Home / Blog / General / How to apply the CIA triad to your organisation

July 23, 2019

We’ve written before about the CIA triad – not a secret service vocal harmony group, but in fact a framework for applying three core principles of cyber security to your organisation.

  • Confidentiality – Ensuring that access to sensitive data is restricted through policy and security measures.
  • Integrity – Preventing the modification of data by unauthorised actors to ensure your information is authentic and valid.
  • Availability – Ensuring reliable access to data for those who need it, including through the use of backup and disaster recovery functions.

All good, sensible stuff – but what does this look like in real terms? And how can it help in the event of an attack?

How to apply the CIA triad to your organisation
How confidentiality keeps your data safe

The confidentiality string of the triad’s bow is all about keeping data secure and private. We do that by implementing security measures to restrict access to data. The fewer access points there are to information, the harder it is for attackers to get their hands on it.

For example…

If someone hacks your organisation through a junior executive’s account, but that junior exec doesn’t have access to secured data, the hacker will be stymied, and the impact will be significantly less than if the CEO’s user account were to be hacked.

All this sounds pretty straightforward. We’re all familiar with the kinds of information organisations store and we know there are laws to protect it. (Anyone still suffering the headache of GDPR?) Intellectual property, government secrets, financial information, personal data – the cyber security industry has grown up around trying to protect these kinds of information.

And yet, major security breaches continue to happen – and one of the problems appears to be that access to data is not sufficiently restricted.

The protection exists to help solve this problem, but it needs to be properly applied within organisations to prevent the accidental or intentional misuse of private data. It may seem overly dramatic to think of access to data in terms of ‘need to know’ or ‘eyes only’ – it’s not. It’s sensible.

Have a look at your current setup. Could you be more circumspect in regards to your policy on access and permissions? How secure is your current authentication process?

How integrity ensures the validity of your data

Imagine someone got into your system and made changes to some of your data.

  • What would you do?
  • Would you know how much of the data was affected, or would you have to guess?
  • Could you be sure?

This pillar of the CIA triad is all about guaranteeing the validity of your data. It works first by restricting the ability to edit data. As with data access, the fewer people who have the ability to modify your data, the harder it is for an attacker to do it.

The second way that integrity works is by ensuring you can tell which data is affected and when the changes have occurred, you can recover valid data from your backup quickly and effectively.

Setting up your integrity strategy

It not only protects you from attacks and enables you to recover from them more easily; it also reduces the potential for accidental damage, which can be equally catastrophic if you don’t have a plan in place.

Familiarise yourself with your system’s controls in terms of privileges and permissions – and how to amend those in the event of an attack. Swift action to prevent an attacker from editing, copying or moving data could make all the difference to the recovery time.

Why does availability affect security?

Today’s cyber security strategy isn’t only about preventing attacks – it’s about acknowledging that attacks are inevitable and how we recover from them is as important as how we stop them. In this respect, availability is about getting your system functioning again – as quickly and safely as you can.

This means ensuring you have backups, that you have a disaster recovery plan – both for security incidents and other events, such as fire – and that you can keep the system running to the fullest extent possible.

Of course, while an attack is taking place, you may have to cut availability altogether. You should also plan for that. Will you have to shut everything down, or will you be able to locate which specific server is affected? What will happen during this unplanned outage? What will happen when you start back up?

Maintain availability

Another aspect of this strand of the CIA triad is ensuring you keep up with maintenance, updates and any upgrades required to maintain availability. Availability isn’t something that is only considered in a time of crisis, but something that you are continually aware of.

Finally, a reminder…

Simply creating a backup isn’t enough. You also need to be able to access it if you’re going to restore your data quickly and safely. Consider every scenario. What if the WiFi goes down? What if you can’t access the backup remotely? Is there another way to connect to the backup?

Time isn’t just money, in these scenarios. It’s confidence. The longer you take to recover, the more you lose people’s trust. Not just from clients or users, but from your staff, too.

Don’t worry about the attack, worry about the data

One of the pitfalls of the CIA triad is that it’s vague. It’s a system based on principles rather than details.

But that is also its main strength.

It doesn’t tie you to specific scenarios or solutions, it merely asks that you consider these three things – confidentiality, integrity and availability – in every aspect of your cyber security. It effectively puts your data at the heart of your security strategy instead of the unknown and largely unknowable malware.

That’s a good thing because it’s easy to get tunnel vision when we read in the news about ransomware, or hear that a competitor has been subject to a phishing trip.

But we can’t know what cyber threat is coming our way. And the truth is that when it comes it will probably be from a totally unexpected source.

The beauty of the CIA triad is that it broadens your perspective on risk, prevention and recovery. By focusing on the things that are in our control, such as access, permissions and maintaining a comprehensive backup, it represents a true defence model: designed to work whatever your battleground.

Related articles:

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.