What is CIA (in Cybersecurity)?
By Bill Bernard
No, we’re not talking about the Central Intelligence Agency.
Like other unfortunate acronyms out there in the world (one of our favorites is the WTF, aka the World Trade Federation), CIA can often mean a few things. Normally, yes, it does refer to the Central Intelligence Agency. But when it comes to cybersecurity, it means something entirely different.
In cybersecurity, CIA refers to the CIA triad — a concept that focuses on the balance between the confidentiality, integrity and availability of data under the protection of your information security program.
This concept has emerged over the past two decades as a key tenet for information security professionals as it helps direct efforts, spend and hours when trying to create and optimize a cybersecurity program and align it to the needs of the business.
Breaking down the CIA of cybersecurity
Keeping data secure
At its core, the tenet of confidentiality is about keeping what needs to be private, private. Government regulation, industry compliance requirements, expectations from your business partners and your company’s own business priorities all play a role in defining what data needs to be kept confidential.
In practice, confidentiality is about controlling access to data so that only authorized users can access or modify it. No matter what industry a business is in, it’s that business’s responsibility to keep its own data and its clients’/customers’ data out of the hands of those who would misuse it. This is perhaps the most obvious of the three CIA components.
Confidentiality can be violated both intentionally and unintentionally, through direct attacks meant to gain access through vulnerable parts of a network or through carelessness and human error. Having strong controls and good training for employees goes a long way in maintaining a business’s confidentiality.
Keeping data clean
Integrity focuses on keeping data clean and untainted, both when it’s uploaded and when it’s stored. This means making sure only those who are allowed to modify it, modify it.
While data being leaked is a problem, having data be maliciously or accidentally altered can also create a world of problems and weeks of headaches for businesses. When this happens, trust flies out the window. Businesses, their partners and their customers need to be able to rely on accurate, reliable, up-to-date information at all times. If this cannot be the case, there’s a problem.
This requirement isn’t just applicable to data that must be kept confidential. Content on a company’s website needs to be accurate, too. Pricing, descriptions and even store hours need to all be accurate. This sort of publicly visible data must have its integrity protected as well.
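As an added illustration (not code from the original article), the following Python shows one common way an integrity control works in practice: an authorized writer attaches a keyed hash (an HMAC) to a record when it is stored, and anyone reading the record later recomputes the tag. If the data was altered, maliciously or by accident, the tag no longer matches and the change is detected. The product record, function names and the key are constructed for this example.

```python
import hmac
import hashlib
import json

# Constructed placeholder key for this example only; a real deployment would
# keep the key in a secrets store and never in source code.
SECRET_KEY = b"example-integrity-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical data always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = SECRET_KEY) -> str:
    """Tag an authorized writer attaches when storing the record (HMAC-SHA256)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag and compare in constant time.

    Returns False if the record, the tag, or the key differs from what was stored.
    """
    expected = sign_record(record, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run three checks: untouched data, an unauthorized edit, and a harmless key reorder."""
    # Constructed sample: a product listing as an e-commerce back end might store it.
    product = {"sku": "EX-1001", "description": "Blue widget, 12-pack", "price_cents": 1999}
    tag = sign_record(product)

    results = {"untouched": verify_record(product, tag)}

    # Someone changes the price without going through the authorized path.
    tampered = dict(product, price_cents=199)
    results["tampered_price"] = verify_record(tampered, tag)

    # Same data, different key order: canonical serialization makes this still verify.
    reordered = {"price_cents": 1999, "sku": "EX-1001", "description": "Blue widget, 12-pack"}
    results["reordered_keys"] = verify_record(reordered, tag)
    return results


if __name__ == "__main__":
    print(demo())
```

The tag does not prevent an unauthorized change; that is the job of access controls, which is why the article ties integrity to "only those who are allowed to modify it." What the tag gives you is reliable detection, so the business learns that a description or price was altered before a customer does.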
Keeping data accessible
Availability essentially means that when an authorized user needs to access data or information, they can. It can sometimes be confused with or even seem to contradict confidentiality.
While confidentiality is about making sure that only the people who need to access the data can get to it, availability is about making sure that it’s easy to access that data should an authorized person need to. This can include making sure networks and applications are running as they should, that security protocols are not hindering productivity or that a resource is on-hand for when an issue arises and needs fixing.
When availability comes under attack or gets left by the wayside, business can come to a halt. Whether it’s a block on payroll or email or confidential data required to operate a business, if employees can’t get to what they need to work, well, they can’t work. Finding the balance between accessing data and making sure that your business can still operate is a key part of the CIA triad.
Confidentiality, integrity and availability set the foundation for all security frameworks. The tug of war that sometimes exists between them varies from industry to industry and helps set priorities for cybersecurity teams.
What is CIA in cybersecurity in action?
For example, imagine you run a successful e-commerce business.
- PCI compliance requires — and your customers expect — credit card information to be securely stored so that fraudulent transactions don’t occur (confidentiality).
- Your e-commerce site must be available 24 hours per day, 7 days per week so that you can service shoppers whenever they choose to shop (availability).
- And when their order arrives, they don’t want to have received the wrong thing because the product description on the site did not reflect the product properly, or because something on the back-end got messed up (integrity).
Addressing each of these requires cooperation between the security team and the business. Developers will be asked to write code that complies with PCI requirements. IT will be asked to secure and maintain quality hardware (or cloud services) and software to run the website reliably. Sales and order fulfillment will need to ensure they put the correct information on the website and that appropriate processes are in place to get the correct package to the correct buyer. Security needs to work with all of these departments to help ensure those goals are met.
In this situation, while all three are obviously important, confidentiality and availability will likely take precedence over integrity, because a stolen identity and fraudulent charges are more damaging than an incorrect package.
But now, imagine you’re a government contractor. The classified information you work with on a daily basis (confidentiality) and trustworthiness of that information (integrity) take precedence over how easy it is for someone to access it (availability), dictating your priorities in that direction. An extra few sign-in steps mean nothing when national security is on the line.
Finding the right balance between the components of the CIA triad for your business isn’t always easy, and doing it properly takes a strong partnership with the business side of your organization. But when it’s out of balance, your business will suffer.
Effective security operations are critical to meeting the goals of CIA
Without effective monitoring, analysis and alerting on the security events in your environment, you won’t be able to measure how well you’re meeting your CIA goals, and you may miss violations of those goals, allowing events to escalate into incidents.
Deepwatch was built to provide valuable managed security operations services to help customers maintain visibility into their performance, identify security events and incidents and meet their cybersecurity CIA goals.