CIA TRIAD

What is the CIA triad? How do we prioritize it in our organization, and what are the implications if one of the principles is breached?

CIA TRIAD

Confidentiality, Integrity, and Availability are the fundamental building blocks of every information security framework. These principles form the basis of an organization’s security infrastructure. Deciding whether a security breach has occurred usually comes down to asking whether one or more of the CIA principles was violated.

When carrying out a risk assessment, security practitioners evaluate threats and vulnerabilities based on their potential impact on the confidentiality, integrity, and availability of the organization’s assets.

In this article, I will explain the three components of the CIA triad and give examples of how they are applied.

CONFIDENTIALITY

Confidentiality refers to protecting information from disclosure to anyone not entitled to see it. This means ensuring that only authorized users are given access to the information they require, and that unauthorized persons are kept out of the information system.

One of the most common ways to ensure the confidentiality of information is encryption. Encryption is the process of converting data from a readable form, known as plaintext, into an unreadable form, known as ciphertext, using a secret key. Encryption is not the same as encoding: an encoding such as Base64 only changes the representation of the data and can be reversed by anyone, without any key, so it provides no confidentiality at all. Encrypted data can only be decrypted, that is, converted back to its readable form, by someone holding the correct decryption key. Confidentiality is also supported by a sound access control and authentication system, strong and unique passwords, and Multi-Factor Authentication.
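As an added example (this is not code from the original article), the following Python script shows the difference between encoding and encryption using only the standard library. Base64 is an encoding: anyone can reverse it. A one-time pad, the simplest real cipher, is used here purely for illustration; in practice you would use an authenticated cipher such as AES-GCM from a vetted library. Without the key, the ciphertext cannot be read. The sample record is constructed.

```python
"""Added example, not from the original article: encoding is not encryption.

Standard library only. The sample record and keys are constructed.
"""
import base64
import secrets
from typing import Dict


def encode_base64(data: bytes) -> bytes:
    """Encoding: a reversible change of representation, no key involved."""
    return base64.b64encode(data)


def decode_base64(encoded: bytes) -> bytes:
    """Anyone who sees the encoded bytes can reverse the encoding."""
    return base64.b64decode(encoded)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each plaintext byte with a random key byte.

    The key must be at least as long as the message, truly random and never
    reused. Under those conditions the ciphertext reveals nothing about the
    plaintext to someone who does not hold the key.
    """
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse: decryption is the same operation with the same key."""
    return otp_encrypt(ciphertext, key)


def demo() -> Dict[str, bytes]:
    """Run both transformations on a constructed record and return the results."""
    secret = b"account 1234 balance 9800.00"        # constructed sample record
    encoded = encode_base64(secret)
    key = secrets.token_bytes(len(secret))          # the part that must stay private
    ciphertext = otp_encrypt(secret, key)
    wrong_key = secrets.token_bytes(len(secret))    # an attacker's guess at the key
    return {
        "secret": secret,
        "encoded": encoded,
        "decoded_without_key": decode_base64(encoded),
        "ciphertext": ciphertext,
        "decrypted_with_key": otp_decrypt(ciphertext, key),
        "decrypted_with_wrong_key": otp_decrypt(ciphertext, wrong_key),
    }


if __name__ == "__main__":
    r = demo()
    print("base64 decodes without any key :", r["decoded_without_key"])
    print("OTP decrypts with the right key:", r["decrypted_with_key"])
    print("OTP with the wrong key         :", r["decrypted_with_wrong_key"])
```

The point to take away is the key: Base64 output is the data in a different costume, while the one-time pad output is useless to anyone who does not hold the key, and a wrong key yields random bytes rather than an error.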

INTEGRITY

This principle refers to the accuracy and trustworthiness of information: it has not been altered by anyone unauthorized, and any alteration that does happen can be detected. This means protecting information from any unauthorized modification.

A cryptographic hash function is the usual tool for checking the integrity of information. It converts input data of any size into an output of fixed size, called a hash value or digest. Hashing is sometimes confused with encryption, but it differs in two essential ways: it uses no key, and it is one-way by design. The digest is a fixed-size fingerprint from which the original data cannot be recovered, and for a secure hash function it is computationally infeasible to find any input that produces a given digest. Note that a digest on its own only detects accidental corruption, or tampering by someone who cannot also replace the published digest. If an attacker can modify both the data and its digest, the digest must be bound to a secret key (an HMAC) or covered by a digital signature.

A secure hash function gives every distinct input a digest that is, in practice, unique. In theory two inputs can share a digest, since there are far more possible inputs than fixed-size outputs; this is called a hash collision. For a sound hash function, finding a collision is computationally infeasible, so a collision in practice points to a weak or broken algorithm (practical collision attacks exist for MD5 and SHA-1, which is why neither should be used for integrity checks), or to a deliberate attack exploiting such a weakness. The slightest change in the input, even a single bit, produces a completely different digest. Hashing is also used for storing passwords and for authentication; in that case a salted, deliberately slow password hash should be used rather than a plain general-purpose hash.
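As an added example (this is not code from the original article), the following Python script, standard library only, computes SHA-256 digests, shows that a one-bit change produces an unrelated digest, verifies data against a known-good digest, shows why a bare digest fails when the attacker can replace the digest too and how a keyed HMAC closes that gap, and hashes a password with salted, slow PBKDF2. The data, keys and passwords are constructed sample values.

```python
"""Added example, not from the original article: integrity checks with hashes.

Standard library only. Sample data, keys and passwords are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 at time of writing


def sha256_hex(data: bytes) -> str:
    """Fixed-size digest (64 hex characters) regardless of input length."""
    return hashlib.sha256(data).hexdigest()


def flip_one_bit(data: bytes, byte_index: int = 0) -> bytes:
    """Copy of data with the lowest bit of one byte flipped (avalanche demo)."""
    mutable = bytearray(data)
    mutable[byte_index] ^= 0x01
    return bytes(mutable)


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Integrity check against a digest obtained over a trusted channel.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading characters matched.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def make_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: a digest bound to a secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(make_tag(data, key), tag_hex)


def attacker_scenario(key: bytes) -> Dict[str, bool]:
    """Constructed scenario: the attacker can replace the file AND the digest
    published next to it, but does not know the HMAC key."""
    original = b"transfer 100.00 to account 5555"
    published_digest = sha256_hex(original)       # unkeyed: anyone can recompute it
    published_tag = make_tag(original, key)       # keyed: attacker cannot recompute it
    tampered = b"transfer 100.00 to account 6666"
    forged_digest = sha256_hex(tampered)          # attacker swaps the digest as well
    return {
        "original_digest_still_matches": verify_digest(tampered, published_digest),
        "bare_digest_check_fooled": verify_digest(tampered, forged_digest),
        "keyed_tag_check_holds": verify_tag(tampered, key, published_tag),
    }


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256 for password storage.

    The random salt defeats precomputed tables and makes equal passwords
    store differently; the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def check_password(password: str, salt: bytes, stored: bytes,
                   iterations: int = PBKDF2_ITERATIONS) -> bool:
    _, derived = hash_password(password, salt, iterations)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    doc = b"The quick brown fox jumps over the lazy dog"   # constructed input
    print("digest           :", sha256_hex(doc))
    print("one bit flipped  :", sha256_hex(flip_one_bit(doc)))
    print("attacker scenario:", attacker_scenario(b"server-side secret key"))
    salt, stored = hash_password("correct horse battery staple")
    print("password verifies:", check_password("correct horse battery staple", salt, stored))
```

In the attacker scenario the unkeyed digest still catches the change when the attacker could only touch the data, but it is worthless once the attacker can publish a fresh digest alongside the tampered data; the HMAC tag fails verification in both cases because computing a valid tag requires the key.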

AVAILABILITY

Availability refers to the accessibility of information. Information should be readily accessible to authorized users when they need it. Situations like a natural disaster, a power outage, hardware failure, or a denial-of-service attack can affect the availability of information. This principle implies that systems must be designed so that information remains accessible to authorized users despite such events.

Availability is supported by maintaining tested backups, building redundancy into systems and networks, and regularly updating and patching software and systems.

APPLICATION OF THE CIA TRIAD

The CIA principles can be applied in a banking scenario. When a customer walks into a bank and deposits some money into his account, he trusts that his money is safe with the bank. He does not expect that any random person can walk into the bank, ask about his banking details, including the balance of his account, and have that information divulged. This is confidentiality. He also does not expect any unauthorized modification of the balance of his account. This is the principle of integrity. The customer expects his money to be readily accessible to him whenever he needs it. That is availability.

In short, the bank is responsible for protecting the confidentiality of the customer's banking information, the integrity of the balance of his account, and ensuring that he gets his money whenever he asks for it.

Though the CIA principles are the goals and objectives of information security in every organization, their relative weight varies by industry. Some businesses place the most value on confidentiality, while others prioritize integrity, and others availability. This is determined by the nature of their business.

Some instances where one of the CIA principles is more important than the rest:

Confidentiality is the most critical principle of the CIA triad in firms where intellectual property, trade secrets, or records of customers' information, such as credit card numbers, are the most valuable assets. For example, if a corporation like Amazon is attacked and cybercriminals gain access to its customers' information, particularly their payment card details, the impact on the company will be greater than if a server goes down and customers are temporarily unable to access the website.

In financial institutions such as banks, integrity takes precedence over confidentiality and availability. A bank is more concerned with the integrity of the balances it holds on behalf of its clients than with the momentary availability of that money or with the confidentiality of clients' information.

For broadcast media, the most crucial information security principle is availability. They are more concerned with the availability of their service than with any other CIA principle. As an example, consider Big Brother, a reality show. An interruption in the transmission of the show will have a greater impact on the company than the disclosure of private corporate information or the alteration of its content.

HOW DO WE PRIORITIZE?

Prioritizing one principle over the others does not mean that the others are unimportant or inapplicable in that organization's information security infrastructure. For a strong information security system, all three principles must be kept in check.

Based on the potential impact of threats and vulnerabilities on the confidentiality, integrity, and availability of assets, organizations may trade off one or two principles in favour of another. The decision on which CIA principle to prioritize, and which to trade off, is made based on the impact a breach of each would have on the organization. The principle whose breach would have the greatest impact is prioritized.

The CIA triad is a central component of every organization's information security program and, as such, decisions on how its principles are prioritized should be made carefully.