What are the three (3) areas of information security that require a security program priority?

The fundamental principles (tenets) of information security are confidentiality, integrity, and availability. Every element of an information security program (and every security control put in place by an entity) should be designed to achieve one or more of these principles. Together, they are called the CIA Triad.

What is Confidentiality?

Confidentiality measures are designed to protect against unauthorized disclosure of information. The objective of the confidentiality principle is to ensure that private information remains private and that it can only be viewed or accessed by individuals who need that information in order to complete their job duties.

What is Integrity?

Integrity involves protection from unauthorized modifications (e.g., add, delete, or change) of data. The principle of integrity is designed to ensure that data can be trusted to be accurate and that it has not been inappropriately modified.  

What is Availability?

Availability means protecting the functionality of the supporting systems and ensuring that data is accessible at the point in time (or over the period) when its users need it. The objective of availability is to ensure that data can be used when it is needed to make decisions.

Effectively executing all three tenets of the Security Triad produces the ideal outcome from an information security perspective. Consider this example: An organization obtains or creates a piece of sensitive data that will be used in the course of its business operations. Because the data is sensitive, it should only be visible to the people in the organization who need to see it in order to do their jobs, and it should be protected from access by unauthorized individuals. This is the principle of confidentiality.

When the individual who needs that piece of data to perform a job duty is ready to use it, it must be readily accessible (i.e. online) in a timely and reliable manner so the task can be completed on time and the company can continue its processing. This is the principle of availability. Finally, the data will be used in calculations that affect business decisions and investments the organization will make, so the accuracy of the data is critical to the correctness of those calculations and results. The assurance that the data has not been improperly tampered with, and therefore can be trusted when making the calculations and the resulting decisions, is the principle of integrity.

LBMC Information Security provides strong foundations for risk-management decisions. Its security risk assessments are designed to give an organization the information it needs to fully understand its risks and compliance obligations.



Understanding the significance of the three foundational information security principles: confidentiality, integrity, and availability.

July 08, 2019


Introduction


In the information security (InfoSec) community, “CIA” has nothing to do with a certain well-recognized US intelligence agency. These three letters stand for confidentiality, integrity, and availability, otherwise known as the CIA triad.

Together, these three principles form the cornerstone of any organization’s security infrastructure; in fact, they (should) function as goals and objectives for every security program. The CIA triad is so foundational to information security that anytime data is leaked, a system is attacked, a user takes a phishing bait, an account is hijacked, a website is maliciously taken down, or any number of other security incidents occur, you can be certain that one or more of these principles has been violated.

Security professionals evaluate threats and vulnerabilities based on the potential impact they have on the confidentiality, integrity, and availability of an organization’s assets—namely, its data, applications, and critical systems. Based on that evaluation, the security team implements a set of security controls to reduce risk within their environment. In the next section, we’ll provide precise and detailed explanations of these principles in the context of InfoSec, and then look at real-world applications of these principles.

Confidentiality

Confidentiality refers to an organization’s efforts to keep its data private or secret. In practice, it’s about controlling access to data to prevent unauthorized disclosure. Typically, this involves ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access. As an example, only authorized Payroll employees should have access to the employee payroll database. Furthermore, within a group of authorized users, there may be additional, more stringent limitations on precisely which information those authorized users are allowed to access. Another example: it’s reasonable for ecommerce customers to expect that the personal information they provide to an organization (such as credit card, contact, shipping, or other personal information) will be protected in a way that prevents unauthorized access or exposure.

Confidentiality can be violated in many ways, for example, through direct attacks designed to gain unauthorized access to systems, applications, and databases in order to steal or tamper with data. Network reconnaissance and other types of scans, electronic eavesdropping (via a man-in-the-middle attack), and escalation of system privileges by an attacker are just a few examples. But confidentiality can also be violated unintentionally through human error, carelessness, or inadequate security controls. Examples include failure (by users or IT security) to adequately protect passwords; sharing of user accounts; physical eavesdropping (also known as shoulder surfing); failure to encrypt data (in process, in transit, and when stored); poor, weak, or nonexistent authentication systems; and theft of physical equipment and storage devices.

Countermeasures to protect confidentiality include data classification and labeling; strong access controls and authentication mechanisms; encryption of data in process, in transit, and in storage; steganography (which hides that data exists at all, rather than protecting it once found); remote wipe capabilities; and adequate education and training for all individuals with access to data.
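The "more stringent limitations within a group of authorized users" point above is easiest to see in code. The following is an added example, not part of the F5 Labs article: a deny-by-default, field-level read check for a payroll record. The roles, field names, department-scoping rule and the sample record are assumptions constructed for illustration; only the Python standard library is used.

```python
"""Deny-by-default, field-level access check for a payroll record.

Added example (not from the original article). Roles, field names, the
department-scoping rule and the sample record are constructed for illustration.
"""
from dataclasses import dataclass

# Policy: role -> fields that role may read. Anything not listed is denied.
# These roles and field names are assumptions for the example.
READ_POLICY = {
    "payroll_clerk":   {"employee_id", "name", "department", "gross_pay"},
    "payroll_manager": {"employee_id", "name", "department", "gross_pay", "bank_account"},
    "hr_admin":        {"employee_id", "name", "department", "ssn", "home_address"},
}

# Fields whose disclosure is always recorded, whatever the role.
SENSITIVE_FIELDS = {"ssn", "bank_account", "home_address"}


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    department: str


# Constructed sample record (placeholder values, not real data).
PAYROLL_RECORD = {
    "employee_id": "E-1042",
    "name": "A. Example",
    "department": "engineering",
    "gross_pay": 8200.00,
    "bank_account": "****7781",
    "ssn": "***-**-1234",
    "home_address": "redacted for example",
}


def authorize_read(principal: Principal, record: dict, fields: set) -> tuple:
    """Return (granted_fields, audit_events).

    Rules (assumed for the example):
      * an unknown role gets nothing (deny by default);
      * a role sees only the fields its policy lists, never the whole record;
      * payroll_clerk is additionally scoped to records in their own department;
      * every sensitive field actually returned produces an audit event.
    """
    allowed = READ_POLICY.get(principal.role, set())
    if principal.role == "payroll_clerk" and principal.department != record.get("department"):
        allowed = set()
    granted = {f: record[f] for f in fields if f in allowed and f in record}
    audit = [f"{principal.user} read {f} of {record['employee_id']}"
             for f in sorted(granted) if f in SENSITIVE_FIELDS]
    return granted, audit


if __name__ == "__main__":
    clerk = Principal("clerk1", "payroll_clerk", "engineering")
    print(authorize_read(clerk, PAYROLL_RECORD, {"name", "gross_pay", "ssn"}))
    admin = Principal("hr1", "hr_admin", "people")
    print(authorize_read(admin, PAYROLL_RECORD, {"ssn", "gross_pay"}))
```

Two design choices carry the security point: the function returns a filtered projection of the record rather than a boolean, so a caller cannot accidentally pass the full row through after a "yes", and the policy is a positive allow-list, so a newly added field is invisible to everyone until someone explicitly grants it.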

Integrity

In everyday usage, integrity refers to the quality of something being whole or complete. In InfoSec, integrity is about ensuring that data has not been tampered with and, therefore, can be trusted. It is correct, authentic, and reliable. Ecommerce customers, for example, expect product and pricing information to be accurate, and that quantity, pricing, availability, and other information will not be altered after they place an order. Banking customers need to be able to trust that their banking information and account balances have not been tampered with. Ensuring integrity involves protecting data in use, in transit (such as when sending an email or uploading or downloading a file), and when it is stored, whether on a laptop, a portable storage device, in the data center, or in the cloud.

As is the case with confidentiality, integrity can be compromised directly via an attack vector (such as tampering with intrusion detection systems, modifying configuration files, or changing system logs to evade detection) or unintentionally, through human error, lack of care, coding errors, or inadequate policies, procedures, and protection mechanisms.

Countermeasures that protect data integrity include hashing, message authentication codes, digital signatures, digital certificates (trusted certificate authorities (CAs) issue digital certificates to organizations to verify their identity to website users, much as a passport or driver’s license verifies an individual’s identity), intrusion detection systems, auditing, version control, and strong authentication mechanisms and access controls. Encryption is often listed here as well, but on its own it protects confidentiality only; it protects integrity when paired with a MAC or used in an authenticated-encryption mode.

Note that integrity goes hand in hand with the concept of non-repudiation: the inability to deny something. By using digital signatures in email, for example, a sender cannot deny having sent a message, and the recipient cannot claim the message received was different from the one sent. Non-repudiation assists in ensuring integrity.
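The two paragraphs above (integrity countermeasures, and non-repudiation) are worth seeing in working code. The following is an added example, not from the F5 Labs article, using only the Python standard library. It shows why unauthenticated encryption does not give integrity: an attacker who cannot read the key can still flip bits in the ciphertext so that it decrypts to a value of their choosing, and a keyed HMAC over the ciphertext is what catches the change. The XOR keystream, the message and the account identifier are constructed for illustration; the XOR stands in for any unauthenticated cipher mode and is not a real cipher.

```python
"""Tampering detection: unauthenticated encryption vs. HMAC.

Added example, not code from the original article. Standard library only.
The XOR keystream is a toy stand-in for an unauthenticated cipher; the
message, amount and account are constructed values.
"""
import hashlib
import hmac
import os


def xor_keystream(data: bytes, key: bytes) -> bytes:
    # Toy stand-in for an unauthenticated cipher: the same call encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def flip_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bit-flipping attack: XOR the ciphertext at `offset` with old^new so that
    decryption yields `new` where the plaintext had `old`. Needs no key,
    only knowledge of the plaintext layout."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    patched = bytearray(ciphertext)
    for i, d in enumerate(delta):
        patched[offset + i] ^= d
    return bytes(patched)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so the check itself leaks no timing side channel.
    return hmac.compare_digest(mac(key, data), tag)


def demo() -> dict:
    enc_key = os.urandom(16)
    mac_key = os.urandom(32)
    message = b"transfer=00001000.00;to=ACCT-42"      # constructed
    ciphertext = xor_keystream(message, enc_key)
    tag = mac(mac_key, ciphertext)                     # encrypt-then-MAC

    # Attacker changes 1000.00 to 999000.00 without the key; the keystream
    # is positional, so the ciphertext offset equals the plaintext offset.
    offset = message.index(b"00001000")
    tampered = flip_bytes(ciphertext, offset, b"00001000", b"00999000")
    tampered_plain = xor_keystream(tampered, enc_key)

    return {
        "decrypts_to_attacker_value": tampered_plain == b"transfer=00999000.00;to=ACCT-42",
        # An unkeyed hash differs, but an attacker who can edit the data can
        # usually replace a hash stored beside it, so this alone is not a control.
        "plain_hash_differs": sha256_hex(message) != sha256_hex(tampered_plain),
        "mac_rejects_tampering": not verify_mac(mac_key, tampered, tag),
        "mac_accepts_original": verify_mac(mac_key, ciphertext, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

One caveat ties this to the non-repudiation paragraph: an HMAC proves the data was not changed by anyone without the key, but because sender and receiver share that key, either of them could have produced the tag, so a MAC gives integrity without non-repudiation. A digital signature, where only the signer holds the private key, is what lets a third party attribute the message to its sender.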

Availability

Systems, applications, and data are of little value to an organization and its customers if they are not accessible when authorized users need them. Quite simply, availability means that networks, systems, and applications are up and running. It ensures that authorized users have timely, reliable access to resources when they are needed.

Many things can jeopardize availability, including hardware or software failure, power failure, natural disasters, and human error. Perhaps the most well-known attack that threatens availability is the denial-of-service attack, in which the performance of a system, website, web-based application, or web-based service is intentionally and maliciously degraded, or the system becomes completely unreachable.

Countermeasures to help ensure availability include redundancy (in servers, networks, applications, and services), hardware fault tolerance (for servers and storage), regular software patching and system upgrades, backups, comprehensive disaster recovery plans, and denial-of-service protection solutions.

Applying the Principles

Depending on an organization’s security goals, the industry, the nature of the business, and any applicable regulatory requirements, one of these three principles might take precedence over another. For example, confidentiality is vital within certain government agencies (such as intelligence services); integrity takes priority in the financial sector where the difference between $1.00 and $1,000,000.00 could be catastrophic; and availability is critical in both the ecommerce sector (where downtime can cost companies millions of dollars), and the healthcare sector (where human life could be lost if critical systems are unavailable).

A key concept to understand about the CIA triad is that prioritizing one or more principles can mean the tradeoff of others. For example, a system that requires high confidentiality and integrity might sacrifice lightning-speed performance that other systems (such as ecommerce) might value more highly. This tradeoff is not necessarily a bad thing; it is a conscious choice. Each organization must decide how to apply these principles given their unique requirements, balanced with their desire to provide a seamless and safe user experience.

To learn about other foundational security concepts, read What Are Security Controls?

Debbie Walkowski (Author)

Security Threat Researcher, F5 Labs
