What is the CIA Triad?
The CIA triad is a well-known model in information security that is used in the development of security policies. CIA stands for confidentiality, integrity, and availability, the three core properties of data and information protection. The data that organizations manage comes from many sources, including personal data, operational data, operational technology (OT) systems, and information technology (IT) systems. Data is one of the assets managed by security professionals, alongside applications and critical systems. To develop appropriate security policies using the CIA triad, security professionals must consider the relationships between the three components: how they conflict, overlap, and operate both dependently and independently.
Confidentiality. Confidentiality means keeping information hidden, anonymized, or obfuscated from people who are not authorized to view it. Following the principle of least privilege, users should have only the read, write, and execute permissions required to perform their job functions, and nothing more. Groups and individuals can be defined and classified so that it is clear which organizations, departments, teams, and individuals are permitted to access specific information. A breach of confidentiality may occur through many different means, such as malicious insiders, negligent insiders, hacking, or social engineering.
Integrity. Data integrity refers to the assurance that data has not been tampered with, corrupted, or degraded, whether accidentally or maliciously, during or after its submission. This assurance must hold throughout the lifecycle of the data, from its creation to its destruction. Integrity is most often at risk at two points: while data is being uploaded or transmitted, and while it is held in a database or other store, so controls are needed both in transit and at rest. An example of integrity protection in transit is Transport Layer Security (TLS), which attaches a cryptographic authentication tag to every record so that any modification on the wire is detected, and which authenticates the server so the client knows it is exchanging data with the intended party rather than an impostor. Integrity at rest is typically protected with cryptographic hashes, message authentication codes, or digital signatures over stored records, combined with write access restricted to authorized users and processes.
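The following Python example is added here to illustrate the integrity controls described above; it is not code from the original page. It uses a constructed order record standing in for data at rest or in transit, and a simulated attacker who can rewrite that record. It contrasts an unkeyed hash, which only catches accidental corruption because the attacker can simply recompute it, with an HMAC tag, which cannot be forged without the key. The record contents, the key, and the attacker's edit are all assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, standing in for data in transit or at rest.
ORDER = b'{"order_id": 1042, "total_cents": 1999, "currency": "USD"}'


def plain_hash(data: bytes) -> str:
    """Unkeyed SHA-256 digest. Detects accidental corruption, but anyone who
    can modify the data can also recompute and replace the digest."""
    return hashlib.sha256(data).hexdigest()


def verify_plain_hash(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_hash(data), digest)


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag. Without the key an attacker cannot produce a
    valid tag for modified data; TLS record protection and signed storage
    formats rely on the same principle."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of the tag matched.
    return hmac.compare_digest(mac_tag(key, data), tag)


def attacker_rewrite(data: bytes) -> bytes:
    """Simulated tampering (assumed scenario): change the order total
    from 19.99 to 0.01."""
    return data.replace(b'"total_cents": 1999', b'"total_cents": 1')


def unkeyed_check_is_fooled() -> bool:
    """An attacker with write access to both the record and its stored digest
    recomputes the digest; the check passes and the tampering goes unseen."""
    tampered = attacker_rewrite(ORDER)
    forged_digest = plain_hash(tampered)  # no secret needed
    return verify_plain_hash(tampered, forged_digest)


def keyed_check_detects_tampering(key: bytes) -> bool:
    """With an HMAC the attacker can rewrite the record but not the tag,
    so the original record verifies and the tampered one does not."""
    tag = mac_tag(key, ORDER)
    tampered = attacker_rewrite(ORDER)
    return verify_mac(key, ORDER, tag) and not verify_mac(key, tampered, tag)


if __name__ == "__main__":
    k = secrets.token_bytes(32)  # key kept out of the attacker's reach
    print("unkeyed hash fooled by rewrite:", unkeyed_check_is_fooled())
    print("HMAC detects rewrite:", keyed_check_detects_tampering(k))
```

The practical lesson is that a hash stored next to the data it protects is not an integrity control against a malicious actor; the verifier needs something the attacker does not have, such as an HMAC key or a signing key, and the key must itself be protected.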
Availability. Availability refers to information being obtainable by authorized users when it is needed. For a system to provide availability, its computing systems, security controls, and communication channels must all be functioning properly. Critical systems such as power generation, safety systems, and medical equipment often have stringent availability requirements, which means they must be resilient against power outages, mechanical failures, cyberattacks, disasters, and other events that could impact system availability.
The CIA triad model is adaptable to any type of organization. An example of applying the CIA triad model to an e-commerce site:
- Confidentiality: Two-factor authentication is used when users log into the e-commerce site.
- Integrity: Purchase history and customer service contact information are available to investigate any discrepancies.
- Availability: Users can access their accounts at any time and can contact customer service at established times.