The security triad, the 3 main components of security, the security pillars, the security triangle: many names exist for the CIA triad, but do you know what these 3 initials refer to?
The CIA triad refers to the 3 pillars of information security: confidentiality, integrity, and availability.
These 3 concepts depend closely on each other; here we explain what each one refers to.
Do not disclose information to unauthorized parties!
Confidentiality of data means ensuring that information is only available to the right people.
The confidentiality property must exist in the data in any of its 3 states:
- in storage,
- in process
- and in transit.
There are many mechanisms to provide confidentiality, however, very few can provide this property in all 3 states.
A confidentiality breach can occur due to:
- cyber attackers,
- failures in the implemented security mechanisms,
- gaps in the definition and knowledge of the organization’s security policies,
- or configuration failures.
Human error can also affect confidentiality; the clearest example is when we walk away from our desk and leave our workstation unlocked. Sound familiar?
Having critical or sensitive information on paper and leaving it for anyone to see can be “risky”, as there are always people outside the organization walking down the hallways who can see information behind the user’s back.
The tip here is to use mechanisms that minimize these risks, such as authentication, access controls and data encryption.
Information integrity refers to ensuring that information has not been modified, in any of its 3 states (in storage, in process, or in transit).
Integrity should be analyzed from 3 perspectives:
1. Prevent someone with modification permissions from making a mistake and modifying the data.
2. Prevent someone without modification permissions from making any changes.
3. Prevent any program or application that interacts directly with the “target” information from making any change.
Integrity violations can have many causes, such as cyber attackers, failures in security mechanisms, misconfigurations or even human error. Do you know anyone to whom this has happened?
The tip here is to implement mechanisms that guarantee the integrity of the information: apply authentication for access to the information, enforce access controls, and limit the functions of personnel with respect to the information.
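As an added example (not from the original article), the following Python code shows one common integrity mechanism, a keyed hash (HMAC-SHA256) over a stored record, and demonstrates the three perspectives above: an untouched record verifies, a record changed by an unauthorized party fails, a record silently reformatted by an application fails, and a tag produced without the secret key is rejected. The record and the key are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed sample record; in practice this could be a file, a database row
# or a message in transit. The key below is a placeholder, not a real secret.
SAMPLE_RECORD = {"account": "ACME-0001", "balance": 1250.00, "owner": "Alice Example"}
DEMO_KEY = b"hypothetical-secret-key"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so equal data always produces equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> str:
    """Produce an HMAC-SHA256 tag over the record; only key holders can do this."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """True only if the record still matches its tag (constant-time comparison)."""
    return hmac.compare_digest(seal(record, key), tag)


def demo(key: bytes = DEMO_KEY) -> dict:
    """Run the four integrity scenarios and report which ones verify."""
    tag = seal(SAMPLE_RECORD, key)
    results = {"untouched": verify(SAMPLE_RECORD, tag, key)}

    # Perspective 2: someone without modification rights changes a value.
    tampered = dict(SAMPLE_RECORD, balance=9999.00)
    results["tampered"] = verify(tampered, tag, key)

    # Perspective 3: an application "helpfully" rewrites a field on its own.
    reformatted = dict(SAMPLE_RECORD, owner="alice example")
    results["reformatted"] = verify(reformatted, tag, key)

    # A tag computed with a different key does not verify: no key, no valid tag.
    forged_tag = seal(SAMPLE_RECORD, b"some-other-key")
    results["forged_with_other_key"] = verify(SAMPLE_RECORD, forged_tag, key)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'integrity OK' if ok else 'integrity FAILED'}")
```

Note that an HMAC detects modification but does not prevent it; to cover the first perspective (an authorized user making a mistake) it has to be combined with access controls and change procedures, as the text recommends.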
Indeed, information must always be accessible to authorized persons!
The availability of information refers to keeping the necessary information accessible to the people who must have it, at the time they need it.
As with the previous properties, the impact to availability can also be due to human error.
The tip here is to employ mechanisms such as the following to minimize impacts:
- redundant solutions,
- backup schemes,
- Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP).
But How Do These 3 Properties Depend on Each Other?
These three information security properties depend on each other in the following way:
If there is no confidentiality, then the likelihood of a breach of information integrity increases, giving rise to the possibility that an unauthorized person can modify the information.
As we know, if the integrity of the data is compromised, then key business information or applications will be affected and will not be able to provide the expected service, leading to an impact on availability.
So, this is how confidentiality, integrity, and availability become the essential gears of information security, where if any one of them fails, the consequence impacts all of them.
Furthermore, it is important to consider the human factor because, as you noticed, human error appears in each of the pillars.
Without a doubt, most organizations use the “triad” to review the security mechanisms of the applications they use, all with the aim of minimizing risks.
It is not a matter of using one or the other, but all of them in a balanced way.