This is the third part of a four-part blog series covering the CIA Triad. The first part discussed the CIA triad as a whole (Part I). Part II covered Confidentiality. Part IV will cover Availability.
Integrity. Many people hear or see that word and their first thought is of an individual’s trustworthiness. Do they have “integrity”? Will they do the right thing? Can they be trusted? That last question comes closest to the meaning of “integrity” within the context of the CIA Triad. Does the data have integrity? How do I know that this data has integrity? Can I trust that this data has not been altered in some manner I am unaware of? So how does integrity fit into the three core principles of security?
One point that many people, often those new to security, forget or lose sight of is that “security” is not strictly ones and zeroes, identifying attacker code, watching an attacker’s actions, monitoring tools, or anything else that Hollywood depicts as random characters rapidly scrolling across a green screen. (What’s interesting about the choice of green is that we haven’t had monochrome monitors in decades. And yet, all hackers, good or bad, do everything in green.) Security is about mitigating risk to the business. The focus may narrow to the data of the business, but the element of risk mitigation is always present. Data is often critical to the system and the purpose it serves, which means the data needs to be accurate and trusted. Entire business plans, market strategies, and more are determined by analysis of all of the data the organization has at its fingertips. If any of that data has been altered without the organization’s knowledge, the conclusions drawn from its analysis could be badly flawed. If those flawed conclusions become the basis for decisions, the organization puts itself at great risk by making the “wrong” move.
Knowing how to apply the elements of the CIA triad to a specific dataset is a critical part of data classification and identification. We must remember that we cannot, and do not, apply the same level of importance to all three principles for each type of data we are entrusted with securing. The guidance and priorities provided by leadership tell us which of the three principles we need to prioritize, and this is almost always, if not always, tied back to the data’s business use and need. Financial data used for budget planning, cost projections, and similar business needs, for example, must be trustworthy and reliable. The data must have integrity. Leaders using that information in their decision-making must be able to trust that no changes have been made to it that affect its integrity. Who needs access, for what purpose and to what extent, and why, is covered by the components of confidentiality and availability. However, when we reach a crossroads where we must sacrifice either of those or integrity, the determination has been made that integrity takes priority. This is no different from looking at data where confidentiality is paramount and choosing it over either of the other two principles.
Remember, it isn’t just financial data where integrity may be the most critical principle. That was only an example and may not hold at your organization. Leadership will always help set priority, hopefully based on need. Our solutions must always be fit for form and fit for purpose, and we must consider them within the context of the CIA triad and the order of the principles for each dataset. Integrity comes down to trust in the data: we can trust its source, and we can trust its current iteration.
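To make the two halves of that last sentence concrete (trust in the source, trust in the current iteration), here is an added example that is not part of the original post. It takes a constructed budget-planning record, protects it with a keyed HMAC, and shows that a silently altered copy fails verification, that an attacker without the key cannot produce a valid tag, and, by contrast, that an unkeyed hash only catches accidental change because anyone can recompute it over the altered data. The record, the key, and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed sample record: a budget projection, not real financial data.
RECORD = {"cost_center": "ops", "fy": 2025, "projected_spend_usd": 1250000}

# Hypothetical key known only to the system that publishes the record.
# Assumption for the example: a real deployment would load this from a secret store.
PUBLISHER_KEY = b"example-only-32-byte-secret-key!"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always produce equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Unkeyed SHA-256 over the record.

    Detects accidental corruption, but says nothing about the source: an
    attacker who changes the record can simply recompute this value.
    """
    return hashlib.sha256(canonical(record)).hexdigest()


def sign(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the record; only a key holder can produce it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """True only if the record is unmodified and the tag was made with `key`.

    compare_digest is constant-time, so the check does not leak how many
    leading bytes of a guessed tag were correct.
    """
    return hmac.compare_digest(sign(record, key), tag)


def demo() -> dict:
    """Walk through the trust questions and return the outcome of each check."""
    tag = sign(RECORD, PUBLISHER_KEY)
    results = {"original_verifies": verify(RECORD, tag, PUBLISHER_KEY)}

    # An attacker silently changes one figure in the current iteration.
    tampered = dict(RECORD, projected_spend_usd=125000)
    results["tampered_verifies"] = verify(tampered, tag, PUBLISHER_KEY)

    # With an unkeyed hash the attacker recomputes it over the altered data,
    # so a receiver comparing hashes sees nothing wrong.
    attacker_digest = digest(tampered)
    results["unkeyed_hash_matches_tampered"] = attacker_digest == digest(tampered)

    # Without the publisher's key, the attacker's HMAC over the altered data
    # does not verify, so both the change and the false source are caught.
    forged_tag = sign(tampered, b"key-the-attacker-guessed")
    results["forged_tag_verifies"] = verify(tampered, forged_tag, PUBLISHER_KEY)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the unkeyed-hash branch is the caveat a practitioner should carry away: a checksum stored next to the data answers "did this change by accident?" but not "did someone change it on purpose?", because the party who can alter the data can usually alter the checksum too. Tying the tag to a key (or a signature) that the data's consumers trust but attackers do not hold is what lets you trust both the source and the current iteration.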