February 12, 2020
Take Your Pick: the CIA Triad
Cybersecurity practitioners, savvy systems administrators, and business leaders alike are growing more familiar with the ubiquitous information security triad known as “CIA”, an acronym representing the elements of Confidentiality, Integrity, and Availability. In academic environments, I sometimes like to pose a seemingly simple question: if you could only choose one of these, which element of the CIA triad would you guarantee on a given network?
Of course, most of the best answers to this question start with “well, it depends.” Certainly, the purpose and technology of the system in question could factor into your answer. But first, it helps to understand what each of these elements really means in the context of cybersecurity.
Confidentiality means that information cannot be revealed or otherwise observed on an endpoint or while the information is traveling among endpoints in a network. Confidentiality is sometimes described in terms synonymous with “privacy”. Many US Government and military programs rightly aim to protect the confidentiality of information. Consider examples such as Operations Security, the protection of classified or sensitive military information, or private information. Each of these aims to ensure that adversaries do not get their hands on sensitive information. In a business context, this might be the prime concern: protecting trade secrets to maintain a competitive advantage is surely an important cybersecurity objective. But in many scenarios, a confidentiality breach aims to elevate the adversary to a position where they can compromise the integrity of a system.
Integrity means that adversaries cannot alter or destroy information on an endpoint or while it is transiting across a network. Security capabilities that seek to ensure data integrity also aim, at a minimum, to notify receivers when data has been tampered with or destroyed.
Availability means people who need access to information are not impeded from doing so. In a simplified sense, this element boils down to just keeping the system up and usable. When I was a help desk operator, it often seemed to me that network availability was the most important element of security. However, in retrospect, that aim was more about customer service metrics (which are certainly important!) than it was about cybersecurity.
So, in returning to our original question: if you could enable only one of these, which would you choose? One could conceive of any number of scenarios where each element could be framed as the most important of the three. And still, others would argue that there is a lot more to cybersecurity than these three elements (and they would be right). However, for my money, I choose integrity in nearly every scenario. Confidentiality means protecting information from an adversary – and the compromise of that data could allow adversaries to go on and do bad things to victims. Those bad things usually involve a data integrity attack of some kind.
For example, confidentiality describes efforts to protect the schematics or display data of a mission system that enables an air picture of a military theater of operations. Availability describes efforts to make sure the air picture display capability does not vanish when needed by its users. However, integrity describes efforts to prevent adversaries from changing the information of an air picture display (such as deleting, moving, or reclassifying data). The reason integrity would worry me most in this scenario is that by affecting data integrity, adversaries might tamper with the essence and purpose of the air picture itself: a system that enables leaders to accurately characterize a wartime environment and respond appropriately.
Your business example might be different. Perhaps the most important thing is to have a conversation among your team and think deeply about your cybersecurity provisions. The CIA triad is not the end of security wisdom, but hopefully, it can serve as a useful beginning. What cybersecurity element would you choose for your team and why? Does your cybersecurity service provider discuss your security options with you and your key staff? We would love to hear your thoughts and responses or to help you arrive at the best security solution for your needs.