CIA: These letters are often associated with the formidable United States spy agency. However, in cybersecurity, CIA refers to a triad of concepts that serve as the core building blocks in establishing effective security systems. These are confidentiality, integrity, and availability.
Confidentiality calls for the protection of sensitive data from unauthorized access. Integrity is about the completeness, accuracy, and tamper-proofing of data. Meanwhile, availability entails the accessibility of complete and accurate data for those authorized to access it. These concepts sound simple and unsophisticated, but they form the foundation of dependable security systems, which are crucial amid the growing aggressiveness of cyber threats.
In 2022, the FBI’s Internet Crime Complaint Center (IC3) reported a 68% increase in cybercrime complaints compared to pre-pandemic levels in 2019. This underscores the urgency for organizations to reevaluate and adapt their cybersecurity strategies to effectively balance the need for confidentiality, integrity, and availability in the face of new challenges and threats.
The conflict between confidentiality, integrity, and availability
As building blocks of a security system, the elements of the CIA triad are expected to be complementary to each other. However, these concepts can pose challenges to each other’s actualization. Here’s a look at how confidentiality is important but also potentially a hindrance in achieving data integrity and availability, and how integrity can make it difficult to ensure that data is highly available.
Confidentiality vs. Availability
Confidentiality requires the imposition of limits on data access, which can make data less available. By implementing data encryption, access controls, user authentication, and other security controls, data access becomes limited and available only to selected users. Some would view these controls as an inconvenience, especially among those who have been accustomed to being able to access data easily because of their positions or long tenure in an organization. There are also instances when even those who have authorized access have a hard time getting the data they need because of authentication protocols and other security measures.
On the other hand, availability in the field of information technology is not just about data being accessible. This accessibility also needs to be granted in a timely and speedy manner, especially in the age of DevOps and agile development. It is unproductive to make users wait turns to download files or have their data transfer speeds curtailed because of multiple users accessing the same server. Redundancy, load balancing, and disaster recovery planning should be in place to ensure fast and timely availability.
One example of the confidentiality-availability conflict is demonstrated in the use of strong encryption for sensitive data. While encryption helps ensure confidentiality, the corresponding decryption can take some processing overhead, making the data not immediately available to authorized users. Similarly, enforcing strict access controls may improve confidentiality but can also cause delays in accessing critical systems, especially during emergencies.
Confidentiality vs. Integrity
Integrity suggests completeness, accuracy, and being free from unintended modification or distortion, which are attributes everyone would want for their sensitive data. However, there are instances when data integrity efforts result in weakening confidentiality.
One example of the confidentiality-integrity conflict is the use of data hashing for authenticity verification. While hashing ensures data integrity, it can potentially reveal patterns or other information about the original data. This can result in data confidentiality breaches. Another notable scenario demonstrating the confidentiality-integrity conflict is the logging or monitoring of activities involving data access or modification. This is helpful in maintaining data integrity, but it may inadvertently expose sensitive information to unauthorized personnel.
Organizations usually implement measures like checksums, digital signatures, and version control systems to detect and prevent unauthorized modifications. However, some integrity controls might create opportunities for security breaches. For instance, version control systems, which are part of software supply chains, can become an attack vector. The Kaseya ransomware, for example, was spread to thousands of unsuspecting users by exploiting vulnerabilities in cloud-based software repositories.
Integrity vs. Availability
A possible integrity-availability conflict could arise in situations where frequent data backups are performed to ensure availability. This practice increases the risk of unauthorized modifications and the propagation of data corruption, thus affecting data integrity. Backups and redundancies are important, but careless configuration can turn them into vulnerabilities.
Also, many organizations tend to prioritize uptime over security updates and system maintenance. They delay the application of crucial software patches to avoid going into temporary downtime. This practice is unsafe and can result in serious security issues, as it allows vulnerabilities to be open for possible exploitation for a long time.
High availability can be achieved without sacrificing data integrity. Unfortunately, many organizations fail to implement suitable measures and balance in configurations to achieve both.
Strategies in Balancing the CIA Triad
Successfully balancing the CIA Triad requires organizations to implement a combination of strategies that address the trade-offs and conflicting priorities among confidentiality, integrity, and availability. The following key solutions can help.
Risk Assessment and Management
To determine the most suitable security controls to use and the proper configuration, it is vital to undertake risk assessment and management. This involves the routine identification of threats and vulnerabilities to understand the risks an organization is dealing with. Sometimes, organizations use excessive encryption for almost all of their data to ensure confidentiality. This may not only be unnecessary but also potentially antithetical to the goal of high availability.
Risk assessment is a precursor to risk prioritization, which is important in determining which data should be kept confidential and what kind of methods to use to achieve the desired confidentiality. For example, the encryption of all backups and all network traffic can become counterproductive, as they considerably slow down access to data used in routine tasks that are already secured by other security controls like web application firewalls.
Layered Security Approach
Another way of balancing confidentiality, integrity, and availability is by implementing layered security. Instead of having an all-in-one security approach across the board, different security controls can be used for different scenarios. This does not mean, however, that only one security control may be employed for certain processes like only implementing access control during logins and encryption when using communication apps. Multiple controls may be used for certain actions as necessary.
The point of having layered security is to make sure that there are no single points of failure. If one security control fails to stop an anomalous action, there should be another control on another level that can detect and block the anomaly that made it through a control level that failed. Some controls become dysfunctional because of a glitch or the failure to apply security updates.
Layered security is a form of redundancy designed to anticipate software issues and other problems that allow threats to penetrate. This approach provides a more robust cyber defense, making it easier to balance the objectives of the CIA Triad effectively.
Adopting a Data-Centric Security Model
Cybersecurity is sometimes referred to as a data problem. Threat actors chase data because it is known as the currency of the digital age and it can provide hints about vulnerabilities. Cybercriminals steal or corrupt data for various purposes. Also, hackers analyze data to find security weaknesses or opportunities to attack.
As such, it is important to focus on protecting data at its source and establishing a data-centric model, one that prioritizes the security of data instead of fixating on the protection of systems. Data should be evaluated to determine its sensitivity. Low-risk data may not need strong security measures while high-risk ones should be prioritized in implementing security techniques that tend to slow down processes and reduce availability.
A security model that has data at its core helps in making informed decisions on security concerns. It tends to be proactive as it also looks into patterns in the threat landscape instead of merely reacting to security events or threats detected by the controls.
The need for a strategic balancing act
Balancing the CIA triad is far from easy. Organizations need expertise and experience to properly determine the right security measures or controls to implement and the best configurations. It is crucial to be aware of the trade-offs and to reconcile conflicts in achieving confidentiality, integrity, and availability.