C.I.A. is a well-known abbreviation within the information security and IT community. In the world of information security you will find it in many books and articles when studying for certifications. So what is the CIA triad and how does it fit within information security?
The CIA triad is a model designed to guide company policies on information security; its three elements are considered the three most important pillars of information security.
The letter ‘C’ is short for Confidentiality: sensitive data should be viewable only by those with the correct permissions. There are two types of data to consider: data in motion and data at rest.
Data in motion is data that is traversing a network, or a series of networks, to a destination. Imagine the following: a postman has a letter he has picked up from the depot and it is addressed to you. He puts the letter in his bag along with other letters for your neighbors and proceeds to the area to deliver them. Your letter is delivered unopened and is addressed to you only. Confidentiality has been maintained because only you have opened the letter from the sender. The postman has not broken confidentiality while the letter was on the way to its destination; this is maintaining confidentiality while data is in motion.
Data at rest is data that is stored on a system, either electronically or physically. Taking the postman scenario again: when letters are at the depot for sorting, they are most likely separated into different piles based on destination. The letters are then left in those piles until a postman collects them for delivery. The letters are not moving or in transit; this is data at rest.
The letter ‘I’ is short for Integrity and focuses on the trustworthiness of the data. This means any changes to data are made only by authorized individuals or systems. Failure to maintain the integrity of the data means its trustworthiness is jeopardized and the data might no longer be trusted.
To help maintain integrity, cryptographic hashes can be used; these include Secure Hash Algorithms such as SHA-1 or SHA-2.
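The following is an added example (not part of the original article) of how a SHA-2 hash detects changes to a stored record, and of the caveat a practitioner should know: a plain hash only catches a change if the stored digest itself cannot be replaced, so where whoever can alter the data can also rewrite the digest, a keyed hash (HMAC) or a digital signature is needed. The record, the key and the tampered value are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample record ("data at rest") and a secret key known only to
# the authorized system. Both values are made up for this example.
RECORD = b"account=1234;balance=500.00"
KEY = b"example-secret-key-not-for-production"


def sha256_digest(data: bytes) -> str:
    """Plain SHA-2 (SHA-256) fingerprint of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected: str) -> bool:
    """True if the data still matches a stored digest (the digest must be trusted)."""
    return hmac.compare_digest(sha256_digest(data), expected)


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data: bytes, key: bytes, expected: str) -> bool:
    """True if the data still matches a tag produced with the same key."""
    return hmac.compare_digest(hmac_tag(data, key), expected)


def demo() -> dict:
    """Walks through the three integrity cases and returns their outcomes."""
    tampered = RECORD.replace(b"500.00", b"5000.00")
    stored_digest = sha256_digest(RECORD)
    stored_tag = hmac_tag(RECORD, KEY)

    # Case 1: data changed, stored digest untouched -> the change is caught.
    plain_hash_detects_edit = not verify_sha256(tampered, stored_digest)

    # Case 2: the party that edited the data also recomputed and stored a
    # fresh plain digest -> the unkeyed hash can no longer tell the difference.
    plain_hash_fooled_by_rehash = verify_sha256(tampered, sha256_digest(tampered))

    # Case 3: the same replacement attempted against the HMAC. Without KEY the
    # best the editor can do is a tag under a guessed key, which does not verify.
    forged_tag = hmac_tag(tampered, b"guessed-key")
    hmac_rejects_forgery = not verify_hmac(tampered, KEY, forged_tag)
    original_still_valid = verify_hmac(RECORD, KEY, stored_tag)

    return {
        "plain_hash_detects_edit": plain_hash_detects_edit,
        "plain_hash_fooled_by_rehash": plain_hash_fooled_by_rehash,
        "hmac_rejects_forgery": hmac_rejects_forgery,
        "original_still_valid": original_still_valid,
    }
```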
The letter ‘A’ is short for Availability and looks at whether data is accessible when it is needed. Provided we are authorized to access data, we should be able to access it when required. When we cannot access data when it is required, we have failed to maintain availability. In networks, we often have measures such as redundancy, failover devices and even load balancing in place so that availability is maintained.