
CIA Triad


Overview

The CIA Triad is a conceptual model for thinking about the security of information. The triad is composed of the concepts of Confidentiality, Integrity, and Availability. There are multiple conceptual models for thinking about information security. Other conceptual models, such as the OECD’s Guidelines for the Security of Information Systems and Networks, have nine principles, and the NIST’s Engineering Principles for Information Technology Security model has 33 principles. While there is no single generally agreed upon conceptual model for describing all aspects of information security, a benefit of the CIA Triad is its simplicity, which drives easy adoption by both information security workers and other stakeholders within the organization.

Confidentiality

The confidentiality pillar of the CIA Triad involves ensuring that data stored within an organization’s information systems is accessible only to authorized individuals. There can be a variety of reasons for restricting access to data, from the data being a matter of national and/or regional security, to the data being business-critical intellectual property, to the data involving an individual’s personally identifiable information that various regulations specify must be controlled in a particular manner. The confidentiality pillar of the CIA Triad model is about putting in place the appropriate controls to ensure that the dissemination of information is limited to the intended audience and remains unavailable to unauthorized persons.

For example, an organization may have an online store. The backend information systems infrastructure of this online store includes a database that hosts customer account data. This data includes email addresses and the associated online store passwords, kept in the form of cryptographic hashes. A successful attacker might compromise the information systems of the organization and get access to the email address and password hash pairs. Even though the password was stored as a cryptographic hash, it is often possible, using pre-calculated tables of such hashes, known as “rainbow tables,” to determine the characters that constitute the original password.

Alternatively, an attacker might compromise a database that stores customer credit card information, exfiltrate that data, and then sell it. Another attacker might compromise an organization’s email system and publicly disclose sensitive internal communications. These scenarios would constitute a failure of information systems within the confidentiality pillar of the CIA Triad model, as information has become exposed to those who should not have access to it.
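As an added illustration of the hashed-password scenario above (example code, not part of the original article), the following Python shows why a pre-calculated table recovers an unsalted hash with a single lookup, and why a random per-account salt combined with a deliberately slow derivation (PBKDF2 here) makes such tables useless. The password list and the "leaked" records are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a small list of common passwords (hypothetical).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]

def unsalted_sha256(password: str) -> str:
    """The weak scheme from the scenario: one deterministic hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def precomputed_table(wordlist):
    """Hash -> password, computed once and reusable against every unsalted database."""
    return {unsalted_sha256(p): p for p in wordlist}

def store_password(password: str, iterations: int = 100_000) -> dict:
    """Hardened scheme: random per-account salt plus a deliberately slow derivation.
    A table would have to be rebuilt per salt, and each entry costs `iterations` work."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": key.hex()}

def check_password(record: dict, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                              bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(key.hex(), record["hash"])

def demo():
    table = precomputed_table(COMMON_PASSWORDS)
    # Constructed "leaked" records for the same weak password under both schemes.
    weak_record = unsalted_sha256("letmein")
    hardened_record = store_password("letmein")
    # A direct lookup recovers the unsalted one; the salted hash appears in no table.
    return table.get(weak_record), table.get(hardened_record["hash"])
```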

Solutions such as Microsoft’s Azure Information Protection allow organizations to address the confidentiality pillar of the CIA Triad. Azure Information Protection not only allows protected files to be accessed by authorized persons but can be used to limit how that access occurs. For example, it can block sensitive documents from being opened on unrecognized networks, which reduces the chance of information leakage.

More Information: You can find more about Azure Information Protection here.

Integrity

The integrity pillar of the CIA Triad involves ensuring that data retains its veracity over its lifetime. This means that data isn’t modified or deleted without authorization. It also means that authorized modifications are tracked, since an authorized person can still make an unauthorized modification. For example, if an Excel spreadsheet created several years earlier is subject to legal discovery as part of ongoing litigation, the court will want to ensure that the spreadsheet hasn’t been modified from its original state. If an organization has put in place controls to address the integrity pillar of the CIA Triad, it will be able to demonstrate to the court that the document is in its original, unmodified state.

Integrity of data

To address the integrity pillar of the CIA Triad, an organization needs to ensure that data retains its veracity and hasn’t been subject to unauthorized modification. There are multiple risks involved if an organization does not address the integrity pillar. For example, information that is business critical could be modified or deleted, causing the organization financial damage.

Ensuring the integrity of data isn’t just about ensuring that the data has the appropriate security permissions applied. While only authorized people should be able to modify data, it’s also necessary to ensure that it’s possible to detect when authorized people make unauthorized modifications to data. This can only be done if auditing and change tracking are implemented.

Integrity of configuration

Today the configuration of information systems is increasingly performed through code rather than traditional manual methods. Technologies such as Puppet, Chef, and PowerShell Desired State Configuration transform data describing system and application configuration into actual system and application configuration.

Ensuring the integrity of configuration data is important because a hypothetical attacker could, rather than attacking a running system directly, instead attack the code that describes the configuration of that system. In doing so, they’d be able to indirectly modify the configuration of the systems, making it simpler to attack those systems. The systems that host the code describing the configuration of other systems need controls in place to ensure that unauthorized modifications are not made to the system configuration code and that all authorized modifications are tracked.
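The two integrity requirements above, for data and for configuration-as-code, call for the same two controls: a baseline of approved content to compare against, and a tamper-evident record of every authorized change. The Python below is an added example (not from the article or any of the tools it names) that implements both for a set of constructed Puppet-style files: an authorized change is recorded in a hash-chained log, while an edit made with valid write access but no log entry is detected as an untracked modification.

```python
import hashlib
import json

# Constructed sample of configuration-as-code files (hypothetical Puppet manifests).
APPROVED = {
    "roles/web.pp": b"class web { package { 'nginx': ensure => present } }\n",
    "roles/ssh.pp": b"class ssh { sshd_config { 'PasswordAuthentication': value => 'no' } }\n",
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files):
    """Baseline of approved content, path -> SHA-256, kept on a separate write-restricted system."""
    return {path: digest(data) for path, data in files.items()}

def record_change(log, manifest, path, new_data, actor, ticket):
    """Authorized change: update the manifest and append a hash-chained audit entry."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"path": path, "digest": digest(new_data), "actor": actor, "ticket": ticket, "prev": prev}
    entry["entry_hash"] = digest(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    manifest[path] = entry["digest"]

def log_is_intact(log):
    """Each entry commits to its predecessor, so editing or dropping an entry breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev"] != prev or digest(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def verify(manifest, files):
    """Anything not matching the manifest is an untracked change (edit or deletion)."""
    return {p: "ok" if digest(files.get(p, b"")) == h else "altered" for p, h in manifest.items()}

def demo():
    manifest, log, live = build_manifest(APPROVED), [], dict(APPROVED)
    # Authorized change, tracked against a (constructed) change ticket.
    new_web = b"class web { package { 'nginx': ensure => '1.24.0' } }\n"
    record_change(log, manifest, "roles/web.pp", new_web, actor="alice", ticket="CHG-0042")
    live["roles/web.pp"] = new_web
    # An untracked edit by someone with write access weakens the SSH policy with no audit entry.
    live["roles/ssh.pp"] = live["roles/ssh.pp"].replace(b"'no'", b"'yes'")
    return verify(manifest, live), log_is_intact(log)
```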

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security.

Created by FutureLearn - Learning For Life
