We’ve written before about the CIA triad—not a secret service vocal harmony group but a framework for applying three core principles of cyber security to your organisation.
All good, sensible stuff – but what does this look like in real terms? And how can it help in the event of an attack?
How Confidentiality Keeps Your Data Safe
The triad’s confidentiality strand is about keeping data secure and private. We do that by implementing security measures to restrict access to data. The fewer access points there are to information, the harder it is for attackers to access it.
If someone hacks your organisation through a junior executive’s account, but that junior executive doesn’t have access to secured data, the hacker will be stymied and the impact will be significantly less than if the CEO’s user account were to be hacked.
This all sounds pretty straightforward. We’re all familiar with the kinds of information organisations store and we know there are laws to protect it. (Is anyone still suffering from the headache of GDPR?) Intellectual property, government secrets, financial information, personal data—the cyber security industry has grown up around trying to protect these kinds of information.
And yet, major security breaches continue to happen – and one of the problems appears to be that access to data is not sufficiently restricted.
The protection exists to help solve this problem, but it needs to be properly applied within organisations to prevent the accidental or intentional misuse of private data. It may seem overly dramatic to think of access to data in terms of ‘need to know’ or ‘eyes only’ – it’s not. It’s sensible.
Have a look at your current setup. Could you be more circumspect with regard to your policy on access and permissions? How secure is your current authentication process?
Imagine someone got into your system and changed some of your data.
This pillar of the CIA triad is all about guaranteeing the validity of your data. It works first by restricting the ability to edit data. As with data access, the fewer people who can modify your data, the harder it is for an attacker to do it.
The second way integrity works is by ensuring you can tell which data is affected and when the changes have occurred, so you can quickly and effectively recover valid data from your backup.
It protects you from attacks and enables you to recover from them more easily; it also reduces the potential for accidental damage, which can be equally catastrophic if you don’t have a plan.
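One way to put the "which data is affected, and when" idea into practice is a hash manifest compared against each backup. This is an added example, not code from the original article; the function names, file names and backup labels are hypothetical, and the sample data is constructed.

```python
import hashlib
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def affected_files(baseline, current):
    """Which data is affected: paths modified, removed or added since baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def change_window(path, baseline, backups):
    """When it changed: backups is [(label, manifest), ...], oldest first.
    Returns (last_good, first_bad): the last backup before the first divergence
    from the baseline digest (restore from it) and the first that diverges."""
    last_good = first_bad = None
    for label, manifest in backups:
        if manifest.get(path) != baseline[path]:
            first_bad = label
            break
        last_good = label
    return last_good, first_bad


if __name__ == "__main__":
    import tempfile
    # Constructed sample data: a file is tampered with after Tuesday's backup.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_text("id,amount\n1,100\n")
        baseline = build_manifest(root)  # recorded while data is known good
        backups = [("monday", dict(baseline)), ("tuesday", dict(baseline))]
        (root / "ledger.csv").write_text("id,amount\n1,900\n")
        backups.append(("wednesday", build_manifest(root)))
        report = affected_files(baseline, build_manifest(root))
        for path in report["modified"]:
            print(path, change_window(path, baseline, backups))
```

The manifest is only useful if it is stored somewhere the accounts that can edit the data cannot also edit it; otherwise an attacker can rewrite both.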
Familiarise yourself with your system’s controls regarding privileges and permissions, and how to amend those in the event of an attack. Swift action to prevent an attacker from editing, copying or moving data could make all the difference to the recovery time.
Today’s cyber security strategy isn’t only about preventing attacks—it’s about acknowledging that attacks are inevitable and that how we recover from them is as important as how we stop them. In this respect, availability is about getting your system functioning again, as quickly and safely as possible.
This means ensuring you have backups, that you have a disaster recovery plan – both for security incidents and other events, such as fire – and that you can keep the system running to the fullest extent possible.
Of course, while an attack occurs, you may have to cut availability altogether. You should also plan for that. Will you have to shut everything down, or can you locate which specific server is affected? What will happen during this unplanned outage? What will happen when you start back up?
Another aspect of this strand of the CIA triad is ensuring you keep up with maintenance, updates and any upgrades required to maintain availability. Availability isn’t something that is only considered in a time of crisis, but something that you are continually aware of.
Simply creating a backup isn’t enough. You also need to be able to access it if you’re going to restore your data quickly and safely. Consider every scenario. What if the WiFi goes down? What if you can’t access the backup remotely? Is there another way to connect to the backup?
Time isn’t just money in these scenarios. It’s confidence. The longer you take to recover, the more you lose people’s trust, not just from clients or users, but from your staff, too.
One of the CIA triad’s pitfalls is that it is vague. It is a system based on principles rather than details.
But that is also its main strength.
It doesn’t tie you to specific scenarios or solutions; it merely asks that you consider confidentiality, integrity and availability in every aspect of your cyber security. It effectively puts your data at the heart of your security strategy instead of the unknown and largely unknowable malware.
That’s a good thing because it’s easy to get tunnel vision when we read about ransomware in the news or hear that a competitor has been subject to a phishing trip.
But we can’t know what cyber threat is coming our way. And the truth is that when it comes it will probably be from a totally unexpected source.
The beauty of the CIA triad is that it broadens your perspective on risk, prevention and recovery. Focusing on the things in our control, such as access and permissions, and maintaining a comprehensive backup, represents a true defence model designed to work whatever your battleground.