CIA triad

From Hill2dot0
(Redirected from CIA)
Jump to: navigation, search
The C-I-A Triad

Confidentiality means that information is only available to authorized users.

Integrity assures that the information has not been altered or changed.

Availability means that information is available when users require it.

Maintaining Confidentiality

Every business today generates information that ultimately should be kept safe and guarded from unauthorized access. Examples such as employee and customer records, customer financial data and supplier information must be kept confidential. If such information were to fall into the wrong hands, even inadvertently, the results could be public embarrassment, loss of business or even prosecution.

For instance, according to common law, the responsibility of maintaining confidentiality requires that a solicitor respect the proprietary and personal nature of their client's affairs. Information that a solicitor obtains about his or her clients' affairs may be confidential, and must not be used for the benefit of persons not authorised by the client. Confidentiality is a prerequisite for legal professional privilege to hold.

Maintaining confidentiality is crucial in this age of proprietary, sensitive, and confidential data transfer and storage. In many cases, new regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) [1] [2] are mandating it. Not only must one be aware of the confidential requirements, but also answer the question of how is the confidentiality going to be maintained? Who has the rights to see the information? A lack of confidentiality can also undermine the integrity of the information.

Maintaining confidentiality is now a key consideration in any security process.

There are numerous ways to maintain confidentiality.

  • Requiring that users of information log on to a network, server, or file to obtain the information
  • Multiple levels of Authentication, Authorization and Accounting (known as AAA)
  • Creating separation of responsibility
  • Keeping files under lock and key
  • Recording who had access to what and when

Maintaining Integrity

Integrity is about trust. When data has integrity, you can trust that you will get an accurate response in a timely manner, or that the information has not been changed or altered. If the information or the systems cannot be trusted, the information and systems and their successful use, potential productivity, and service value are all undermined. It is possible today, that altering or changing the information can have legal ramifications.

Integrity, in terms of data and network security, therefore is the assurance that information can only be accessed or modified by those authorized to do so. Measures taken to ensure integrity include controlling the physical environment of networked terminals and servers, restricting access to data, and maintaining rigorous authentication practices. Data integrity can also be threatened by environmental hazards, such as heat, dust, and electrical surges.

Practices that can be followed to protect data integrity in the physical environment might include:

  • making servers accessible only to network administrators
  • keeping transmission media (such as cables and connectors)covered and protected to ensure that they cannot be tapped
  • protecting hardware and storage media from power surges, electrostatic discharges, and magnetism.

Technologically, network administrator might use tools such as:

  • maintaining current authorization levels for all users
  • documenting system administration procedures, parameters, and maintenance activities
  • creating disaster recovery plans for occurrences such as power outages, server failure, and virus attacks.

Creating Availability

Availability is what networking is all about. Making information available to those who need it, where they need it, and when they need it provides employees an edge in productivity and a competitive advantage, and also enhances customer loyalty and value. Not everyone needs access to everything. But when they do, perhaps they are not in their office safely behind a corporate firewall. How does a remote employee gain access to private corporate information in a secure manner? If a Virtual Private Network (VPN) is being used, what type of VPN, and how will it be deployed?

There are numerous methods of creating VPNs which are discussed under that section.

Summary

Network attacks or exploits compromise some or all of these goals of network security. The role of the network security specialist is to maximize the confidentiality, integrity, and availability of information and systems appropriately and cost-effectively. Different applications require different levels of confidentiality, integrity, and availability.


One thing to keep in mind is that there are various tools that can be used to create C-I-A. Physical tools, Administrative tools and Technological tools can be used individually or in combination to create the desired level of confidentiality, integrity or availability as defined by the security policy.

Additional References

The C-I-A Triad podcast

See Also

Information Security