Foundations of Information Security - CIA Triad

Every action that you perform on the Web — whether it’s placing an online order, checking your bank account, or signing up for a new social media platform — generates data. However, the problem with data is that it needs to be stored somewhere. And not just that it needs to be stored, but it also must be secured. This may sound easy, but in fact, companies struggle to offer high-quality online services while maintaining data security and ethicality. This lesson aims to explain the basic requirements that makes information or a system secure. Let’s get started.

Prerequisites	You should know what security is and be familiar with common security jargon.
Objective	To get a comprehensive understanding of the fundamental principles of information security and why they are important.
TL;DR	Computer engineers defined a set of three fundamental principles of information security: Confidentiality, Integrity, and Availability (CIA Triad). For a system to be considered secure, it must meet all these fundamental principles of information security. Any security incident is a violation of one or more principles. Confidentiality refers to keeping the information free from being exposed to unauthorised parties. Integrity refers to keeping the information free from the danger of being unauthorised changed in any way. Availability refers to keeping the information free from intentional or accidental loss.

Over time, computer engineers defined a set of three fundamental principles of information security: Confidentiality, Integrity, and Availability. These principles describe the core threat areas for information systems and provide the mandatory requirements for a system to be considered secure. Together, they are known as the “CIA Triad”.

CIA Triad

This frameworkCIA Triad is so comprehensive that anytime a data breach is announced, a system is attacked, a website is taken down, or any other security incident occurs, there is — for sure — a violation of one or more information security principles.

In the previous lesson, we introduced the concept of vulnerability. Now, we can extend that definition and say that a vulnerability is a violation of the CIA Triad. Also, we talked about risk. Security professionals evaluate the risk of a vulnerability based on its impact over these three principles: Confidentiality, Integrity, and Availability. The more affected principles are, the dangerous a vulnerability becomes.

In the next section, we will discuss each security principle and then explore several real-world applications of the CIA Triad. Let’s start with Confidentiality.

Confidentiality

From ancient times, people understood that information is power, but only if kept private. This first principle of information security, called confidentiality, says that information that should stay secret stays secret, and only authorised people may be able to access it. Considering the nature of the information collected and handled by most companies nowadays, confidentiality is a very important aspect. Moreover, some organisations working in finances, health, or e-commerce are obliged by law to protect the privacy of customers’ data.

The two mechanisms that allow us to keep the information confidential are access controlsAn access control is a security mechanism that controls access to systems and resources. and cryptography — these concepts are discussed in-depth in the next lessons.

Integrity

The second principle, called Integrity, is concerned with the correctness, completeness, and trustworthiness of the information. Simply put, this principle says that information must be protected from being unauthorized changed, whether by human error or intentional tampering. User data travels across many systems while being processed, thus ensuring the integrity of the information both on-transit and on-rest is a crucial step from a security point of view. In most of the cases, attacks targeting the integrity are hard to detect and can cause significant damage. As Mike Gault — the founder of Guardtime, says, “A confidentiality breach in your car means someone learns your driving habits. An integrity breach means they could take over your brakes.”

Availabily

The third, but not the least important principle of information security is availability. For information to be secure, it first must be available to the users when they need it. After all, how useful are encryption and access controls if the server is shutdown?

A system that is not fault-tolerant may allow an attacker to prevent legitimate users from having access to their data through a Denial-of-Service (DoS) attack. However, intentional interruption is not the only concern when we talk about availability. Natural disasters or human errorse.g., servers destroyed due to a fire/earthquake/flood, incorrect handling of data by an employee can also affect data availability.

Recap

So, for a system to be considered secure, it must meet all three fundamental attributes of information security. Let’s quickly recap their definition:

• Confidentiality refers to keeping the information free from being exposed to unauthorised parties.
• Integrity refers to keeping the information free from the danger of being unauthorised changed in any way.
• Availability refers to keeping the information free from loss.

Without a strong understanding of these three principles, you will near-miss tons of vulnerabilities that are not so obvious.

Disambiguing the ambiguous

I know — all these new concepts may sound a bit too academic, so let’s take a simple example to illustrate the principles.

When you send data over the Internet (e.g., a message to a friend from a different country), it doesn’t go straight to your friend’s computer since you are miles away from him. Instead, your message travels across multiple other systems before reaching its destination, as illustrated in Figure 2.

This is quite similar to kids passing notes during classes, isn’t it? So let’s suppose Tom, a six-grade student, wants to send a secret note to his colleague, Alice. Unfortunately, Tom is too far to deliver the message himself, so he needs to pass it to Mike, who is closer to Alice. Next, Mike should pass the note to someone else and so on, until the note reaches Alice.

From an information security perspective, this scenario violates all the three principles described above. First, any of Tom’s colleagues along the path can read the message. Thus, the information is no longer confidential.

Second, any of Tom’s colleagues along the path can alter the content of the message. Thus, the information losses its integrity.

Last, any of Tom’s colleagues along the path can destroy the note, resulting in loss of availability.

Why understanding CIA Triad is essential?

Many times, people ask us: “Hey, I found this file or this endpoint, or I got this error. Do you think it’s a vulnerability? Should I report it?”. Well, when this question comes from a beginner, it’s understandable — it takes a bit until you understand how things work. But sadly, not all of these people are beginners. Some of them have several years of experience and still are not able to differentiate an intended behaviour from a vulnerability. Why?

Because they skipped the basics. This lesson is perhaps the most important so far, as we literally discussed the anatomy of a vulnerability, or in other words, what makes an application vulnerable. Without a strong understanding of these three principles, you will near-miss tons of vulnerabilities that are not so obvious.