CIA Triad - The Model For Data Security

July 23, 2020

The CIA triad is one of the best-known and most established models for security and policy development among businesses around the world. The aim of the CIA triad is to allow businesses to develop their internal security while following a globally recognised standard security model.

So, the CIA triad, what is it? The triad is made up of three parts:

Confidentiality: In everyday terms, confidentiality means that information is kept private, to be read or known only by a select few, if anyone at all. Within the CIA triad the premise is much the same, but more specifically it means keeping information and data confidential through security mechanisms such as usernames, passwords, access control lists (ACLs) and encryption. The idea is that the information stays confidential rather than at risk of falling into the wrong hands. Most commonly, data is classified from highest to lowest risk should someone obtain it: for example, a person's full bank details and address will be kept extremely secure, while their first name and country of origin will still be kept secure, but less strictly than the bank details and full address. This is at the business's discretion, but it is also governed by law, such as the GDPR.

How to ensure this is applied: Make sure that all access control lists and file permissions are checked and updated frequently; this ensures there are no out-of-date permissions and no access granted where it shouldn't be. Ensure all data is encrypted and secured using standard methods such as strong passwords and, where possible, a form of two-factor authentication (an email address and phone number, for example).

Integrity: Alongside confidentiality, it is incredibly important to have data integrity. Maintaining the integrity of data, and of how it is handled internally within the business, matters because it prevents accidents when data is edited by authorized staff and colleagues, and, in the worse case, edits by unauthorized people, which could be classed as a data breach and is a further problem in itself. Data can be protected in several ways: version control is a huge positive for data integrity, and adding file permissions and user access controls is another. With these in place, the chances of accidental deletion or editing of files by internal staff, or by external people trying to cause a data breach, are greatly reduced.

How to ensure this is applied: Whenever documents are changed, ensure the version control record is updated with the name of the colleague or staff member who made the change; this ensures that if something is changed with malicious intent, it is recorded. Data logs also need to be kept so that whenever data is changed, the change is recorded on the log. Make sure you have a backup and recovery process set up; if possible, use backup and recovery software, which is easier than building an entire process yourself while still ensuring there is a process in place if need be. Ensure that your company has a regularly updated security and IT policy, and that employees and colleagues are aware of any data retention policies your company has; all of this helps towards having your data set up in the most secure way possible.
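As an added illustration (not part of the original post) of the change-log approach described above: a small Python integrity check that records who changed which file, chains the log entries by hash so the log itself cannot be silently edited, and flags files whose current content no longer matches their last logged hash. The function names and sample data are constructed for this example.

```python
# Added example (not from the original post): an append-only change log where each
# entry names the author and the SHA-256 of the file content, and is hash-chained to
# the previous entry so that tampering with the log itself is also detectable.
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_entry(log: list, author: str, filename: str, content: bytes) -> dict:
    """Record who changed which file, chained to the previous log entry."""
    entry = {
        "author": author,
        "file": filename,
        "content_sha256": sha256_hex(content),
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def verify_log_chain(log: list) -> bool:
    """True only if every entry hashes correctly and links to its predecessor."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_entry_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def audit_documents(documents: dict, log: list) -> dict:
    """Compare each file's current hash with its last logged hash.
    Findings per file: 'unlogged_change', 'missing_file' or 'unlogged_file'."""
    last_logged = {e["file"]: e["content_sha256"] for e in log}
    findings = {}
    for name, expected in last_logged.items():
        if name not in documents:
            findings[name] = "missing_file"
        elif sha256_hex(documents[name]) != expected:
            findings[name] = "unlogged_change"
    for name in documents:
        if name not in last_logged:
            findings[name] = "unlogged_file"
    return findings
```

Run `audit_documents` over the current files and the log on a schedule; any finding is a change that bypassed the logged process, and a failed `verify_log_chain` means the log itself was altered.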

Availability: Availability within the CIA triad means that data, information and resources are readily available to the right people, with the right access, when required. This can be implemented in a huge range of ways, through processes such as failover, RAID, redundancy and high-availability clusters. These are used to migrate sensitive and protected data when something goes wrong, acting as a completely secure and protected backup in case of a serious malfunction or data breach. Disaster recovery plans need to be in place as well; alongside your hardware, they ensure you have a plan if something does go wrong. The idea is that data is kept safe and secure while also remaining available to the people who need it.

How to ensure this is applied: Make sure that, as a business, you have a disaster recovery plan in place; this ensures that if you do have an issue you can get back the data that was breached, or at least get to a point where all staff can work again. Make sure you have monitoring systems on your network infrastructure, so that it is watched at all times for potential issues. With all of the network and server applications in use, it is vital that they are always kept up to date with the latest version.

The overall concept of the CIA triad can seem daunting, as there are a multitude of factors to consider while ensuring that you and your business fulfil all three parts. If you or your business need help with any of these parts, or with any other cyber security needs, please do not hesitate to contact us today to find out how we can help you become cyber secure.
