hashing and checksums are used to help ensure that the data has integrity and can be trusted.

Applications, systems, and services are no good to anyone if they cannot be accessed and used as they were intended. Security controls should be applied to prevent systems from going down or offline. The concept of security to promote availability does not apply to just the cyber realm. Security from an availability standpoint also applies to physical concepts such as potential power loss or weather events. Any issue or event that could impact the availability of a system can be thought of as a security-related concern.

Another concept that can go along with the CIA Triad is non-repudation. This is a term that I had not heard before starting my Security+ studies. Non-repudiation means making sure that the identity that created and/or sent data remains associated to that data. The purpose of this is to prevent the identity from successfully denying that they indeed created/sent the data. Essentially, I think this proves the need for logging and correlation.

I think that the CIA Triad gives us a good starting point when building and auditing security programs. We need to make sure that we can keep our systems and data confidential, with integrity, and available. Also, as a closing thought, I found that this model can be referred to as AIC to remove confusion from the other common acronym of CIA.

Published by Tim Bertino

Systems Architect passionate about solutions and design.

One thought on “Security+ Journey – CIA Triad

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: