Learning The Cyber “CIA” Triad


INTRODUCTION

For anyone in the cybersecurity field, or for anyone who is just learning the basics of cybersecurity, the most important concepts to understand are the confidentiality, integrity, and availability of data. Together, confidentiality, integrity, and availability make up the “CIA Triad”, and they are cited everywhere inside the cybersecurity world.


As described by current infosec professionals, the CIA triad is “the foundation of everything we do.” Confidentiality, Integrity, and Availability are the guiding principles applied to every single security decision and they are always kept in mind when exploring how to better protect a user’s data. Therefore, it is essential to know the three parts of the triad by heart:


CONFIDENTIALITY



“Confidentiality is ensuring that the people who are authorized to have access to information are the only people who are able to access that information.”

The confidentiality, or privacy, of data can be compromised if too many people have access to the same information. If a large group of people have access to data that is restricted, then it is more likely for the data to leak or become compromised through one of those people (a careless share, a phished account, a disgruntled employee). Therefore, by basic rules of probability, the smaller the number of people with access to confidential data, the less likely that information will circulate or run amok. The best ways of limiting access include restricting Unix file permissions for employees, deploying encryption, and using multi-factor authentication (MFA).


To maximize confidentiality, it is also vital that information is only provided to those with the “need to know”. For example: Access to a confidential app development project should not be given to an HR representative (unless the project calls for one). It also often happens that access to confidential data is given to individuals who should not have it based on their job position or ranking. Enforcing Role Based Access Control (RBAC), and splitting the essential duties of a task across more than one employee (separation of duties), is a perfect way to limit any single person’s discretion (example: instead of having only one employee in charge of keeping payroll, you assign different aspects of the job to four individuals).


Varying degrees of access should be granted in order to get work done, but it is imperative to remember: If someone doesn’t really need to know, then they should not know. Ensure that this principle is upheld by continuously updating your access lists, as well as monitoring the duration of an individual's access to a project (not too long, not too short, but just the appropriate amount of time to allow the work to be completed).
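To make the confidentiality rules above concrete (need to know, RBAC, separation of duties, and time-limited access-list entries), here is an added example that is not part of the original post. The roles, permission names, users and durations are constructed sample values, and the tiny access-list class is a hypothetical illustration rather than any real product's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample RBAC policy: each role maps to the actions it is allowed.
# Note that entering payroll and approving payroll are deliberately separate
# roles so that no single person can do both (separation of duties).
ROLE_PERMISSIONS = {
    "developer": {"project:read", "project:write"},
    "hr": {"employee_records:read"},
    "payroll_entry": {"payroll:write"},
    "payroll_approver": {"payroll:approve"},
}

# Pairs of actions that must never be held by the same user at the same time.
CONFLICTING_ACTIONS = [("payroll:write", "payroll:approve")]


@dataclass
class Grant:
    """One access-list entry: a role given to a user for a bounded time."""
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime


class AccessList:
    """Hypothetical access list with time-limited, role-based grants."""

    def __init__(self) -> None:
        self._grants: list[Grant] = []

    def grant(self, user: str, role: str, duration: timedelta, now: datetime) -> Grant:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        g = Grant(user, role, now, now + duration)
        self._grants.append(g)
        return g

    def revoke(self, user: str, role: str) -> None:
        self._grants = [g for g in self._grants if not (g.user == user and g.role == role)]

    def active_roles(self, user: str, now: datetime) -> set[str]:
        # A grant counts only inside its window; expired grants are ignored
        # even if nobody has gotten around to revoking them yet.
        return {g.role for g in self._grants
                if g.user == user and g.granted_at <= now < g.expires_at}

    def is_allowed(self, user: str, action: str, now: datetime) -> bool:
        """Need-to-know check: allowed only if an active role carries the action."""
        return any(action in ROLE_PERMISSIONS[r] for r in self.active_roles(user, now))

    def stale_grants(self, now: datetime) -> list[Grant]:
        """Grants past their expiry that should be cleaned out of the list."""
        return [g for g in self._grants if g.expires_at <= now]

    def separation_of_duties_violations(self, now: datetime) -> list[tuple[str, str, str]]:
        """Users whose active roles together give them conflicting actions."""
        violations = []
        for user in {g.user for g in self._grants}:
            actions = set().union(*(ROLE_PERMISSIONS[r] for r in self.active_roles(user, now)))
            for a, b in CONFLICTING_ACTIONS:
                if a in actions and b in actions:
                    violations.append((user, a, b))
        return violations


def demo() -> dict:
    """Walk through the checks on constructed sample users."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acl = AccessList()
    acl.grant("alice", "developer", timedelta(days=30), t0)   # project work, 30 days
    acl.grant("bob", "hr", timedelta(days=365), t0)           # HR, not on the project
    acl.grant("carol", "payroll_entry", timedelta(days=90), t0)
    acl.grant("carol", "payroll_approver", timedelta(days=90), t0)  # mistake: both halves
    return {
        "alice_can_read_project": acl.is_allowed("alice", "project:read", t0),
        "bob_can_read_project": acl.is_allowed("bob", "project:read", t0),
        "alice_after_expiry": acl.is_allowed("alice", "project:read", t0 + timedelta(days=31)),
        "stale_after_31_days": [g.user for g in acl.stale_grants(t0 + timedelta(days=31))],
        "sod_violations": acl.separation_of_duties_violations(t0),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two checks a reviewer of an access list would actually run are `stale_grants` (who still appears on the list after their window closed) and `separation_of_duties_violations` (who has quietly accumulated both halves of a task); both are cheap to schedule and catch exactly the drift the paragraph warns about.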


INTEGRITY



“Integrity ensures that information is accurately reflected and can therefore be trusted; no one has manipulated it or modified its contents, and it can be recalled back to its source.”

The integrity of data is ensuring that all information is accurate and that it has not been tampered with. In many instances, the integrity of data is violated quite easily.

Employees inside the organization may choose to make bad or immoral decisions with the information they have access to, giving rise to an insider attack. Adversaries constantly try to change the data (insert malicious code, give themselves ultimate control, or the good old-fashioned tactic of “get in and break stuff”) in order to inflict damage on users and the company.


Whenever data is being transferred, it is especially vulnerable. When information is being moved from one place to another, it is possible for it to become corrupted in transit, to not be converted to the correct form, or to become lost in the process. In order for information to be trusted, it must always be questioned as to whether it is reliable in its current state. Compare-by-hash is a common method to test the integrity of data. It works by comparing the hash value computed over the original material with the hash value computed over its current state (if the hashes do not match, the data has been altered since the original hash was taken). The integrity of data matters greatly for the reputation of an organization and its business. If users cannot trust the organization to keep their data always intact, then the organization may fail entirely.
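The compare-by-hash check described above, as an added example that is not part of the original post. It also shows the caveat a practitioner needs: a plain hash detects accidental corruption, but an adversary who can modify the data can recompute the hash too, so a keyed hash (HMAC) with a secret the adversary does not hold is what detects deliberate tampering. The sample record, key and the one-byte tamper are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a record as it left its source.
ORIGINAL = b"employee=1042;salary=85000;bank=DE89370400440532013000\n"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: detects accidental corruption or truncation in transit."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    """Compare-by-hash: recompute over the current bytes and compare to the
    digest taken at the source. compare_digest avoids timing leaks."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_matches(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def tamper(data: bytes) -> bytes:
    """Constructed in-transit modification: change the salary field."""
    return data.replace(b"salary=85000", b"salary=95000")


def demo() -> dict:
    key = secrets.token_bytes(32)          # shared by source and verifier only
    digest = sha256_hex(ORIGINAL)          # published alongside the data
    tag = hmac_tag(key, ORIGINAL)          # sent alongside the data

    # 1. Data arrives intact: both checks pass.
    intact = hash_matches(ORIGINAL, digest) and hmac_matches(key, ORIGINAL, tag)

    # 2. Accidental corruption (one byte flipped): both checks catch it.
    corrupted = bytearray(ORIGINAL)
    corrupted[10] ^= 0x01
    corrupted = bytes(corrupted)
    corruption_caught_by_hash = not hash_matches(corrupted, digest)
    corruption_caught_by_hmac = not hmac_matches(key, corrupted, tag)

    # 3. Deliberate tampering where the attacker also rewrites the published
    #    plain hash: compare-by-hash is fooled, the keyed tag is not, because
    #    the attacker cannot forge a tag without the key.
    altered = tamper(ORIGINAL)
    forged_digest = sha256_hex(altered)
    tamper_missed_by_hash = hash_matches(altered, forged_digest)
    tamper_caught_by_hmac = not hmac_matches(key, altered, tag)

    return {
        "intact": intact,
        "corruption_caught_by_hash": corruption_caught_by_hash,
        "corruption_caught_by_hmac": corruption_caught_by_hmac,
        "tamper_missed_by_hash": tamper_missed_by_hash,
        "tamper_caught_by_hmac": tamper_caught_by_hmac,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Where the data must also be attributable to its source across organizations that share no secret, a digital signature plays the role the HMAC plays here; the compare-by-hash step stays the same, only the thing protecting the reference value changes.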


AVAILABILITY



Availability is about ensuring that the appropriate users can access their information anytime, anywhere: the system is up and running, and data is backed up, for whenever users need it.

The challenge of maintaining ultimate availability usually comes into play when organizations are conducting Disaster Recovery Planning (DRP) or establishing a Business Continuity Plan (BCP) for the company; both are essential frameworks to ensure that business operations are alive and well during a crisis. Although DRPs and BCPs often get confused because of their similar purpose, to differentiate:

Disaster Recovery Plan - a plan to help the organization deal with the effects of a natural or man-made disaster during or after the crisis has taken place. It dictates instructions for team members on what to do in the event of a power outage, hurricane, cyber-attack, insider threat, etc.
Business Continuity Plan - a contingency-based plan that operates by identifying single points of failure in the organization's systems and coming up with alternatives to ensure that the company is able to remain running during an emergency.

In order to allow users from California to Florida to access their information, there must be continual maintenance of a system or product. Whether it be the replacement of hardware, software updates, bug removal, renewal of bandwidth, etc., a system must always be up and running to accommodate users when they need to access their information.

In case of a natural disaster or any scenario where information may be lost, failover systems, DRPs, BCPs, and regular system backups should always be implemented and in place.


CONCLUSION


It should be known that sometimes not all three branches of the CIA triad (Confidentiality, Integrity, and Availability) are applied equally at the same time. Each scenario must be weighed carefully by infosec professionals to decide how much confidentiality, integrity, or availability should be granted. For example: There are some cases when information must be shared with more people (gathering a larger team of data protection professionals) in order to protect the privacy of one individual. Based on the level of secrecy that a system contains, it may also be best not to make it highly available to users who could see things that they are not supposed to.


Overall, the main principle of the CIA triad is to always apply the right amount of each branch to every situation. It is your correspondent’s opinion that the integrity of data should always be held to the highest standard (for who would not require information to always be accurate?), but there will often be varying degrees of confidentiality and availability according to the event.

