Understanding “Confidentiality” Within the CIA Triad

This is the second part of a four-part blog series covering the CIA Triad. The first part discussed the CIA triad as a whole (Part I). Part II will cover Confidentiality with parts III and IV covering Integrity and Availability.

Three can keep a secret, if two of them are dead.

Benjamin Franklin, Poor Richard's Almanack

Confidentiality, the C in the CIA triad, tends to be the principle that gets the most attention. There is an overemphasis placed on keeping things secret or private. News stories about data breaches or leaks tout the amount of privacy that was lost and how much personal information has been gathered by criminals. There is an element of trust that we place in the vendors and products we purchase or use: that our information will be kept safe. If we're trusting a professional services firm, such as accountants or lawyers, our expectation is that our records will only be shared with us and our representatives. So what are we really talking about when we talk about confidentiality? What are the considerations around it, and how do we account for it when building a security program?

We can't really consider all angles of confidentiality until we've determined what it actually means. Many of us are familiar with the word. "Keep this confidential." We all know that means not telling anyone else the secret we're being entrusted with. The simple fact that something is classified as confidential implies that it is to be kept secret. Confidential is akin to "need to know": the information should only be shared with those who have a need to know it. In security, the CIA triad is often data-centric, so it is the data that we are ensuring stays confidential. Think of the accountant from earlier. If I'm trusting them to handle my taxes, I'm going to provide them with all of the appropriate forms and information they need to perform that task for me. I am also trusting them not to share my information with anyone else. There's often an expectation that they'll limit access to my data internally to only the staff working on my return.

The amount of resources and the level of confidentiality that we apply to data is based on the potential fallout if that data is accessed by an unauthorized party. This consideration has many facets; it's not just about data falling into the hands of criminals or being exposed publicly in a leak. You must also consider data being exposed internally to personnel who have no reason to access it. This could be the financial information for the organization, the upcoming business plan, partner meeting minutes, employee HR records, employee payroll records; the list can go on and on. Remember, we're working from the perspective of need to know. Just because data exists within an organization is not enough reason to allow that data to be accessible to everyone who works there. Referring back to the Franklin quote at the beginning, if we're looking to ensure that our data maintains the highest level of confidentiality possible for it, we need to be smart about who actually has access to the data.

One method is access control. We can put controls in place that limit whose accounts may access that data within our file storage, or which systems may access that storage area. Many times this is done with folder and file permissions. It is always a good idea to assign permissions to groups rather than to individual users whenever possible. Generally speaking, if someone is a member of a group that has access to one set of data, that same group is likely permitted access to several related data sets. If you set permissions per individual, there is a lot more administrative maintenance required to ensure that our confidentiality plan is always being met: every hire, departure or change of role means editing the permissions on each affected folder rather than a single group membership. We could also use different storage locations for different data sets based on their classifications, then control who has access to the various document libraries based on their need to know.

Encryption is another method used for confidentiality. If we encrypt data, it can only be read by those who possess the ability to decrypt it, and that ability should be limited to the parties we've determined. Yes, some encryption may be able to be cracked, and quantum computing threatens to render modern encryption moot, but there are no perfect solutions. Encryption, when done properly, provides a strong level of confidentiality for our data. We're not going to get into too much detail about encryption and how we could use it; that's another post for another time. But keep in mind that cryptography, including encryption, hashing and digital signatures, is a very valuable tool for security professionals, and you will find yourself implementing it in a number of areas. And it's a tried and true method, with its use dating back millennia.

But confidentiality is not always the most important principle. Sometimes the integrity or availability of the data is more critical because of its use and value within an organization. If you read Part I, you may remember I referenced marketing slicks. Our marketing materials are data that we create to promote our business. If we go back to the initial question (what's the fallout if this information should become public?), then we can see that we aren't too concerned with that here. Marketing materials are made to be shared widely. We're not talking about all marketing data, or even all the data that is used and created by our marketing department; we're solely looking at the data designed for public dissemination. Confidentiality is not of the utmost concern. We would focus our resource expenditure on Integrity and Availability more than on Confidentiality. So we may set our access controls to allow more of the general user base to have read access, but greatly limit who has edit rights.
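The two access-control ideas above (permissions granted to groups rather than individuals, with separate libraries per classification, and public marketing material that everyone can read but only marketing can edit) can be put into a small working model. This is an added example, not code from the original post; the group names, staff names, libraries and the overexposure threshold are all constructed for illustration.

```python
"""Need-to-know access control modelled with groups and classified libraries.

Added example (not part of the original post). Groups, staff names, libraries
and the audit threshold below are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    PUBLIC = 1        # made to be shared widely, e.g. marketing slicks
    INTERNAL = 2      # general staff business
    CONFIDENTIAL = 3  # HR records, payroll, business plans, client tax files


READ, WRITE = "read", "write"


@dataclass
class Library:
    """One storage location holding a single data set of a single classification."""
    name: str
    classification: Classification
    acl: dict  # group name -> set of actions; permissions are granted to groups only


# Group membership is the only place a person's name appears (constructed data).
GROUPS = {
    "all-staff": {"alice", "bob", "carol", "dave"},
    "marketing": {"carol"},
    "hr": {"dave"},
    "tax-team": {"alice"},
}

# Separate libraries per data set, each with its own classification and ACL.
LIBRARIES = {
    "marketing-public": Library("marketing-public", Classification.PUBLIC,
                                {"all-staff": {READ}, "marketing": {READ, WRITE}}),
    "hr-records": Library("hr-records", Classification.CONFIDENTIAL,
                          {"hr": {READ, WRITE}}),
    "client-tax-files": Library("client-tax-files", Classification.CONFIDENTIAL,
                                {"tax-team": {READ, WRITE}}),
}


def groups_of(user: str) -> set:
    """All groups the user is currently a member of."""
    return {g for g, members in GROUPS.items() if user in members}


def is_permitted(user: str, library: str, action: str) -> bool:
    """Need to know: allowed only if some group the user belongs to is granted the action."""
    lib = LIBRARIES[library]
    return any(action in lib.acl.get(g, set()) for g in groups_of(user))


def move_user(user: str, old_group: str, new_group: str) -> None:
    """Staff rotation touches group membership only; no library ACL changes."""
    GROUPS[old_group].discard(user)
    GROUPS[new_group].add(user)


def grant(library: str, group: str, actions: set) -> None:
    """Add actions for a group on a library (the kind of change an audit should review)."""
    LIBRARIES[library].acl.setdefault(group, set()).update(actions)


def audit_overexposure(max_members: int = 2) -> list:
    """Flag CONFIDENTIAL libraries readable by a group larger than the expected
    need-to-know population. The threshold is an assumption for this example;
    in practice it would come from the data owner's classification decision."""
    findings = []
    for lib in LIBRARIES.values():
        if lib.classification is not Classification.CONFIDENTIAL:
            continue
        for group, actions in lib.acl.items():
            if READ in actions and len(GROUPS[group]) > max_members:
                findings.append((lib.name, group, len(GROUPS[group])))
    return findings


if __name__ == "__main__":
    # Public marketing material: everyone reads, only marketing edits.
    print(is_permitted("bob", "marketing-public", READ), is_permitted("bob", "marketing-public", WRITE))
    # Alice moves from the tax team to HR: access follows the group, nothing else changes.
    move_user("alice", "tax-team", "hr")
    print(is_permitted("alice", "client-tax-files", READ), is_permitted("alice", "hr-records", READ))
    # A careless grant to all-staff on a confidential library is caught by the audit.
    grant("hr-records", "all-staff", {READ})
    print(audit_overexposure())
```

The audit is the check a defender wants to run regularly: it walks the confidential libraries and reports any group whose membership is wider than the need-to-know population, which is exactly the internal overexposure the paragraph above warns about.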

The CIA Triad is an important, core principle for security. We always need to remember that this does not mean all three elements must be considered of equal importance for every piece of data. Confidentiality focuses on the risk to the business of specific data being accessed by a party, either internal or external, that has no need to know. There are various risks connected to confidentiality: regulatory, legal and market-share impacts, and our business's reputation, may all be at risk from data breaches and/or leaks. Risk, and its acceptance, is what we weigh when deciding the level of confidentiality acceptable and necessary for data. But for our purposes here, it's important to understand that confidentiality is a straightforward concept. It isn't about keeping secrets from those who should know. It is about ensuring that data is protected from anyone beyond its accepted audience.

Published by Darth Sneakers

I am an InfoSec veteran, with endpoint monitoring, SIEM, policy and procedure, phishing, and awareness training, both internal and as an external provider.