The CIA Triad of Data Security
CIA Triad
The CIA Triad (Confidentiality, Integrity, and Availability): these terms sound simple, and an organisation's security posture is adequate if the three concepts are well understood and maintained.
‘Need to Know’, ‘Least Privilege’, ‘User Identification’, ‘Authentication’ and ‘Authorisation’ are all buzzwords within this subject, with further details below.
Confidentiality
Information will often be applicable only to a limited number of individuals because of its nature or its content, or because its wider distribution would result in undesired effects, including legal or financial penalties or embarrassment to one party or another.
Restricting access to information to those who have a “need to know” is good practice. Confidentiality revolves around the principle of ‘least privilege’, which states that access to information, assets, etc. should be granted only on a need-to-know basis, so that information intended for a limited audience is not accessible to everyone.
The core of good confidentiality, or need to know, is a strong data classification policy, since without classification it will be difficult to maintain and control who has access to what.
So Identification, Authentication and Authorisation are principles achieved through various access and privacy controls that support Confidentiality.
Controls to ensure confidentiality form a major part of the wider aspects of data security.
Integrity
Information is only useful if it is complete, accurate and remains so.
Maintaining these aspects of information (its integrity) is often critical, and ensuring that only certain people have the appropriate authority to alter, update or delete information is another basic principle of data security.
Integrity makes sure that information is not tampered with while it travels from source to destination, or while it is stored at rest. Information stored in underlying systems, databases, etc. must be protected through access controls, and there should be an accepted procedure for changing data, whether stored or in transit.
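The Confidentiality and Integrity sections above are illustrated together in the following added example (not code from the original page): a classification label and need-to-know compartments decide who may read a record, and an HMAC bound over label, compartments and content detects changes made outside the accepted write path. The classification labels, the integrity key and the sample records are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed classification ladder, least to most sensitive (hypothetical labels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Hypothetical integrity key; in a real system it would come from a KMS or HSM.
INTEGRITY_KEY = b"constructed-demo-key"


@dataclass
class Record:
    classification: str
    compartments: frozenset   # need-to-know groups, e.g. {"finance"}
    content: bytes
    tag: bytes = b""          # HMAC over label + compartments + content


def _canonical(record):
    """Bind the label and compartments to the content so none can be swapped alone."""
    comps = ",".join(sorted(record.compartments)).encode()
    return record.classification.encode() + b"|" + comps + b"|" + record.content


def seal(record):
    """Accepted write path: recompute the integrity tag after an authorised change."""
    record.tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).digest()
    return record


def integrity_ok(record):
    """Detect tampering with stored content, or with its label, outside the write path."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).digest()
    return hmac.compare_digest(expected, record.tag)


def can_read(user, record):
    """Need to know: the user's clearance must dominate the label AND the user must
    hold every compartment on the record. Anything that fails integrity is refused."""
    if not integrity_ok(record):
        return False
    if LEVELS[user["clearance"]] < LEVELS[record.classification]:
        return False
    return record.compartments <= user["compartments"]


# Constructed sample data for a stand-alone run.
payroll = seal(Record("confidential", frozenset({"finance"}), b"salary table"))
alice = {"clearance": "confidential", "compartments": frozenset({"finance"})}
bob = {"clearance": "restricted", "compartments": frozenset({"engineering"})}
```

Note that bob is refused despite the higher clearance: least privilege is about need to know, not rank. Relabelling the record as public without going through seal() also fails, because the label is covered by the tag.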
Availability
Information that is not available when and as required is irrelevant data.
There will always have to be a compromise between security in its purest sense and the availability of information.