Understanding the CIA Triad

BLUF:

The CIA triad is a cybersecurity model that dates back to the late 1990s, when confidentiality, integrity, and availability were formally treated as a single set. Each of these pillars is considered a foundational element of cybersecurity. Although some argue that the triad has been superseded by more modern frameworks, it remains the starting point for most security policy. Two concepts that support the triad, and the confidentiality pillar in particular, are authentication and authorization. Authentication establishes who you are; authorization determines what you are allowed to do once that identity is established. Together they are the basis of access control in any technology environment.


_________________________________________________________________________________________


The CIA Triad:

Formalized in 1998, the CIA triad is a cybersecurity model designed to guide an organization's security policies. Sometimes called the AIC triad, it consists of three pillars: confidentiality, integrity, and availability. Each pillar covers a broad area of security practice. Confidentiality focuses on preventing the unauthorized disclosure of sensitive data; the controls protecting that data should scale and become more restrictive as its sensitivity increases. Integrity focuses on the accuracy and consistency of data, above all ensuring that it has not been altered without authorization. Availability is concerned with keeping data and applications reachable when they are needed, which depends heavily on the infrastructure and hardware the data resides on. Understanding how these three interrelated concepts fit together is essential when an organization develops its data security policies.

Confidentiality:

Confidentiality, the first part of the CIA triad, requires that only the right people can access the data. The controls most people meet first are authentication controls: a username, a password, and a second factor. Unfortunately, not all second factors are created equal. With the rise of social engineering, the industry has pivoted toward phishing-resistant factors such as passkeys and hardware tokens built on the FIDO2 standard, typically unlocked with a biometric or PIN on the device itself; one-time codes delivered by SMS or email can still be relayed to an attacker in real time. Other strategies include requiring a VPN so that internal systems are not reachable directly from the internet, or air-gapping a machine so that it can only be used by someone physically in the room with it. Encryption is another tool for confidentiality: if encrypted data is leaked or stolen, it remains unreadable to the threat actor, provided the keys were not stored alongside it and were never exposed. At its core, confidentiality means that sensitive data is protected wherever it is, and the more sensitive the data, the stricter the controls preventing unwanted access should be.

Integrity:

Data integrity, the second pillar in the CIA triad, focuses on the trustworthiness of the data: is it providing the correct information? This broad category covers everything from protecting against accidental data loss, to ensuring the data has not been changed or tampered with, to ensuring it has been properly backed up and can be restored quickly and completely. Backup and restoration has become such an integral part of business continuity that it supports an entire industry, from offsite tape storage with companies like Iron Mountain to backup software such as Veeam and onsite high-density storage arrays from vendors such as Pure Storage. Integrity also extends to data in transit, for example in email or between applications. Ensuring that the message received is the same message that was sent, with nothing altered and nothing missing, has become more important than ever given our heavy reliance on email and application programming interfaces (APIs) for cross-application communication; cryptographic integrity checks such as message authentication codes and digital signatures are the standard way to detect such changes. With the world's reliance on data for everything from video streaming to financial and healthcare information, ensuring the correctness of our data has never been more critical.
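The in-transit integrity check described above, as an added example that is not part of the original post: a hypothetical service-to-service API call in which the sender attaches an HMAC-SHA256 tag over the exact bytes it transmits, and the receiver recomputes the tag with the shared key and rejects anything that differs, whether a field was changed, dropped, or reordered. The shared key and the invoice payload are constructed for the demonstration; the contrast with a keyless hash shows why a message authentication code, not a plain digest, is needed against an active attacker.

```python
"""Detecting in-transit alteration with a message authentication code.

Added example, not from the page. It models a hypothetical service-to-service
API call: the sender computes an HMAC-SHA256 tag over the exact bytes it sends,
and the receiver recomputes the tag with the shared key and rejects anything
that differs, whether a field was changed, dropped, or reordered. The key and
the invoice payload are constructed for the demonstration.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # in practice provisioned out of band


def canonical(payload: dict) -> bytes:
    """Serialize deterministically so sender and receiver authenticate identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = SHARED_KEY) -> str:
    """Hex HMAC-SHA256 tag over the canonical payload."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify(payload: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute and compare in constant time so a mismatch leaks no position."""
    return hmac.compare_digest(sign(payload, key), tag)


def plain_digest(payload: dict) -> str:
    """Keyless SHA-256, shown only to contrast with the keyed check."""
    return hashlib.sha256(canonical(payload)).hexdigest()


def demo() -> dict:
    """Constructed invoice message and the things that can go wrong in transit."""
    original = {"invoice": 1042, "amount": "250.00", "currency": "USD", "to": "acct-7"}
    tag = sign(original)

    # Untouched message: the tag recomputes identically.
    intact = verify(original, tag)

    # One field altered on the wire: the tag no longer matches.
    altered = dict(original, amount="2500.00")
    tampered = verify(altered, tag)

    # A component missing (field dropped): also rejected.
    truncated = {k: v for k, v in original.items() if k != "to"}
    missing = verify(truncated, tag)

    # A keyless hash is not an integrity control against an active attacker:
    # whoever alters the body can recompute the digest, and a receiver doing a
    # plain-hash comparison accepts it. The keyed check still fails, because
    # the attacker cannot produce a valid tag without SHARED_KEY.
    attacker_digest = plain_digest(altered)
    plain_hash_accepts = plain_digest(altered) == attacker_digest
    attacker_tag = sign(altered, key=b"attacker-does-not-know-the-key")
    hmac_accepts = verify(altered, attacker_tag)

    return {
        "intact": intact,
        "tampered": tampered,
        "missing": missing,
        "plain_hash_accepts_forgery": plain_hash_accepts,
        "hmac_accepts_forgery": hmac_accepts,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Canonical serialization matters as much as the MAC itself: if sender and receiver serialize the same object differently (key order, whitespace), a legitimate message fails verification, so both sides must agree on the exact bytes that are authenticated. A digital signature serves the same purpose when the parties cannot share a secret.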

Availability:

With today's reliance on data, ensuring it is available when needed is the third leg of the CIA triad. This philosophy of "high availability" spans all seven layers of the OSI model, influencing network design and architecture as well as the redundancy of the physical hardware the data sits on. On the network side, availability means multiple data ingress and egress paths, for an organization's office buildings as well as any data centers it uses. Building physical sites on top of SONET fiber rings, for example, is a straightforward way to keep a site connected when one path is cut. For hardware, running multiple data centers in geographically separate regions has become the modern standard. Two sets of hardware holding the same data in different locations let you spread demand across the infrastructure and protect the organization from natural disasters and other catastrophic events that render one location inoperable. This N+1 approach to both network and infrastructure design is key to ensuring data availability. The last strategy is to defend against downtime caused by threat actors. Denial-of-service (DoS) attacks consume available resources such as bandwidth, connections, or CPU so that legitimate employees or customers cannot reach the service. Controls such as firewalls, per-client rate limiting, and reverse proxies or scrubbing services like Cloudflare are needed to absorb or filter this traffic before it reaches the application.
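One of the controls a proxy or firewall applies against the resource-exhaustion traffic described above, as an added example that is not part of the original post: a per-client token bucket. Each client may spend a small burst and then refills at a fixed rate; requests that find the bucket empty are dropped before they consume application resources, so a flooding client is throttled while a normal client on the same service is still served. The client addresses and request pattern are constructed, and the clock is passed in rather than read from the system so the simulation is deterministic.

```python
"""Per-client token-bucket rate limiting in front of a service.

Added example, not from the page. It shows one control a reverse proxy or
firewall applies against resource-exhaustion traffic: each client gets a
bucket that refills at a fixed rate, and requests that find the bucket empty
are dropped before they reach the application. The clock is passed in rather
than read from the system so the simulation is deterministic; the client
addresses and request pattern are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Bucket:
    tokens: float  # requests the client may still make right now
    last: float    # time of the last refill calculation


@dataclass
class RateLimiter:
    capacity: int           # burst a single client may spend at once
    refill_per_sec: float   # sustained requests per second per client
    buckets: Dict[str, Bucket] = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        """Admit the request if the client's bucket holds a token; refill lazily."""
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = Bucket(tokens=float(self.capacity), last=now)
            self.buckets[client] = bucket
        elapsed = max(0.0, now - bucket.last)  # tolerate a clock that steps backward
        bucket.tokens = min(float(self.capacity), bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def simulate() -> dict:
    """One flooding client sends 1000 requests in a second alongside a normal client."""
    limiter = RateLimiter(capacity=10, refill_per_sec=5.0)
    served = {"flooder": 0, "normal": 0}
    dropped = {"flooder": 0, "normal": 0}

    for i in range(1000):                      # constructed flood: 1000 requests in 1 s
        if limiter.allow("10.0.0.66", i / 1000.0):
            served["flooder"] += 1
        else:
            dropped["flooder"] += 1

    for i in range(5):                         # constructed normal user: 5 requests in 1 s
        if limiter.allow("10.0.0.7", i / 5.0):
            served["normal"] += 1
        else:
            dropped["normal"] += 1

    return {"served": served, "dropped": dropped}


if __name__ == "__main__":
    print(simulate())
```

With a burst of 10 and a refill of 5 per second, the flooder gets 14 requests through in that second (the initial burst plus the refill) and the other 986 are dropped, while the normal client's 5 requests are all served. In a real deployment the bucket key is usually the source address or an authenticated client identity, and a distributed DoS spread across many sources still needs upstream scrubbing capacity, which is why the per-client limiter is one layer rather than the whole defense.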

Authentication vs. Authorization:

The usernames, passwords, and second factors discussed under confidentiality make up authentication. According to NIST Special Publication 800-63-3, Digital Identity Guidelines, authentication is the process of establishing confidence in the claimed identity of a user. Today we do this with credentials: verifying a unique username together with a memorized secret gives some level of trust that the user is who they say they are, and modern practice adds a second factor to raise that assurance level. Once these checks pass, the user is authenticated: the system knows who it is dealing with. Just as important is authorization, which dictates what the user may do once access has been granted. Document permissions are the clearest example. A user who is only allowed to view a document is authorized to read it but not to write to it; a user with read and write permissions is authorized both to view the document and to make changes. Authentication and authorization go hand in hand and are key to every cybersecurity framework. A hotel room key illustrates the intersection. Being issued a key at the front desk, after showing identification, is authentication: the hotel has established who you are. But the key will not open every door on the property. It works for your room, the elevators, and the gym, which are what you are authorized to use; other guests' rooms are outside your scope of privilege.
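The separation described above, and the password-plus-second-factor login described under Confidentiality, as an added example that is not part of the original post or of NIST SP 800-63-3: a hypothetical document service in which authentication answers only "who is this?" (salted PBKDF2 password hash plus a TOTP code, RFC 6238, verified server-side) and authorization answers only "may this principal do this?" (a per-document access-control list, consulted after authentication succeeds). The users, passwords, TOTP seeds, and the document are constructed for the demonstration.

```python
"""Authentication kept separate from authorization.

Added example, not taken from the page or from NIST SP 800-63-3. It assumes a
hypothetical document service: passwords are stored as salted PBKDF2 hashes,
the second factor is a TOTP code (RFC 6238) verified server-side, and each
document has an access-control list checked only after authentication passes.
Users, secrets and documents are constructed for the demonstration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # kept modest for the demo; follow current guidance in production


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash and salt are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given time, as an authenticator app computes it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(name: str, password: str, totp_secret: bytes) -> User:
    salt = ("salt-" + name).encode()  # constructed; use os.urandom(16) per user in practice
    return User(name, salt, hash_password(password, salt), totp_secret)


# Constructed identity store and per-document ACL (principal -> allowed actions).
USERS = {
    "alice": make_user("alice", "alice-pw-constructed", b"alice-totp-seed"),
    "bob": make_user("bob", "bob-pw-constructed", b"bob-totp-seed"),
}
ACL = {"budget.xlsx": {"alice": {"read", "write"}, "bob": {"read"}}}


def authenticate(username: str, password: str, code: str, now: int) -> Optional[str]:
    """Return the verified principal name, or None. Answers only 'who is this?'."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"dummy-salt")  # keep timing similar for unknown users
        return None
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return None
    # Second factor: accept the current 30 s window or the previous one for clock drift.
    if not any(hmac.compare_digest(totp(user.totp_secret, now - drift), code) for drift in (0, 30)):
        return None
    return user.name


def authorize(principal: str, document: str, action: str) -> bool:
    """Answer only 'may this principal do this?'; deny by default."""
    return action in ACL.get(document, {}).get(principal, set())


def handle_request(username: str, password: str, code: str, document: str, action: str, now: int) -> str:
    """Identity first, then permission for the requested action on the requested document."""
    principal = authenticate(username, password, code, now)
    if principal is None:
        return "denied: authentication failed"
    if not authorize(principal, document, action):
        return f"denied: {principal} is not authorized to {action} {document}"
    return f"ok: {principal} may {action} {document}"


if __name__ == "__main__":
    now = 1_700_000_000
    bob_code = totp(USERS["bob"].totp_secret, now)
    print(handle_request("bob", "bob-pw-constructed", bob_code, "budget.xlsx", "read", now))
    print(handle_request("bob", "bob-pw-constructed", bob_code, "budget.xlsx", "write", now))
```

Bob authenticates successfully with the right password and code, is allowed to read the budget, and is refused when he tries to write it: the same verified identity, two different authorization outcomes. Authorization never sees the password or the code, only the principal name that authentication produced, which is what keeps the two questions from being confused in the code as well as in the model.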

Conclusion:

The CIA triad has long been a foundational piece of the cybersecurity framework. While some contend that it has become outdated and needs to be modernized, its three pillars of confidentiality, integrity, and availability hold as true today as they did when first formalized in 1998. They focus on limiting access, ensuring the accuracy of the data, and keeping the data accessible when it is needed. A key component of this model is the intersection of authentication and authorization: verifying that users are who they claim to be, so that only those who should have access get it, and limiting what a specific user can do once access has been granted. Both are essential to protecting data and to a strong cybersecurity posture.



Citations:

Grassi, Paul A., et al. “Digital Identity Guidelines.” NIST Special Publication 800-63-3, 22 June 2017, nvlpubs
