If you’re familiar with the cybersecurity world, you’ve probably heard the term "CIA triad." This concept breaks information security measures into three key components: confidentiality, integrity, and availability. The CIA triad is particularly useful in guiding policies and developing frameworks for information security. It’s also the foundation for major governmental data regulations like the European Union’s GDPR.
The concept of the CIA triad originated at a time when cybersecurity was shifting from a defense-sector concern to a commercial one. Banks, financial services firms, and other businesses wanted to ensure not only confidentiality but also integrity, since their electronic data had to remain unmodified by unauthorized users. The CIA triad itself was introduced in the 1972 Anderson Report, which discussed computer security for the Air Force's Electronic Systems Division. But the CIA abbreviation wasn't coined until the late 1980s, around the time the first internet DoS attack demonstrated the need for availability.[1]

The CIA triad today

Some experts believe that the future of cybersecurity will require a broader paradigm, but the CIA triad is still highly relevant to information security today.[2] With the growing threat of ransomware and other cyberattacks, data confidentiality, integrity, and availability remain critical qualities to consider in data protection. Indeed, as the Institute of Electrical and Electronics Engineers (IEEE) put it, "Confidentiality, integrity and availability (CIA) are the very foundation of data protection and privacy."[3] Below, we go into depth about the three components of the CIA triad, explain why they are relevant to cybersecurity in 2022, and look at why each can fail.

Data confidentiality

This first pillar of the CIA triad governs who data can be disclosed to and under what conditions. It keeps information from being viewed, shared, or used by unauthorized parties, preventing identity theft, legal problems, and other consequences. Some common examples of highly confidential data include:
Luckily, laws and regulations exist to help protect confidential information. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to prevent the disclosure of medical data. Similarly, the Gramm-Leach-Bliley Act (GLBA) was passed in 1999 to remove certain legal barriers for financial companies, but it also contains provisions requiring financial institutions to safeguard customer data and provide consumers with privacy notices.

Unfortunately, these regulations aren't always enough to protect confidential data against compromise. Both malicious and accidental exposures of highly sensitive data have repeatedly made the news. For instance, attackers in 2013 exposed account information from a shocking 3 billion Yahoo user accounts. A year earlier, 165 million LinkedIn user email addresses and passwords were stolen and later sold by an attacker for only five bitcoins.[4] And in 2017, information on more than 120 million US households was exposed after an Amazon Web Services (AWS) S3 storage bucket was misconfigured to allow public access. Sadly, even organizations that have experienced a major confidential data breach aren't always able to protect their data more effectively moving forward. For instance, LinkedIn saw data associated with 700 million user accounts posted for sale on the dark web in 2021.

How can data confidentiality be strengthened?

Physical measures like air gaps, locked doors, and managed company laptops are an important start. It's also important to use secure network connections and devices with appropriate firewalls, anti-malware tooling, and other controls. But data confidentiality doesn't stop there. Data encryption, which uses a key to convert data into ciphertext that is unreadable without that key, and encrypted communication channels are routinely used to protect highly sensitive data. Even encryption can fall short, though rarely because an attacker brute-forces the cipher: a correctly implemented modern algorithm such as AES-256 cannot be broken with any realistic amount of computing power. In practice encryption fails when keys are stolen, mishandled, or stored beside the data they protect, when weak or obsolete algorithms and modes are used, or when implementation flaws leak plaintext or keys.
Encryption also involves significant key management issues and can be unwieldy for some organizations' needs. An alternative way to strengthen data confidentiality is microsharding. Often used in place of or in tandem with encryption, microsharding breaks data files into four-byte microshards without compromising performance. ShardSecure's patent-pending Microshard™ technology uses microsharding to eliminate the possibility of sensitive data and contextual metadata existing together in the same storage container. The resulting four-byte microshards cannot be reassembled by unauthorized users, ensuring data confidentiality. Microshard data is also not subject to a single point of failure in the way key-based encryption is, since it does not involve a key and therefore cannot be compromised by key corruption or loss.

Data integrity

Data integrity ensures that data remains accurate, consistent, and complete through every stage of its lifecycle. Whether it is being stored, retrieved, or modified by authorized users, data should remain consistent, correct, and whole. The second component of the CIA triad, data integrity is particularly important as the volume of data gathered and stored by businesses continues to grow. It's also a key component of compliance with data protection and privacy regulations like GDPR, HIPAA, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and more.[5] Some key threats to data integrity include:
Data integrity processes prevent the loss and corruption of sensitive information. They also play an important role in business continuity, particularly in ransomware recovery and disaster recovery. Data integrity encompasses physical integrity measures, which protect data from problems like power outages and hardware failures.[6] It also includes logical integrity measures, which ensure that data remains accessible, unchanged, and error-free.

How can data integrity be ensured?

Organizations can maintain data integrity by implementing constraints and processes to ensure that data, whether in use, in transit, or at rest, remains valid and unchanged by any unauthorized user. These constraints govern actions like data entry, deletion, transfer, and updates. Here are a few key ways to strengthen this second component of the CIA triad:
ShardSecure helps secure data backups. Microshard technology integrates with your existing backup solution to microshard and secure your backup data in the cloud storage locations of your choosing, including multi-cloud and hybrid cloud environments. This provides an extra layer of security for your most sensitive data backups. Microshard technology also performs multiple data integrity checks to help ensure that critical data at rest stays secure and available. In the event of unauthorized data modification, ShardSecure immediately alerts your organization and restores the data to its last unaltered state.

Data availability

The third principle of the CIA triad, data availability, refers to the reliability, accessibility, and timeliness of data. If you're an authorized user, data availability ensures that you can access what you need, at a normal level of performance, whenever you need it. Unless they put policies in place to ensure data availability, organizations may well experience interruptions to business continuity whenever there is a hardware outage, server failure, or other downtime issue. Some major data availability risks and challenges include:
How can data availability be improved?

First, data backups should be made so information can be restored quickly in the event of an outage or loss. These backups should also be tested regularly, by actually performing a restore, to make sure the data remains intact and that the backup and restore process works; an untested backup is an assumption, not a control. Second, data loss prevention tools may be helpful. These tools, which often come in the form of SaaS platforms that monitor and control access to data, can help mitigate risks to this pillar of the CIA triad. Third, data should be inventoried.[7] This ensures that your organization knows the different types and amounts of data you have, and it helps inform better data management practices. Lastly, data should be securely disposed of once it's no longer needed. Sensitive data sets in particular should be destroyed or securely erased to ensure that their contents cannot be recovered. The National Institute of Standards and Technology (NIST) offers three main actions for sanitizing data[8] in its Special Publication 800-88:

Clear: apply logical techniques, such as overwriting with standard read and write commands or a factory reset, to all user-addressable storage locations so that the data cannot be recovered with simple, non-invasive data recovery tools.
Purge: apply physical or logical techniques, such as block erase or cryptographic erase, that make recovery infeasible even with state-of-the-art laboratory techniques.
Destroy: render the media itself unusable and the data infeasible to recover, for example by shredding, disintegrating, pulverizing, melting, or incinerating it.
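The integrity checks described in the data integrity section and the backup restore test described above can both be demonstrated with a keyed manifest. The following is an added example, not ShardSecure's code and not a description of how Microshard technology works internally; the backup set, the file names, and the manifest key are constructed for illustration. A keyed HMAC rather than a plain hash is used so that an attacker who can rewrite the backup store cannot also recompute a matching manifest, and the backup is verified before anything is restored from it.

```python
"""Keyed integrity manifest plus a restore drill for a backup set.

Added example (not ShardSecure code). The backup set, file names and manifest
key below are constructed for illustration; a real key lives in a KMS or HSM,
never beside the data it protects.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample backup set: file name -> file contents.
SAMPLE_BACKUP: Dict[str, bytes] = {
    "customers.csv": b"id,name\n1,Ada\n2,Grace\n",
    "ledger.json": b'{"balance": 1000}',
}

# Hypothetical manifest key; only the verifier holds it, the storage tier does not.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def file_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 of one file. A keyed MAC, unlike a plain SHA-256, cannot be
    recomputed by an attacker who can rewrite both the file and the manifest."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(files: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Return {file name: tag} for every file in the set."""
    return {name: file_tag(data, key) for name, data in files.items()}


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str], key: bytes) -> List[str]:
    """Return the sorted names of files that fail verification: contents changed,
    file missing from the set, or file present but absent from the manifest."""
    failures = []
    for name in set(files) | set(manifest):
        if name not in files or name not in manifest:
            failures.append(name)
        elif not hmac.compare_digest(manifest[name], file_tag(files[name], key)):
            failures.append(name)  # constant-time compare avoids timing leaks
    return sorted(failures)


def restore_drill(primary: Dict[str, bytes], backup: Dict[str, bytes],
                  manifest: Dict[str, str], key: bytes) -> Dict[str, bytes]:
    """Repair the primary copy from the backup and return the repaired copy.

    The backup is verified first: restoring from an unverified backup would simply
    reintroduce whatever corruption it carries. Files that fail in the primary are
    replaced from the backup; files not in the manifest at all are removed.
    """
    if verify_manifest(backup, manifest, key):
        raise RuntimeError("backup failed integrity check; refusing to restore from it")
    repaired = dict(primary)
    for name in verify_manifest(primary, manifest, key):
        if name in backup:
            repaired[name] = backup[name]
        else:
            repaired.pop(name, None)
    return repaired


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUP, MANIFEST_KEY)
    live = dict(SAMPLE_BACKUP)
    live["ledger.json"] = b'{"balance": 1000000}'  # simulated unauthorized modification
    print("tampered:", verify_manifest(live, manifest, MANIFEST_KEY))
    print("restored OK:", restore_drill(live, SAMPLE_BACKUP, manifest, MANIFEST_KEY) == SAMPLE_BACKUP)
```

Running the drill on a schedule, rather than only after an incident, is what turns the backup into a tested availability control: the same code path that would be used in a real restore is exercised, and a backup that has itself been altered is rejected instead of being copied back over production.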
How can Microshard technology help?

Microshard technology inherently upholds the CIA triad. Our self-healing data and our RAID-5-like ability to reconstruct affected data mean that we can rebuild Microshard data whenever it is tampered with, deleted, or compromised, thereby supporting data integrity and availability. We also strengthen confidentiality through our Microshard technology, which desensitizes sensitive data for use in multi-cloud and hybrid-cloud environments with a three-step microsharding process.
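The "RAID-5-like" reconstruction mentioned above rests on a simple idea: store one parity block alongside the data blocks so that any single missing block can be recomputed from the rest. The following is an added example of that generic XOR-parity technique; it is not ShardSecure's Microshard implementation, and the sample record and shard count are constructed for illustration. It also shows the limit of single parity: one lost shard is recoverable, two are not, and a silently corrupted shard is detected but not located without a per-shard check such as the manifest in the previous example.

```python
"""XOR parity across data shards: reconstruct one lost or corrupted shard.

Added example of the generic RAID-5-style idea the text alludes to; it is not
ShardSecure's Microshard implementation. The sample record below is constructed.
"""
from typing import List, Optional, Tuple

# Constructed sample record to be sharded.
SAMPLE_RECORD = b"confidentiality, integrity, availability"


def xor_bytes(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def shard_with_parity(data: bytes, n_data: int) -> Tuple[List[bytes], int]:
    """Split data into n_data equal shards (zero-padded) plus one parity shard.
    Returns (shards, original_length); the length is needed to strip padding."""
    size = -(-len(data) // n_data)  # ceiling division
    padded = data.ljust(n_data * size, b"\x00")
    shards = [padded[i * size:(i + 1) * size] for i in range(n_data)]
    shards.append(xor_bytes(shards))  # parity shard: XOR of all data shards
    return shards, len(data)


def parity_consistent(shards: List[bytes]) -> bool:
    """True if the XOR of every shard (data plus parity) is all zeros.
    A silently corrupted shard breaks this; the check detects but does not locate it."""
    return not any(xor_bytes(shards))


def reconstruct(shards: List[Optional[bytes]]) -> List[bytes]:
    """Rebuild exactly one missing shard (marked None) from the others.
    Single parity tolerates one loss; two or more missing shards are unrecoverable."""
    missing = [i for i, s in enumerate(shards) if s is None]
    if len(missing) != 1:
        raise ValueError(f"expected exactly one missing shard, got {len(missing)}")
    present = [s for s in shards if s is not None]
    rebuilt = list(shards)
    rebuilt[missing[0]] = xor_bytes(present)  # lost shard = XOR of all surviving shards
    return rebuilt


def reassemble(shards: List[bytes], length: int) -> bytes:
    """Join the data shards (all but the trailing parity shard) and strip padding."""
    return b"".join(shards[:-1])[:length]


if __name__ == "__main__":
    shards, length = shard_with_parity(SAMPLE_RECORD, 3)
    damaged = list(shards)
    damaged[1] = None  # simulated deleted shard
    print("recovered:", reassemble(reconstruct(damaged), length) == SAMPLE_RECORD)
```

Spreading the shards across independent storage locations is what makes the parity useful for availability: a single location going offline removes one shard, and the record is still reassembled from the survivors. Tolerating more than one simultaneous loss requires an erasure code with more than one parity block, which a single XOR cannot provide.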
Interested in learning more about how ShardSecure can help your organization uphold the CIA triad? Contact us today to schedule a demo and learn more about Microshard technology.

Sources