Security must start somewhere. This somewhere is usually the prioritization of the principles: confidentiality, integrity, and availability. These are the primary goals and objectives of a security program. Anything we do in security can be measured by how well we address the core principles.
Let’s take a look at the three pillars, what they mean, how to support them, and what kinds of attacks can violate confidentiality, integrity, and availability.
Confidentiality
Confidentiality protects the secrecy of data, objects, or resources. The goal of this principle is to prevent or minimize unauthorized access to data. Authorized users can access or interact with objects while confidentiality actively prevents unauthorized users from doing so. Many security measures or controls support confidentiality.
Technical and Organizational Measures (TOM) supporting confidentiality:
- encryption
- access control
- authentication and authorization
- data classification
- segregation of duties
Examples of violations of confidentiality:
- capturing network traffic
- stealing passwords
- port scanning
- privilege escalation
- social engineering
- data leak
Violation of confidentiality (disclosure) is not limited to intentional attacks. Many times, unauthorized disclosure is the result of human error and oversight. Events leading to disclosure include failing to encrypt a transmission, accessing malicious code, walking away from a computer while sensitive data is displayed on the screen, a misconfigured security control, or an oversight in a security policy.
Confidentiality and integrity depend on each other. Without object integrity, confidentiality cannot be maintained. Integrity means the inability of an object to be modified without permission.
Confidentiality concepts, conditions, and aspects include:
- Sensitivity refers to the damage caused by the disclosure of data
- Criticality defines how important an object is for the functionality of an organization
- Secrecy describes the act of preventing disclosure
- Privacy refers to keeping personally identifiable data confidential
Organizations need to evaluate the level of confidentiality they wish to enforce on objects.
Integrity
Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized changes to data. It ensures that data remains correct, unaltered, and preserved. Well-implemented integrity provides the functionality of authenticated change while it prevents intentional and malicious unauthorized activities as well as mistakes by authorized users.
To maintain integrity, objects must retain their correctness and can only be intentionally changed by authenticated users. Integrity mechanisms and protections provide a high level of assurance that data, objects, and resources are unaltered from their original protected state.
Unauthorized and unwanted changes should not occur while an object is in storage, in transit, or in process.
Technical and Organizational Measures (TOM) supporting integrity:
- access restrictions
- activity logging
- version control
- input verification
Examples of violations of integrity:
- coding errors
- malicious modifications
- malware
Integrity is checked from three perspectives:
- Preventing unauthorized subjects from making modifications
- Preventing authorized subjects from making unauthorized changes (mistakes)
- Maintaining consistency of objects so that their data is correct
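The three perspectives above can be enforced on a single object, as in this added example (not part of the original article). The `ProtectedRecord` class, the `validate_invoice` rule, and the subject names are hypothetical; it assumes the HMAC key is held somewhere the party modifying the data cannot reach.

```python
import hashlib
import hmac
import json


class ProtectedRecord:
    """Constructed example: a record checked from all three perspectives."""

    def __init__(self, data, writers, validate, key):
        self._writers, self._validate, self._key = set(writers), validate, key
        self._data = dict(data)
        self._tag = self._mac(self._data)
        self.log = []  # activity logging: every attempt is recorded

    def _mac(self, data):
        blob = json.dumps(data, sort_keys=True).encode()
        return hmac.new(self._key, blob, hashlib.sha256).hexdigest()

    def update(self, subject, changes):
        # Perspective 1: unauthorized subjects cannot modify (access restriction).
        if subject not in self._writers:
            self.log.append((subject, "denied"))
            raise PermissionError(f"{subject} may not modify this record")
        candidate = {**self._data, **changes}
        # Perspective 2: authorized subjects cannot make invalid changes
        # (input verification catches mistakes).
        problem = self._validate(candidate)
        if problem:
            self.log.append((subject, "rejected: " + problem))
            raise ValueError(problem)
        self._data, self._tag = candidate, self._mac(candidate)
        self.log.append((subject, "updated"))

    def read(self):
        # Perspective 3: consistency check; stored data must match its tag.
        if not hmac.compare_digest(self._tag, self._mac(self._data)):
            raise RuntimeError("record was altered outside update()")
        return dict(self._data)


def validate_invoice(rec):
    """Hypothetical rule: amount must be a non-negative number."""
    amount = rec.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        return "amount is not a number"
    return "amount is negative" if amount < 0 else None
```

The activity log records denied and rejected attempts as well as successful ones, which is what makes it useful for accountability later.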
Integrity concepts, conditions, and aspects:
- Accuracy means being correct and precise
- Truthfulness means being a true reflection of reality
- Authenticity means being genuine and authentic
- Accountability means being responsible for actions and results
- Responsibility refers to being in charge of or having control over a subject or object
- Comprehensiveness means covering the complete scope of all elements
- Nonrepudiation means not being able to deny having performed an activity or action
- Validity means being factual and logically correct
Availability
The last principle of the triad is availability. It refers to authorized subjects having timely and uninterrupted access to objects. Availability implies that infrastructure, like network services or authentication systems, is functional and allows authenticated users to gain authorized access.
Technical and Organizational Measures (TOM) supporting availability:
- redundancy of systems
- performance monitoring
- backup systems and functional data backups
- (D)DoS protection
- business continuity planning
- performance testing
Examples of violations of availability:
- device failure
- environmental issues
- software and hardware errors
- (D)DoS attacks
- network interruptions
- overutilizing hardware and software components
- accidental deletion of data
Availability depends on confidentiality and integrity and cannot be maintained without the two.
Availability concepts and aspects:
- Usability means being easy to learn, understand, control, and apply
- Accessibility is the concept that a wide range of subjects can interact with an object
- Timeliness means providing a low-latency response or responding within a reasonable timeframe
CIA Priority
Every organization has unique security requirements. Knowing which assets are more important than others guides the development of a dedicated security posture and the deployment of security solutions.
Prioritizing with the CIA Triad is a good start and can be replicated for design, architecture, deployment, maintenance, and development. The prioritization focuses the efforts of an organization on one aspect over the other. It doesn’t mean that the second or third prioritized items are ignored or improperly addressed. Each organization decides its dedicated security priorities.