Three core pillars of the CIA Triad

The guiding force behind data protection, underpinning the efforts and security policies of
many companies, is the CIA Triad. “CIA” is the acronym for confidentiality, integrity, and
availability. This triad aids IT security professionals in developing security policies,
identifying key security issues, and developing suitable solutions to those issues.

Confidentiality: limiting access to information

Companies handle various types of data, and some data is more sensitive than other data.
Types of data include client data, company data and personal identification information of
both customers and employees. In a technology-driven world, data is dubbed the new gold, as
cybercriminals aim to encrypt or steal it. These criminals most commonly use ransomware to
encrypt valuable data and then demand a ransom for it, typically in the form of
cryptocurrency. Furthermore, the size of the payout an organization must make to get its
information back may vary depending on the sensitivity of the encrypted data (Auger et al., 2021).
Typically, these ransomware attacks begin when threat actors send phishing emails to
company employees, hoping the employees open some sort of attachment or log into a
server. Once this happens, the threat actors have unauthorized access to information they
shouldn’t have.


However, not all data breaches are criminal in nature. For instance, a company employee might
accidentally send classified information to the wrong employee when it was meant for
someone else who has appropriate authorization for that information. Another example would be
a worker leaving their computer unattended without logging out, exposing it to prying eyes or
unauthorized access. Regardless of how these breaches occur, the consequence is always that
classified information is shared with unauthorized individuals (Auger et al., 2021).

How can we maintain the confidentiality of sensitive data?

Confidentiality can be increased through various countermeasures, as well as special training in
organizations to prevent data breaches. The use of strong passwords is highly recommended
instead of simple, easy-to-guess passwords. Additionally, special training that familiarizes
authorized personnel with how to handle sensitive documents, what the risk factors are, and how
to guard against them can increase confidentiality. More sensitive information can be stored only
on air-gapped computers, on disconnected storage devices, or in hard-copy form kept in a locked
room or filing cabinet. Alongside data encryption, 2-factor authentication can be used to securely
authenticate users, in addition to biometric verification, security tokens, key fobs or soft tokens
(Chai, 2022).

Restricting data access using authentication and authorization

The first countermeasure for limiting data access is authentication. Authentication is composed of
numerous processes that enable computer systems to verify that users are who they say they
are. Passwords, biometrics, security tokens, cryptographic keys and other authentication
techniques are used to establish the identity of users logging into the computer system.
Authorization is another technique to counter unauthorized access to data. Processes related to
authorization determine who has access and who doesn’t have access to certain data. Although
authorized users have access to a computer system or server, they don’t have access to all data.
Instead, they are limited to the data they’re authorized to view (access control). Data access
mechanisms are implemented for these user accounts so that, in the event an account is hacked
or an employee goes rogue, that account can’t compromise all of the data (Fruhlinger, 2024).
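The two gates described above, authentication (who are you?) and then authorization (what may you see?), as an added example that is not part of the essay or its sources. The users, passwords and document permissions are constructed for illustration; the point is that a stolen password still only opens the documents that account's role is allowed to see.

```python
# Added example (not from the essay): authentication and authorization as two
# separate gates. All users, passwords and ACL entries below are constructed.
import hashlib
import hmac
import os
from typing import Optional

def make_user(password: str, role: str) -> dict:
    """Store a salted PBKDF2 hash, never the plaintext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "role": role}

# Constructed user store and role-based ACL. No role is granted everything.
USERS = {
    "alice": make_user("correct horse battery staple", "hr"),
    "bob": make_user("bobs-long-passphrase-42", "engineering"),
}
ACL = {
    "payroll.xlsx": {"hr"},
    "design-doc.md": {"engineering", "hr"},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Gate 1: is the caller who they claim to be? Returns the username on success."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    # Constant-time comparison avoids leaking the stored hash through timing.
    return username if hmac.compare_digest(candidate, user["hash"]) else None

def authorize(username: str, document: str) -> bool:
    """Gate 2: may this already-authenticated user access this document?"""
    role = USERS[username]["role"]
    return role in ACL.get(document, set())

def read_document(username: str, password: str, document: str) -> str:
    """Both gates must pass; a compromised account reaches only its role's documents."""
    if authenticate(username, password) is None:
        return "DENIED: authentication failed"
    if not authorize(username, document):
        return "DENIED: not authorized"
    return f"OK: {document} released to {username}"

if __name__ == "__main__":
    print(read_document("bob", "bobs-long-passphrase-42", "design-doc.md"))
    print(read_document("bob", "bobs-long-passphrase-42", "payroll.xlsx"))  # authenticated, not authorized
    print(read_document("alice", "wrong", "payroll.xlsx"))
```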

Integrity: maintaining the correct state of data

This core pillar of the CIA triad ensures that data stays intact and unchanged. The integrity of
data is important for data that is stored, as well as data that is in transit. Alterations to data
shouldn’t occur, whether unauthorized or unintentional. The maintenance of data integrity begins
with access control, which ensures that only users authorized to modify data are allowed to do
so. If access controls are not maintained, employees can access a file and may delete it or make
changes to it, resulting in data loss or complications on the network (Auger et al., 2021).

How can we maintain the integrity of data?

The use of file permissions and access controls for users can maintain the integrity of data.
Version control can prevent erroneous changes or accidental deletion by authorized users.
Many companies have implemented means to detect changes in data caused by non-human events
such as an electromagnetic pulse or a server crash. Data integrity can be verified by checksums,
as well as by cryptographic checksums. Data restoration means such as backups or redundant
copies should also always be available (Chai, 2022).
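The checksum and cryptographic checksum mentioned above, as an added example that is not part of the essay or its sources. The record and key are constructed; the example shows that a plain SHA-256 checksum catches accidental corruption such as a bit flip after a crash, but that someone with write access can simply recompute it after an edit, whereas a keyed checksum (HMAC) cannot be reproduced without the key.

```python
# Added example (not from the essay): plain vs. keyed checksums for integrity.
# The record below and the key are constructed sample values.
import hashlib
import hmac
from typing import Optional, Tuple

RECORD = b"employee_id=1042;salary=85000;status=active\n"       # constructed
KEY = b"constructed-demo-key-kept-apart-from-the-data-store"  # constructed

def checksum(data: bytes) -> str:
    """Plain SHA-256: catches accidental corruption (bit flips, truncated writes)."""
    return hashlib.sha256(data).hexdigest()

def keyed_checksum(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: also catches deliberate edits, since an editor without the key
    cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(data: bytes, expected: str, key: Optional[bytes] = None) -> bool:
    """Recompute the checksum and compare in constant time."""
    actual = keyed_checksum(data, key) if key else checksum(data)
    return hmac.compare_digest(actual, expected)

def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate corruption from a crash or faulty medium: one bit changes."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)

def simulate_tamper(data: bytes) -> Tuple[bytes, str]:
    """Someone with write access edits the record AND recomputes the plain checksum."""
    edited = data.replace(b"85000", b"99000")
    return edited, checksum(edited)

def demo() -> dict:
    """Run the four cases and report whether each verification passes."""
    stored_sum = checksum(RECORD)            # stored next to the data
    stored_tag = keyed_checksum(RECORD, KEY)  # key lives outside the data store
    corrupted = flip_bit(RECORD, 20)
    tampered, forged_sum = simulate_tamper(RECORD)
    return {
        "intact_plain": verify(RECORD, stored_sum),           # True
        "corrupted_plain": verify(corrupted, stored_sum),     # False: bit flip caught
        "tampered_plain": verify(tampered, forged_sum),       # True: plain sum was recomputed
        "tampered_keyed": verify(tampered, stored_tag, KEY),  # False: tag cannot be forged
    }

if __name__ == "__main__":
    print(demo())
```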

Availability: reliable and timely access to information

This pillar ensures that authorized users have uninterrupted access to readily available
information. However, there are threats like cyber-espionage in which the attacker impacts the
network by encrypting all available data. Consequently, organizations are either forced to pay a
ransom to the attacker or start over from scratch, which is expensive and time-consuming.
Another type of attack that can impact data availability is the denial of service (DoS) attack. This
attack involves flooding the organization’s server with too many requests, which ends up
overwhelming the server and disrupting valuable service for clients and customers alike. Apart
from malicious activities, unintentional events like natural disasters, bandwidth shortages, or
unscheduled software patches can impact the availability of data (Auger et al., 2021).

How can we maintain the availability of data?

Companies can maintain the availability of data by performing hardware maintenance, as well as
maintaining the operating system. In addition, the use of redundancy, failover, and RAID can
reduce the consequences should hardware issues occur. In the event of a fire or natural disaster,
the organization’s data should have been backed up frequently and stored in a geographically
isolated location. Moreover, data backups should be stored in fireproof and waterproof locations.
Equipment and software such as firewalls and proxy servers can prevent downtime and
inaccessible data caused by things like DoS attacks and network intrusions (Chai, 2022).

Conclusion

The CIA Triad is a valuable tool for information security. It is useful in guiding security decision
making and in making security policies, while focusing on the three pillars of the CIA Triad.
Confidentiality makes sure that unauthorized people don’t have access to organization data,
whereas authorized users do have access. The use of access controls, user authentication, data
encryption, and company-wide training can increase awareness of looming cybersecurity threats.
Integrity is about making sure that data that is stored or in transit is true, complete, and accurate,
using version control and access controls for users. Lastly, the availability pillar consists of
making sure that data is readily available and that authorized users can access the desired
information without interruption. This can be accomplished by maintaining appropriate hardware,
performing the necessary upgrades, and servicing the operating system to ensure optimal
availability. Furthermore, backups and redundancies are effective techniques in the event of
corrupt data and natural disasters.


References

Auger, G., Scott, J., Helmus, J., & Nguyen, K. (2021). Cybersecurity career master plan: Proven techniques and effective tips to help you advance in your cybersecurity career. Packt Publishing, Limited.

Fruhlinger, J. (2024, July 12). What is the CIA triad? A principled framework for defining infosec policies. CSO Online. https://www.csoonline.com/article/568917/the-cia-triaddefinition-components-and-examples.html

Hashemi-Pour, C., & Chai, W. (2023, December 21). What is the CIA triad?: Definition from TechTarget. TechTarget. https://www.techtarget.com/whatis/definition/Confidentialityintegrity-and-availability-CIA
