The DNA of Security: Decoding Confidentiality, Integrity, and Availability

Source: www.securitymagazine.com

The Triad

Security management concepts and principles are important elements in creating a secure environment. They establish the necessary guidelines for a security policy and the implementation of effective security measures. The primary objectives of a secure environment are to protect confidentiality, maintain data integrity, and ensure availability (commonly known as the CIA Triad). Security controls are evaluated based on how well they address these three core principles of information security. Similarly, vulnerabilities and risks are assessed based on the potential harm they can cause to the CIA Triad principles.

Confidentiality

The idea of confidentiality refers to the procedures used to protect the privacy of information, items, or resources. To prevent or reduce illegal access to data, confidentiality protection aims to protect sensitive information. Protections against disclosure and unauthorized access are provided by confidentiality.

Confidentiality ensures that information is accessible only to authorized individuals or entities. It involves protecting sensitive data from unauthorized access, disclosure, or theft. Confidentiality measures aim to maintain privacy and prevent data breaches.

Concepts, conditions, and aspects of confidentiality include the following:

• Sensitivity — refers to the quality of information, which could cause harm or damage if disclosed.
• Discretion — is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
• Criticality -the level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information.
• Concealment -is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy.
• Secrecy -is the act of keeping something a secret or preventing the disclosure of information.
• Privacy -refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
• Seclusion -involves storing something in an out-of-the-way location, likely with strict access controls.
• Isolation — is the act of keeping something separated from others.

The framework

Who: Access to sensitive information should only be granted to authorized individuals or organizations.

What: Sensitive information that must be safeguarded against illegal access or publication.

When: No matter if the data is in motion (in transit) or at rest (being stored).

Where: Data sent via networks, stored in file systems, or stored in databases.

How: By implementing access controls, encryption, and secure communication protocols to restrict access to authorized users, prevent eavesdropping, and safeguard data from unauthorized parties.

Encryption is one method of ensuring confidentiality. For instance, when you visit your online banking account (how), data is transmitted securely through HTTPS utilizing secure communication protocols between your device and the bank’s server (how). Because of the encryption, even if data is intercepted by an unauthorized person during transmission, they will not be able to decrypt the sensitive information (how).

The use of access controls is another strategy. To limit access to sensitive data, for instance, an organization in a corporate setting may have various levels of access permissions (how). Certain confidential information, such as customer or payroll information, is only accessible to authorized employees who fulfill specific roles (who). By doing this, it is ensured that only those who need access to private information do so, and that unauthorized people cannot access sensitive information, which protects privacy.

The examples of confidential data include the following:
• Intellectual property
• Personal identity information
• Credit card information
• Bank account information
• Personal health information
• Business or trade secrets

Breach

When personal information or data provided by a client of an organization that is subject to certain data confidentiality agreements is either purposefully or mistakenly exposed to a third party without the client’s consent, there has been a breach of confidentiality.

In many nations across the world, there are numerous laws and guidelines in place that allow a corporation to be sued if it reveals confidential information to a third party without the client’s agreement. Cyber hacking typically results in an inadvertent confidentiality violation. The following are the primary sources of confidentiality violations:

• Theft of employee laptops
• Leaving computers with confidential information unattended
• Providing unauthorized access to the unconcerned person
• Unauthorized access by hacker through malware
• Consulting company employees violating confidentiality agreements
• Unlawful use of information for personal or business gains

Integrity

Integrity is a method of defending the accuracy and dependability of data. Integrity protection stops unauthorized data changes. Integrity protection that is implemented correctly gives authorized users a way to make changes while guarding against malicious and intended unauthorized activities (like viruses and intrusions) as well as errors made by authorized users (like slip-ups or mistakes).

Throughout its lifecycle, information must maintain its integrity to remain accurate, consistent, and unaltered. It entails safeguarding data from unauthorized addition, deletion, or modification. Integrity controls try to keep data trustworthy and reliable.

Integrity is dependent on confidentiality and access control. Concepts, conditions, and aspects of integrity include the following:

• Accuracy: Being correct and precise.
• Truthfulness: Being a true reflection of reality.
• Validity: Being factually or logically sound.
• Accountability: Being responsible or obligated for actions and results.
• Responsibility: Being in charge or having control over something or someone.
• Completeness: Having all necessary components or parts.
• Comprehensiveness: Being complete in scope; the full inclusion of all needed elements.

The Framework

Who: Authorized people or groups with the right to view or alter particular data.

What: Data that needs to be precise, constant, and unchanged.

