In any Info Sec class you take, one of the first things you'll hear about is the CIA triangle/triad. In this case, CIA does not stand for the Central Intelligence Agency, but for the three security properties every control is ultimately there to protect: Confidentiality, Integrity, and Availability. These three cornerstones guide an information security program's decisions about what to protect and how. Let's go over what each of these means in a security context.
Confidentiality is the restriction of access to sensitive information to the people and systems that are authorized to see it. When any information is created within a company, it should be classified for how sensitive it is and then placed under standardized access control so that unauthorized parties cannot read it.
Real-World Example: When payroll data is processed, only a handful of people within the company should be able to view employees' payment information. Just because the CEO runs the company doesn't mean the CEO needs access to every piece of information in it; payroll should stay confidential even from that account. Limiting each account to what its owner actually needs (least privilege) means the compromise of a single user account, however senior, does not hand a malicious party unlimited access to the company's data.
Integrity is the assurance that information has not been altered, whether in storage or in transit, except by authorized parties, so that it is accurate when it is read or received. When files are saved or sent, there must be monitoring and layers of security in place to detect and prevent a malicious party from modifying or deleting information. This protects the validity and trustworthiness of information over time.
Real-World Example: Susan sends Joe an email with finalized budget information for Joe's department. The total budget she sent was $450,000. Bob, a sales manager from a competing company, intercepts the email, changes the budget to $820,000, and forwards the modified email on to Joe. This results in extreme overspending in Joe's department because the integrity of the information was compromised: internal email was sent with neither transport protection nor any way for Joe to verify that the message he received was the one Susan wrote (a digital signature or message authentication code). Note that encryption on its own is not enough here; encryption protects confidentiality, and an attacker can often modify an encrypted message without being able to read it, so integrity needs its own control.
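The following is an added example, not code from the original post, that plays out the budget scenario in two rounds. First it shows why encryption alone does not give integrity: with a toy stream cipher (SHA-256 in a counter construction, chosen here for the demonstration and not a recommendation), Bob can turn an encrypted "$450,000" into "$820,000" without knowing the key, simply by flipping the right ciphertext bits. Then it adds an HMAC tag over the ciphertext, which is what actually lets Joe detect the tampering. The keys and the message are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample data for the demo. Real keys would be provisioned from a
# key store and never appear as literals in source (assumption for this example).
ENC_KEY = b"susan-joe-demo-encryption-key"
MAC_KEY = b"susan-joe-demo-mac-key"
ORIGINAL = b"Department budget: $450,000"


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter. Illustrative only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt(key, ciphertext)


def flip_ciphertext(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bob's attack. Knowing only that `old` sits at `offset` in the plaintext,
    XOR the ciphertext with (old XOR new); after decryption it reads `new`.
    No key is needed: (pt ^ ks) ^ (old ^ new) ^ ks == new where pt == old."""
    delta = xor_bytes(old, new)
    return ct[:offset] + xor_bytes(ct[offset:offset + len(old)], delta) + ct[offset + len(old):]


def sign(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag over the data (here: over the ciphertext, encrypt-then-MAC)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time; any modified byte fails."""
    return hmac.compare_digest(sign(key, data), tag)


def malleability_demo() -> bytes:
    """Round 1: encryption only. Returns what Joe decrypts after Bob's edit."""
    ct = encrypt(ENC_KEY, ORIGINAL)
    forged = flip_ciphertext(ct, ORIGINAL.index(b"450"), b"450", b"820")
    return decrypt(ENC_KEY, forged)  # Joe reads $820,000 and never knows


def integrity_demo() -> tuple[bool, bool]:
    """Round 2: encryption plus HMAC. Returns (genuine verifies, forged verifies)."""
    ct = encrypt(ENC_KEY, ORIGINAL)
    tag = sign(MAC_KEY, ct)  # Susan sends ct and tag together
    forged = flip_ciphertext(ct, ORIGINAL.index(b"450"), b"450", b"820")
    # Bob cannot produce a valid tag for `forged` without MAC_KEY.
    return verify(MAC_KEY, ct, tag), verify(MAC_KEY, forged, tag)


if __name__ == "__main__":
    print("Joe decrypts (no MAC):", malleability_demo())
    print("Verification (genuine, forged):", integrity_demo())
```

The first round is the point of the caveat above: the ciphertext was never readable by Bob, yet the figure Joe trusts is Bob's. The second round is what an email signing scheme such as S/MIME or PGP provides in practice, with a signature in place of the shared-key HMAC so that Joe does not need to share a secret with Susan.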
Availability is the assurance that information and the systems holding it are accessible to those who require them, when they require them. If an information system is not available to the people who need it, there is little point in having digital information at all.
Real-World Example: Before leaving work, Susan saves a client report, due to the client at 10:00 AM the next morning, to a network drive. When she comes in the next day at 8:00 AM, she cannot access the network drive. She later gets an email from the IT department saying that the file server has been compromised and all files have been deleted. There is no backup of the files on the server, so the information is simply gone: a loss of availability that a tested backup would have turned into a minor delay.
The biggest issue with the CIA triangle is balancing the three concepts so they work together. If we security folks had it our way, we'd give confidentiality the heaviest weight in every decision. However, a business cannot operate efficiently if its people have to go through a million layers of security to reach their own information. If an employee who is unaware of security threats had it their way, they would put the heaviest weight on availability. However, with no security there can be no integrity either: if anyone can alter the information in company files, how can you trust that it is accurate?
This is the struggle of every information security professional, and we must work diligently every day to get as much of all three of these fundamental properties as the business can bear.