Welcome to our exploration of the CIA triad, a fundamental concept in cybersecurity. Delving into this topic may feel a little like being James Bond navigating the classified corridors of the Central Intelligence Agency. Fortunately, we have been granted authorized access to this treasure trove of highly confidential knowledge.
What is CIA?
CIA stands for Confidentiality, Integrity and Availability: the three fundamental properties that together determine how secure a computer system is.
Grasping these is essential not just for people entering cybersecurity, but for everyone working in an IT company.
A shared understanding of them makes communication during software development smoother and helps us understand what the end users of our product actually need protected.
Confidentiality, Integrity, Availability
Confidentiality
- Confidentiality as Information Protection: In the CIA triad context, confidentiality means safeguarding data from unauthorized access or disclosure. It makes sure that only users with the correct permissions can read the information.
- Confidentiality as a Security Strategy: Confidentiality works as a security strategy built from multiple protective layers that together prevent unauthorized disclosure. It employs varied tools and techniques, including encryption, access control, and multi-factor authentication.
- Confidentiality as an Ethical Obligation: In IT security, confidentiality also signifies an ethical duty to protect user privacy by securing personal data from unauthorized access or disclosure. This is central to maintaining a company's trust and credibility.
Integrity
- Integrity as Preservation of Data Accuracy: Within the CIA triad, integrity means that data stays accurate, complete and authentic throughout its lifecycle. It assures that information is not modified or erased without authorization, and that any such change, whether malicious or accidental, can be detected.
- Integrity as a Protection Mechanism: Integrity serves as a protection method that guards data from unauthorized changes using techniques and tools like checksums and cryptographic hashes, digital signatures, system audits, and Security Information and Event Management (SIEM) systems.
- Integrity as Organizational Responsibility: Integrity also denotes an organization's obligation to continuously monitor and protect data to maintain its accuracy and consistency. This obligation is crucial for preserving customer trust and complying with legal requirements.
Availability
- Availability as Uninterrupted Operation: Availability, the third aspect of the CIA triad, involves ensuring that information systems and data are readily accessible to authorized users whenever the organization's operations require them.
- Availability as a Resilience Strategy: Availability serves as a resilience strategy that protects information systems against failures and disruptions. It includes measures like redundancy, business continuity planning, and regular backups.
- Availability as the Key to Customer Satisfaction: Availability is crucial for customer satisfaction because it assures that customers can always reach the organization's services and resources, which is key to securing their trust and loyalty.
If you want the formal definitions behind this triad, refer to the FIPS 199 standard (Standards for Security Categorization of Federal Information and Information Systems), which defines all three terms and rates the potential impact of losing each one as low, moderate or high.
Overview of methods to protect data
Confidentiality
- Access restriction (various access control models)
- Cryptographic methods
- Authentication
- Organizational measures (non-disclosure agreements, etc.)
Integrity
- Version control
- Checksums
- Digital signatures
- Backups
Availability
- Data recovery
- Failover clusters
- Redundant Array of Independent Disks (RAID)
- Automatic failover to standby systems
We'll discuss more methods behind these concepts in future topics.
In the upcoming section, I will present a generalized example of applying different methods to specific elements of the CIA triad.
This example should make clear that the choice of methods for each element of the triad has to be driven by the specific business case under consideration.
The CIA Triad in practice
Imagine we have just signed a contract with an e-commerce company. The client wants a system built on a microservice architecture. Let's analyze what we should focus on during the business case analysis, viewed through the CIA triad lens.
Confidentiality
For protecting confidentiality in an e-commerce application, organizations can implement:
- Data Encryption in Transit: Serving the application over HTTPS (TLS) encrypts the traffic between client and server, so a third party on the network cannot read it. This protects data in transit only; data at rest, such as the database and its backups, needs its own encryption.
- Application-Level Access Control: Introducing an identity and access management system so that sensitive parts of the application, such as administrative panels, are reachable only by authenticated users with the appropriate role.
- Secure Password Storage: Storing passwords only as salted hashes produced by a deliberately slow password-hashing function such as bcrypt (or Argon2id), never as plaintext or as a fast general-purpose hash like MD5 or SHA-256.
- Data Masking: Data masking hides specific data in production and non-production environments (for example, showing only the last four digits of a card number), thus protecting sensitive information from unauthorized access.
Integrity
To ensure data integrity in an e-commerce application, procedures can include:
- Digital Signatures: Signing (or, between two services that share a key, MACing) the data exchanged between microservices so the receiver can verify that it was not altered in transit and really came from the expected service.
- Data-Level Access Control: Implementing thorough access control policies to prevent unauthorized modifications of product data or user information.
- Automated Monitoring and Alerts: Integrating monitoring systems that automatically detect and alert on unauthorized data modification attempts, for example by auditing write operations or comparing stored checksums.
- Tamper-Evident Transaction Records: Recording financial transactions in an append-only, hash-chained log, where each entry commits to the previous one, makes retroactive modification detectable. This is the mechanism behind blockchain, which is sometimes proposed here; for a single organization's ledger an append-only log with signed entries gives the same tamper evidence without a distributed consensus system.
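The following is an added example, not code from the original article, showing why a plain checksum is not an integrity control against an attacker while a keyed MAC is. It assumes two hypothetical services, an order service and a payment service, that share `SERVICE_KEY`; the sample order is constructed for the example. HMAC is used because it is in the standard library; a digital signature (for example Ed25519 via the `cryptography` package) plays the same role with a private/public key pair.

```python
import hashlib
import hmac
import json
import os

# Shared secret known only to the order service and the payment service (assumed to be
# loaded from a secrets manager in production; generated here so the example runs offline).
SERVICE_KEY = os.urandom(32)


def canonical(payload: dict) -> bytes:
    """Deterministic JSON encoding so sender and receiver hash exactly the same bytes,
    regardless of key order or whitespace."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


# --- Checksum only: catches accidental corruption, not a deliberate attacker ---

def attach_checksum(payload: dict) -> dict:
    return {"payload": payload, "sha256": hashlib.sha256(canonical(payload)).hexdigest()}


def checksum_ok(message: dict) -> bool:
    return hashlib.sha256(canonical(message["payload"])).hexdigest() == message.get("sha256")


# --- Keyed MAC: without the key, nobody can produce a valid tag for altered data ---

def attach_mac(payload: dict, key: bytes) -> dict:
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def mac_ok(message: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(message["payload"]), hashlib.sha256).hexdigest()
    # constant-time comparison; a plain == leaks the matching prefix length through timing
    return hmac.compare_digest(expected, str(message.get("mac", "")))


def tamper(message: dict) -> dict:
    """What a man-in-the-middle does: lower the amount to be charged. For the checksum
    variant the attacker simply recomputes the checksum over the forged payload; for the
    MAC variant there is no key, so the old tag is the best the attacker can do."""
    forged_payload = dict(message["payload"], amount_cents=1)
    if "sha256" in message:
        return attach_checksum(forged_payload)
    return {"payload": forged_payload, "mac": message["mac"]}


# Constructed sample message: the order service tells the payment service what to charge.
ORDER = {"order_id": "A-1001", "customer": "c-42", "amount_cents": 4999, "currency": "EUR"}
```

Note what the MAC does not cover: a valid message can be captured and replayed, so the payload should also carry a unique order id or nonce that the receiver remembers, and a timestamp it checks.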
Availability
Strategies to ensure availability in an e-commerce application can include:
- Autoscaling: Implementing autoscaling that adds instances during traffic surges and removes them afterwards, so capacity follows demand instead of being fixed to one size.
- Load Balancing: Incorporating load balancers to distribute network traffic among multiple servers, preventing any single one from being overloaded and routing around instances that fail health checks.
- Disaster Recovery Plan: Developing, and regularly testing, a disaster recovery plan that details the procedures and the recovery time and recovery point objectives for different emergency situations.
- Geo-Redundancy: Establishing a geo-redundant infrastructure that allows swift shifts between data centers in different geographic locations, ensuring continuity of operations even during a local failure.
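As an added illustration of the load balancing and geo-redundancy points above (example code, not from the original article), here is the routing logic a load balancer applies: round-robin over healthy backends in the primary region, backends taken out of rotation after repeated failures, and failover to another region only when the primary region has nothing healthy left. The backend names, regions and the failure threshold are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    region: str
    healthy: bool = True
    consecutive_failures: int = 0


class FailoverPool:
    """Spreads requests round-robin over healthy backends in the primary region;
    when none are left it fails over to healthy backends in other regions.
    A backend is marked unhealthy after FAILURE_THRESHOLD consecutive failed
    requests or health probes and is put back by the next successful probe."""

    FAILURE_THRESHOLD = 3  # chosen for the example; tune to your health-check interval

    def __init__(self, backends, primary_region: str):
        self.backends = list(backends)
        self.primary_region = primary_region
        self._next = 0

    def candidates(self):
        primaries = [b for b in self.backends if b.healthy and b.region == self.primary_region]
        if primaries:
            return primaries
        # Geo-redundancy: every primary is down, so use whatever is healthy elsewhere.
        return [b for b in self.backends if b.healthy]

    def pick(self) -> Backend:
        candidates = self.candidates()
        if not candidates:
            # Nothing left to route to: fail loudly so an alert fires instead of hanging.
            raise RuntimeError("no healthy backend in any region")
        backend = candidates[self._next % len(candidates)]
        self._next += 1
        return backend

    def report(self, backend: Backend, ok: bool) -> None:
        """Feed back the outcome of a request or health probe for a backend."""
        if ok:
            backend.consecutive_failures = 0
            backend.healthy = True
        else:
            backend.consecutive_failures += 1
            if backend.consecutive_failures >= self.FAILURE_THRESHOLD:
                backend.healthy = False


def build_demo_pool() -> FailoverPool:
    """Constructed topology: two instances in the primary region, one standby in another."""
    return FailoverPool(
        [Backend("eu-1", "eu-west"), Backend("eu-2", "eu-west"), Backend("us-1", "us-east")],
        primary_region="eu-west",
    )
```

The threshold matters in both directions: marking a backend down on a single failed request turns a transient timeout into a capacity loss, while a threshold that is too high keeps sending customers to a dead instance. Real deployments put this logic in the load balancer (HAProxy, nginx or a cloud load balancer) and the DNS or global traffic manager in front of it, but the decision rules are the same.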
Given the growing number of attacks on the e-commerce sector, the organization should also comply with the local and international cybersecurity regulations that apply to it, with data protection rules as the usual starting point. Compliance may require additional data protection measures and incident response procedures, so once we know the region where our client intends to operate we need to familiarize ourselves with the regulations in force there. Beyond lowering the risk of a data breach, this also helps build a security culture within the organization.
Conclusion
In this topic, we have discussed the primary objectives of security. We have familiarized ourselves with the concept of CIA, its underlying principles, and the range of data protection methods tied to each element of the triad. We also examined a practical example of applying various methods to the individual elements of the triad, and saw that the right choice differs depending on the business case.