When: Creation, storage, retrieval, and modification phases of the complete data lifecycle.

Where: Data repositories such as databases, file systems, or any storage medium.

How: By implementing mechanisms such as data validation, checksums, digital signatures, and access controls to ensure data remains unaltered and trustworthy. Regular backups and recovery processes can also help restore data integrity if it is compromised.

Data integrity is frequently ensured with digital signatures. For instance, if a software package or document is later modified after being digitally signed (how) by a reputable party (who), the signature will no longer be legitimate. By doing this, users are informed if any unauthorized changes have been made and the data is kept intact.

Techniques for data validation can also be used to guarantee integrity. For example, websites frequently employ form validation (how) to guarantee that user-submitted data is in the right format and complies with predetermined standards. By preventing inaccurate or malicious input from impairing the system’s usability or security, this helps maintain the integrity of the data contained in the system (what).

Breach

For the duration of its storage on the service provider’s server, any data should remain true, consistent, and valid. Data is usually stored and transmitted in encrypted form to protect its secrecy. The formats of the data vary, but ultimately, the data should be accurate and useful.

Data integrity breach activities include all actions that compromise the consistency, validity, and correctness of the data. The data may be corrupted as a result of the integrity violation, rendering it useless. The following methods are used by hackers to compromise data integrity:

• Introduction of malware on the server
• Undoable malicious encryption of data
• Manipulation of original data
• Introduction of viruses
• Malicious insiders

Availability

Availability means authorized subjects are granted timely and uninterrupted access to objects. Often, availability protection controls support sufficient bandwidth and timeliness of processing as deemed necessary by the organization or situation. Availability includes
efficient uninterrupted access to objects and prevention of denial-of-service (DoS) attacks.

Availability ensures that information and systems are accessible and usable when needed by authorized users. It involves preventing disruptions, downtime, or denial-of-service attacks that could render data or systems inaccessible. Availability measures aim to ensure continuous operation and timely access to resources.

Availability depends on both integrity and confidentiality. Without integrity and confidentiality, availability cannot be maintained. Concepts, conditions, and aspects of availability include the following:

• Usability: The trait of being simple to use, simple to understand, or simple to comprehend and control by a subject.
• Accessibility: The assurance that, regardless of their abilities or limitations, the broadest variety of subjects can interact with a resource.
• Timeliness: Being prompt, on time, within a reasonable time frame, or providing low latency response.

The Framework

Who: Users with permission who need access to data or systems.

What: Systems, applications, data, or resources that should be accessible and usable.

When: Whenever authorized users need to access or utilize the resources.

Where: Networks, servers, databases, or any infrastructure hosting the resources.

How: By implementing measures such as redundancy, fault tolerance, load balancing, disaster recovery plans, and security measures to protect against downtime, system failures, or denial-of-service attacks. Regular maintenance, monitoring, and response mechanisms help ensure continuous availability.

To ensure availability, redundancy and failover strategies are frequently used. For instance, load balancing, where many servers are employed to spread incoming traffic (what), may be used by a high-availability website (how). The load balancer automatically sends requests to the remaining servers if one server fails, ensuring continuous access to the website (how).

Plans for disaster recovery are essential for availability. In the event of a natural disaster or system failure, for instance, a business may periodically back up its data and have a plan in place to quickly restore services. These backup and recovery procedures aid in limiting downtime and ensuring availability (what) by ensuring that crucial systems and data can be restored quickly.

Breach

When the authorized user is unable to access online services or personal information that he or she is authorized for, this is known as an availability breach. Availability breaches are when approved digital resources are denied access or made unavailable.
The primary malicious behaviors used to interfere with the services’ availability include DoS attacks or network intrusions are used to transmit information. Once the hacker successfully gains access to the network, he or she illegally takes control of the servers and prevents permitted access to the resources or services by the legitimate users.

The main sources of breach of availability may include the following:
• Failure of hardware
• Malfunction of software
• Choking of data bandwidth
• Redundant arrangement failures
• DoS attacks

In summary, confidentiality, integrity, and availability are essential aspects of security. They work together to protect information from unauthorized access, ensure data accuracy and reliability, and maintain uninterrupted access to resources. Organizations and individuals need to consider these principles while designing security measures to safeguard their systems and sensitive data.

Reference:

Cybersecurity Fundamentals A Real-World Perspective- Kutub Thakur

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide-Mike Chapple, James Michael Stewart

Let’s connect?

LinkedIn: www.linkedin.com/in/ravitejmbandlekar