CIA triad – The Basic Principles of Data Security

by Phillip Robinson
02.16.2017   IT Security


There are three basic principles to consider when deciding how to provide access to sensitive data in a secure manner: Confidentiality, Integrity, and Availability. These principles are collectively known as the CIA triad.

Confidentiality

The required level of confidentiality naturally constrains how widely certain data can be made available. Confidentiality is a question of how, and where, the data can be accessed, and by whom. To ensure confidentiality, one must safeguard the data using encryption (both at rest and in transit) as well as protecting the physical network and storage devices. However, it’s not only attackers monitoring the network for sensitive information that we need to be concerned about; we also need to watch out for ‘social engineering’ attacks. Social engineering attacks are those in which a user is deceived and manipulated into handing over sensitive information, for example a phishing email that asks the recipient to ‘confirm’ their password. Such attacks are becoming increasingly common and increasingly sophisticated. Since they exploit human error rather than a technical flaw, they are not easy to monitor and prevent. Training must be provided to ensure that staff members are vigilant and able to identify such attacks.

Integrity

Data has integrity if it is accurate and reliable. To maintain the integrity of the data, we need to focus on both the ‘contamination’ and ‘interference’ of the data – or in other words – the data that is stored on disk, and the data that is transmitted. While we are often made aware of viruses circulating on the web, it is just as often the case that a disgruntled or troublesome employee – such as a programmer – installs a back-door, leaving the data open to tampering. Network monitoring, strict access controls, and logging of changes can be used to protect against these kinds of attack. The integrity of the data can also be compromised in various non-malicious ways, such as incorrectly entering data or using the wrong applications to edit the data. The system should be set up to check for such eventualities (input validation, checksums, audit trails) and alert the users accordingly. Note that encryption on its own does not protect data from being tampered with during transit: many ciphers are malleable, so an attacker can alter the ciphertext and the change will pass unnoticed once decrypted. Integrity in transit requires a message authentication code (MAC), a digital signature, or an authenticated encryption mode, so that any modification is detected and the message rejected.
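The following added example (not code from the original article) illustrates the point made in the Confidentiality and Integrity sections above: encryption hides the content, but only a MAC detects tampering. It assumes a shared key, a constructed sample message, and a deliberately toy XOR stream cipher keyed from SHAKE-256 (chosen to make the malleability visible; a real system would use a vetted authenticated-encryption mode such as AES-GCM).

```python
"""Added example: encryption alone gives confidentiality, not integrity.

Assumptions (constructed for this demo, not from the article): a shared
32-byte encryption key and a separate MAC key, a toy XOR stream cipher
whose keystream comes from SHAKE-256(key || nonce), and a sample payment
message.  Standard library only.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: expand SHAKE-256(key || nonce) to `length` bytes.
    return hashlib.shake_256(key + nonce).digest(length)


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stream-cipher style: ciphertext = plaintext XOR keystream.
    # This hides the content (confidentiality) but is malleable: flipping
    # a ciphertext bit flips the same plaintext bit after decryption.
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


xor_decrypt = xor_encrypt  # XOR is its own inverse


def mac(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    return hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    ct = xor_encrypt(enc_key, nonce, plaintext)
    return ct, mac(mac_key, nonce, ct)


def open_checked(enc_key: bytes, mac_key: bytes, nonce: bytes,
                 ciphertext: bytes, tag: bytes):
    # Verify the tag BEFORE decrypting; compare_digest avoids timing leaks.
    if not hmac.compare_digest(mac(mac_key, nonce, ciphertext), tag):
        return None  # tampering detected: reject the message outright
    return xor_decrypt(enc_key, nonce, ciphertext)


def tamper(ciphertext: bytes, original: bytes, target: bytes, offset: int) -> bytes:
    # An attacker who knows (or guesses) the plaintext fragment at `offset`
    # can rewrite it without the key: ct' = ct XOR original XOR target.
    out = bytearray(ciphertext)
    for i, (o, t) in enumerate(zip(original, target)):
        out[offset + i] ^= o ^ t
    return bytes(out)


def demo():
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    msg = b"PAY 0100 TO ALICE"  # constructed sample; amount sits at offset 4
    ct, tag = seal(enc_key, mac_key, nonce, msg)

    # Attacker changes "0100" to "9999" directly in the ciphertext.
    forged = tamper(ct, b"0100", b"9999", 4)

    # Encryption alone: decryption "succeeds" and yields the forged amount.
    without_mac = xor_decrypt(enc_key, nonce, forged)
    # With the MAC: verification fails, so the forged message is rejected.
    with_mac = open_checked(enc_key, mac_key, nonce, forged, tag)
    # The untouched message still verifies and decrypts correctly.
    genuine = open_checked(enc_key, mac_key, nonce, ct, tag)
    return without_mac, with_mac, genuine


if __name__ == "__main__":
    no_mac, with_mac, genuine = demo()
    print("decrypted without MAC check:", no_mac)
    print("decrypted with MAC check:   ", with_mac)
    print("genuine message:            ", genuine)
```

Running the block prints the silently altered amount for the unauthenticated path and `None` for the authenticated one. The same principle is why TLS, SSH and IPsec all pair encryption with a MAC or an AEAD mode rather than relying on a cipher alone.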

Availability

There are many factors which may affect the availability of your system, such as: faulty or mismanaged network devices, network congestion, configuration changes, power outages, denial of service (DoS) attacks, as well as various environmental factors such as fires, hurricanes, etc. According to the University of Michigan, 23 percent of total network downtime is attributed to router failure, which is often the result of configuration changes. Availability of information doesn’t necessarily mean that all information must be available on request. If you are frequently storing large amounts of data, you may not have sufficient online storage space and may need to move older data to an offline storage unit, as long as it can still be retrieved when a permitted user needs it.

Since the CIA triad is used to define which data is confidential, how that data can be accessed without compromising its integrity, and whether the data is available to those who are permitted to access it, it is clearly important to ensure that a well-considered privacy and data security policy is put in place.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2017 Lepide Software Private Limited. All Trademarks Acknowledged.