Confidentiality, Integrity, and Availability or the CIA triad is the most fundamental concept in cyber security. It serves as guiding principles or goals for information security for organizations and individuals to keep information safe from prying eyes.
Confidentiality is about ensuring access to data is restricted to only the intended audience and not others. As you may expect, the more sensitive the information is, the more stringent the security measures should be. Many privacy laws rely on confidentiality security controls to enforce legal requirements.
Some measures to keep information confidential are:
- Two-factor authentication
- Security tokens
Integrity refers to maintaining the accuracy, and completeness of data. In other words, it is about protecting data from being modified by unauthorized parties, accidentally by authorized parties, or by non-human-caused events such as electromagnetic pulse or server crash. For example, a hacker may intercept data and modify it before sending it on to the intended recipient.
Measures to maintain the integrity of information include:
- User Access Controls
- Version Control
Lastly, information must be available when it is needed. To ensure high data availability, you must maintain a correctly functioning hardware and software and provide adequate bandwidth. But these measures alone are not enough because there are external forces at play; data availability can further be compromised by:
- Denial of Service (DoS)
- Power outages
- Natural disasters
DoS, for example, might be employed by a rival company to break your website so that its own website becomes more popular.
Measures to mitigate threats to availability include:
- Off-site backups
- Disaster recovery
- High-availability clusters
Challenges for the CIA Triad
Big data is especially challenging to the CIA paradigm because of the ever increasing amount of data that needs to be safeguarded. As technology advances, more devices are adding to the increasing stream of data in a variety of different formats. Also, because the main goal of handling big data is often to collect and make interpretations with all of the information, responsible oversight can be a secondary concern.
Internet of Things privacy and security is particularly challenging. Every year there are more internet-enabled devices on the market, which can remain unpatched or use weak passwords. While many devices don't transmit particularly sensitive information, it's possible for an attacker gather enough information from each endpoint, analyze it, and potentially reveal information you would rather keep private.
Other than the CIA triad, there are also other frequently recurring themes in information security:
- non-repudiation: assurance that someone/ something cannot deny something (e.g. one cannot deny the authenticity of a digital signature)
- authentication: proving that a person is who they claim to be
- reliability: confidence that one can depend on a system or process
- privacy: a generalized counterpart of confidentiality which also address the social consequence of failing to meet the requirement