This is part 1 of a four-part series. We’ll introduce the CIA concept as a whole here in the first post, then cover each component in more depth in subsequent posts.
One of the most critical concepts for security professionals is the CIA (confidentiality, integrity, availability) triad. It is at the core of everything we do, regardless of which area of info/cyber security we work in. It is a component for SOC analysts, threat intel, GRC, privacy officers, OpsDevSec SecDevOps DevSecOps, reverse engineering, and all the other colors of the rainbow. Yet it seems that a lot of folks coming out of certificate and college degree programs are not familiar with this core element of security. Some may have heard of it but struggle to remember what the abbreviation stands for. Some have never heard of it. And there are some who have heard of it and know what the abbreviation is short for, but still cannot explain its concepts, do not understand the meaning behind the letters themselves, and have little to no understanding of its importance across security. So I thought I would put together a bit of a primer, an introduction to the concept and its elements. If you are a long-time security professional, this probably won’t seem like it goes deep enough or is broad enough. That is fair. This is intended as an introduction to the CIA triad. It is for those who are new and those who were never taught it but now find themselves hearing people use it to frame conversations about their careers.
You probably already noticed that we’re dealing with yet another abbreviation. (CIA is an abbreviation, not an acronym. An acronym has a specific definition and formatting, the core of which is that the letters used to create the acronym must form a pronounceable word. The fact that people just start pronouncing an abbreviation does not make it an acronym. Sorry, my father was an English professor and this is a bit of a pet peeve of mine. Words have meaning. Now where was I?) What is it with security and its abbreviations? The IT and security worlds sure do love their abbreviations, don’t they? Just keeping all of the abbreviations straight is half of the learning experience. It doesn’t help that the broader you look, the more you see that various specialties actually use the same abbreviations with different meanings. Never mind the abbreviations we have that mean something entirely different in other professional arenas. Oh, and it’s not always the CIA triad: some people order it alphabetically and go with the ACI triad, and still others prefer AIC. Regardless of the order of the letters, their meaning remains the same. The letters stand for:
- Confidentiality – maintaining the appropriate level of “secrecy” for the data
- Integrity – knowing that data is accurate and has not had an unauthorized change occur since it was last used/accessed
- Availability – the people who need access to the data will have it when they need it, where they need it, and only to the extent that they should be allowed to interact with the data (read-only versus full authority, for example)
These three concepts cover the considerations and perspectives businesses and their security personnel should weigh when planning to secure their data. The CIA triad tends to be data focused. I argue that it can go above and beyond that: we can apply it to assets, to processes, and even to the reputation of the business and its overall health. But that’s for another day. For now, let’s just work with the standard data considerations that all security professionals use when looking at the data they are charged with protecting. We are always considering the requirements around the confidentiality, integrity, and availability of the data. What is required for each? How will that impact business use and business workflows? Which is the critical consideration for this data?
That last question is one that I find a lot of new security professionals struggle with in the beginning. Once they understand the three components and what they mean (more on each of them to come in subsequent posts), the struggle becomes understanding that all three are not equal at all times. While we consider the CIA triad when deciding how best to secure our data, we need to understand that all three are not of equal importance to all data. The type of data and its meaning to the business indicate which of the three principles is more important for our consideration and planning. Some data needs its confidentiality to be paramount, with integrity second and availability the principle leadership is willing to sacrifice a little to ensure its confidentiality needs are met. A good example here is the minutes of a company’s partner group meeting about the business mission. That information is critical to their business, but they cannot afford for it to get out, even within their own company. Confidentiality is critical. Contrast that with their marketing slicks (the flyers on vendor tables at conferences, used for posting and marketing across social media, etc.). A company isn’t really concerned about the confidentiality of its marketing slicks. If they were to get out to the general public, there isn’t really much of a risk there; the whole point of having the slicks is to get them out to the public. But their integrity? That is critical. You want to know that the data has not been altered or changed in any way and is no different from what was approved. Availability is important but needn’t be restrictive. The last thing you want is to be unable to access your marketing slick data at a moment’s notice.
One method an organization may use to help determine which order to stress the CIA principles in is data classification. You can set the importance of the triad components according to each data classification you implement. Data “A” is classified as “Private,” so it must have a high level of confidentiality and integrity, with allowances for its availability. Data “B” is “General,” so we’re even less concerned with availability restrictions, and we aren’t too worried about achieving a high level of confidentiality because there’s minimal impact if it should get out to the public. We do want to know that it is accurate, so we’re going to make sure the integrity of the data “cannot” be compromised. There is a lot of thought that goes into data classification and its methods, far too much to cover in any more depth in this post. Just be aware that data classification exists, can be a helpful tool, and implies which part of the triad is stressed more than the others.
The components of the CIA triad are the lens through which we look at vulnerabilities and address risk. As you go through a threat assessment, the question you’re ultimately considering is: what risk does this threat present to the confidentiality, integrity, and/or availability of my data? Is the principle most at risk the one that we classify as the most important for this data? If your answer is no, and the principle most at risk from the threat is one we’ve determined to be of least importance, then the risk is much lower. If the risk is lower and acceptable, the amount of resources needed to secure it does not need to be as high. Alternatively, if the principle most likely to be affected is the one we’ve deemed most critical, then we need to ensure we expend the proper amount of resources to reduce the risk to an acceptable level (this is a risk mitigation approach; there are times when the risk is deemed too great for mitigation alone and the organization could opt for another form of risk management, such as avoiding or transferring the risk). Whenever you come across a business component, consider which impact is greater if compromised, C, I, or A, and then decide how to address the risk. This applies to every avenue to the data: how it is stored, how it is accessed by users, how it is shared, what its backup cycle should be, and whether it requires a business continuity alternative.
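To make the two preceding paragraphs concrete, here is an added example (not from the original post) that ties a data classification to a CIA priority ordering and then scores a threat by which principle it hits. The "Private" and "General" weightings, the threats, the likelihood figures and the treatment thresholds are all constructed for illustration.

```python
# Added illustration (not from the post): a classification fixes the CIA priority,
# and a threat is weighed by the principle it lands on. All numbers are constructed.
from dataclasses import dataclass

# Constructed CIA weightings, ordered as the post describes: "Private" stresses
# confidentiality, then integrity, with allowances for availability; "General"
# stresses integrity and cares little about confidentiality.
CLASSIFICATION_WEIGHTS = {
    "Private": {"C": 1.0, "I": 0.7, "A": 0.3},
    "General": {"C": 0.1, "I": 1.0, "A": 0.5},
}

@dataclass
class Threat:
    name: str
    likelihood: float   # 0..1, how likely the threat is to be realised
    impact: dict        # 0..1 per principle: how badly C, I or A would be hurt

def priority_order(classification):
    """CIA principles for a classification, most important first."""
    w = CLASSIFICATION_WEIGHTS[classification]
    return sorted(w, key=w.get, reverse=True)

def principle_most_at_risk(threat):
    """The principle this threat damages most, independent of classification."""
    return max(threat.impact, key=threat.impact.get)

def risk_score(classification, threat):
    """Likelihood times the worst impact, scaled by how much the classification
    cares about the principle that impact lands on (0..1)."""
    w = CLASSIFICATION_WEIGHTS[classification]
    return round(threat.likelihood * max(threat.impact[p] * w[p] for p in w), 3)

def treatment(classification, threat, tolerance=0.3, avoid_above=0.8):
    """Map the score to the post's options: accept, mitigate, or avoid/transfer
    when mitigation alone will not do. Thresholds are constructed."""
    score = risk_score(classification, threat)
    if score <= tolerance:
        return "accept"
    return "avoid or transfer" if score >= avoid_above else "mitigate"

# Constructed threats: the same two threats assessed against both classifications.
LEAK = Threat("document leaked outside the company", 0.6, {"C": 1.0, "I": 0.0, "A": 0.0})
TAMPER = Threat("file altered after approval", 0.6, {"C": 0.0, "I": 1.0, "A": 0.2})

if __name__ == "__main__":
    for data, cls in (("partner meeting minutes", "Private"), ("marketing slick", "General")):
        for t in (LEAK, TAMPER):
            print(f"{data:24} {t.name:38} hits {principle_most_at_risk(t)} "
                  f"-> score {risk_score(cls, t)} -> {treatment(cls, t)}")
```

The same leak scores 0.6 (mitigate) against the Private minutes and 0.06 (accept) against the General slick, which is the point the post makes: the threat is identical, the classification decides how much of the budget it deserves.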
It doesn’t matter which security question you’re dealing with, the principles of the CIA triad are going to be at the core of your analysis. Network segmentation, policy writing, standards creation, business workflow development: whether or not everyone is actively thinking in terms of the triad, it is definitely shaping your considerations and conversations. So if you are just beginning your journey into the world of security, please be sure to dedicate some time to understanding the triad and each of its components. Then consider how those components apply in each situation where you’re assessing your security posture. It will be knowledge and insight that benefits you throughout the entirety of your career.