What is the CIA Triad?
This course looks at the CIA triad, which is an essential component of cybersecurity. You'll learn about the three tenets of the CIA triad (confidentiality, integrity, and availability) and how they can be used to secure your environments.
This course is intended for anyone who wants to improve their knowledge of risk management in an information security context.
We recommend taking this course as part of the IT Security Fundamentals learning path.
Hello and welcome back. Let's now introduce and discuss the CIA triad. The CIA triad has three tenets, C-I-A: confidentiality, integrity, and availability. The descriptions and their definitions are taken directly from ISO 27000. So let's examine the definitions:
Confidentiality is ensuring that information is not made available or disclosed to unauthorised individuals, entities or processes.
So we're always trying to protect the confidentiality of an asset. While similar to 'privacy,' confidentiality and privacy aren't interchangeable. Confidentiality is a component of privacy and it protects our data from unauthorised viewers. Examples of breaching confidentiality could be laptop theft, password theft, or sensitive emails being sent to the incorrect individuals.
In information security, data integrity involves maintaining and assuring the accuracy and completeness of data over its entire lifecycle. This requires us to ensure that data cannot be modified in an unauthorised or undetected manner. Information security systems typically provide message integrity alongside confidentiality, because encrypting data on its own does not stop someone from altering it.
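To make the "cannot be modified in an undetected manner" requirement concrete, here is an added example (not part of the course material) that protects a customer record with a keyed message authentication code (HMAC-SHA256). It also shows why an unkeyed hash is not an integrity control: anyone who can change the data can recompute the hash. The record, key and field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example. In a real system it lives in a key store
# or HSM and is never embedded in source code.
SECRET_KEY = b"example-integrity-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so identical content always
    produces identical bytes (key order and whitespace cannot vary)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: dict, key: bytes = SECRET_KEY) -> str:
    """Return an HMAC-SHA256 tag over the canonical form of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag and compare in constant time, so the check itself
    does not leak which bytes of the tag matched."""
    return hmac.compare_digest(sign_record(record, key), tag)


def unkeyed_hash(record: dict) -> str:
    """A plain SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def demo():
    """Show a genuine record passing, a tampered record failing the keyed
    check, and the same tampered record fooling the unkeyed check."""
    customer = {"id": 1042, "email": "alice@example.test", "balance": 120.50}
    tag = sign_record(customer)
    stored_hash = unkeyed_hash(customer)

    # Someone with write access alters the balance.
    tampered = dict(customer, balance=9120.50)

    keyed_ok = verify_record(customer, tag)         # True: untouched record
    keyed_tampered = verify_record(tampered, tag)   # False: change detected

    # Without a key the attacker simply stores a new hash next to the data,
    # and the "integrity check" passes.
    forged_hash = unkeyed_hash(tampered)
    unkeyed_fooled = forged_hash == unkeyed_hash(tampered) and forged_hash != stored_hash

    return keyed_ok, keyed_tampered, unkeyed_fooled


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The key is what turns a digest into an integrity control: the verifier must hold something the person modifying the data does not. Where the data is also confidential, the same idea is usually applied as authenticated encryption rather than a separate MAC.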
For an information system to deliver a service, the information it provides must be readily available when that information is needed. This means the systems used to store and process the information, the security controls used to protect it, and the communication channels used to access the system and the information within it must be functioning correctly.
High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also includes preventing malicious activity such as denial-of-service attacks. In a denial-of-service attack, a flood of incoming messages is sent to a system with the intent of slowing it down or forcing it to shut down.
Maintaining availability will often be a cornerstone of a successful information security program. Availability is a core aspect of a business functioning. Business users need to be able to access a system to perform job functions.
There is a wide range of aspects and perspectives to availability: firewalls, security groups, network access control lists, proxy configurations, the ability to access shared drives, and the ability to send and receive messages.
Maintaining availability often requires communication and collaboration across teams such as network operations, development operations (aka, DevOps), incident response, compliance and policy/change management. A successful information security team will include representatives from different key roles within the business.
So we could take our servers and lock them up in a caged server room, in a completely secure building with no windows and just one secured door. Those systems would then be incredibly secure. However, they would not be available. If we focus on just one side of the triad like this, we risk neglecting one of the other sides. Imagine a ball that we push towards confidentiality and integrity: we now know the data won't change at all and will remain complete, because no one can get to it and no one can access the server. But that's not really security. These are our tenets of security: CIA. If you breach any of them, you find yourself in a world of issues.
Now, as organizations go, some have a preference for the type or style of security that they favour or that they will move towards.
Some organizations lean more towards confidentiality. It doesn't mean that they neglect integrity or availability; it just means they prefer confidentiality. So most of their security for an asset or assets will be directed towards the confidentiality area, and they'll be less focused on integrity and availability.
Some may prefer two sides of the triad, such as confidentiality and availability, and integrity isn't too much of an issue for them. That doesn't mean it's neglected; it's just not a top priority.
Breaching that confidentiality, or maybe if we moved towards integrity, is more of an issue for them than it not being available for a few moments, maybe.
So integrity and confidentiality being breached may not mean as terrible fines as the availability of that system being breached so they'll focus on those two.
And that's why we now look at technology and the actual needs of an organization when deciding which controls to put in place. This is often the reason why technical folk misunderstand why their ideas get rejected by an executive board.
Let's say Mike has a website, it sells pictures of the British flag in different colours. So anybody that wants one of those hung up in their front room can purchase one. Another character, John, objects to the idea of the British flag being sold in this way.
So using his newfound ethical hacker skills, John goes rogue and the ethical part is forgotten. He goes to hack Mike's website. He manages to breach the website and find the customer database for everybody that has ever purchased a flag from the website. Once he's in there, John changes the customer passwords, and he also takes a copy of the database so that he can contact the customers and let them know what he thinks about the flag being displayed in the incorrect colours. Let's examine what John has done and which tenets of information security he has breached in the triad.
Immediately recognisable are Confidentiality and Integrity. John has accessed user details so he has breached confidentiality. He has changed user details, so he has also breached data integrity.
He has also impacted availability to some degree as users may not be able to log in after the change to their credentials.
That means we have hit all three tenets of the triad. Authorised entities cannot get in, they don't have access, and the system is supposed to be accessible and usable upon demand.
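From the defender's side, the integrity and availability damage in this scenario (one intruder resetting many customers' passwords) is something an audit log should make visible quickly. The following is an added example, not part of the course, of a small detector that flags any source address that changes the password of several distinct users within a short window. The log format, field names, addresses and threshold are all constructed for the example; a real application would carry its own audit events and the threshold would be tuned to normal help-desk activity.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines for the example (not from any real system).
# One source performs a single, normal password change; another resets
# five different customers' passwords in a few seconds.
AUDIT_LOG = """
2024-05-01T10:00:01Z event=login user=alice src=198.51.100.20
2024-05-01T10:00:05Z event=password_change user=alice src=198.51.100.20
2024-05-01T10:30:00Z event=login user=admin src=203.0.113.7
2024-05-01T10:30:02Z event=password_change user=bob src=203.0.113.7
2024-05-01T10:30:03Z event=password_change user=carol src=203.0.113.7
2024-05-01T10:30:03Z event=password_change user=dave src=203.0.113.7
2024-05-01T10:30:04Z event=password_change user=erin src=203.0.113.7
2024-05-01T10:30:05Z event=password_change user=frank src=203.0.113.7
2024-05-01T11:45:00Z event=password_change user=grace src=198.51.100.21
""".strip().splitlines()


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value key=value ...' into a dict with a parsed ts."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_mass_password_changes(lines, window=timedelta(minutes=5), threshold=3):
    """Return {src: max_distinct_users} for every source that changed the
    password of at least `threshold` distinct users inside `window`.

    A sliding window per source keeps only the recent events, so a help-desk
    address that resets a handful of accounts spread over a day is not flagged,
    while a burst against many accounts is."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) within window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev["event"] != "password_change":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop events that have fallen out of the window (log is time-ordered).
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct_users = {user for _, user in q}
        if len(distinct_users) >= threshold:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), len(distinct_users))
    return alerts


if __name__ == "__main__":
    for src, count in detect_mass_password_changes(AUDIT_LOG).items():
        print(f"ALERT: {src} changed passwords for {count} distinct users within 5 minutes")
```

On the constructed log only 203.0.113.7 is reported, with five distinct users. The same event stream is what lets the organisation answer the availability question the course raises: which customers can no longer log in, and therefore whose credentials need to be restored or re-issued.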
An asset is anything that adds value to an organization, and that plays out in many different ways. It could be the information that you hold. It could be software. It could be physical assets such as computer hardware, which is why we spend so much time making sure we destroy hard drives correctly, so that the data itself (the information) can't be recovered before the hardware is disposed of.
The hardware could be really important to us so that's why we might put gates and fences and doors around stuff because it's an asset to us.
It could be your internet connectivity services that are an asset to your organization. If they’re lost, you're without the ability to make money for the day, connectivity is lost, your business comes to a standstill, you lose telephone services, E-pos services or whatever it might be.
This is really important: people. People are often thrown in here as assets. Well, we kind of are assets. But we don't really become assets until we understand and are able to derive processes, wisdom, understanding and all the rest. Until that point in time, we're just resources, if you will, because resources are replaceable.
Then you've got the intangibles such as skill and reputation and brand image. There is a company out there that was called Ratners. Ratners is a jewelry company. Gerald Ratner, the CEO of Ratners plc made a speech denigrating the products his business sold, and the stock market price of the company dropped significantly as a result. You can Google 'Ratners' to read the full story.
Brand reputation is really important because once reputation is lost, it's ever so difficult to repair.
Sony is a huge and successful organization. In 2013 they had a data breach to their PlayStation network. In the years following that, they slid right down the company trust and popularity ratings. Slowly they were working their way back to sixth position. However the brand reputation was impacted by the data breach. So although it was only a subsidiary of Sony that was hacked, the entire company felt it.
So your reputation is incredibly important. It now falls into our laps to take care of the company's reputation. And this is why we have to train individuals how to use their mouths: what to say, and what not to say.
Even if we had a breach, what people are allowed to say about what's actually happening overall. Because otherwise we then have to go and spend more money to have PR folk taking care of our situation.
The controls are put in place to protect either the integrity or the availability or the confidentiality of assets. That's where our controls work. We use controls and those controls are chosen based on our risk assessments of a situation or the risks to a particular asset and that's where those decisions are made.
The instructor comes from a systems administration and network architecture background, with a solid part of his career spent building networks for educational institutes. With security a mainstay of his implementations, he grew a strong passion for everything cyber-oriented, especially social engineering. His educational experience led him to mentor young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, holds the CCNA Cyber Ops certification, and was selected for the CCNP Cyber Ops program.