These days, security matters to companies as much as sales does. When your company depends on renewals, you're not selling your product once; you're selling it day in, day out. The moment you suffer a breach or your services go down, you can be sure your customers and users are looking at your competitors.
Strong cybersecurity helps safeguard your data and your networks from theft, fraud and unauthorized access. To build security into everything you do, let’s look at a foundational security concept: confidentiality, integrity, and availability, known collectively as the CIA triad.
The CIA security triad guides information security strategies to inform areas like security framework implementation and cyber threat intelligence. Security experts I talked with underscored how these concepts are absolutely useful today, though maybe they’re in need of some updates.
Let’s take a look.
This is a comprehensive article, so let's sum it up briefly:
Identifying key attributes of information that every organization must protect, the CIA triad enables security teams to analyze risks effectively and quantitatively. Yes, there's some discussion in the industry about whether these concepts need updating, which we'll get into later.
First, you might be wondering why security is so important — or why it’s so difficult to achieve.
Google Trends shows that more people than ever are searching online for “cybersecurity” and “IT security”; the peaks in that chart mark the highest search volume. People are searching for “computer security” less often, probably because we're all well aware that security affects us anywhere we leave digital footprints: computers, cell phones, streaming TVs, at-home and smart devices.
And sure, it's not all that hard to protect your own individual stuff, right? Password managers, multi-factor authentication, encrypted thumb drives, hardware key fobs, VPNs. Now imagine that you're the chief information security officer (CISO) for a large, multinational organization. Security just got a lot more challenging.
Now let’s turn to the foundations of cybersecurity.
Confidentiality is up first, and for good reason, says Larry Kinkaid of BARR Advisory:
“Security strategies tend to place the most focus on protecting data from prying eyes. At its most basic level, this means users are required to authenticate their identities and prove who they are, and then the system determines whether they are authorized to ‘read.’ This is the reason encryption has been around for a long time — to further protect data both at rest and in transit.”
So, we can sum up confidentiality as protecting information from unauthorized access. What sorts of information? A lot:
The question then becomes, how do you protect confidential data from unauthorized access? Let's first look at how confidentiality fails, then we can see how to ensure it.
A confidentiality breach occurs when unauthorized entities gain access to your confidential data. This can happen in various ways, including external intrusions into your systems, insider threats, social engineering attacks and brute-force attacks on credentials.
For example, a data breach might occur when an attacker gains access to a database that stores sensitive information like credit card numbers and personally identifiable information (PII). An insider attack happens when an employee, carelessly or intentionally, accesses sensitive information and leaks it.
A social engineering attack is when an attacker tricks an employee into revealing sensitive information like login credentials. Phishing is a common example of this.
In each example, the confidentiality of your sensitive information is now compromised: unauthorized individuals can access it and potentially use it in harmful ways. Even if no harm follows, the exposure is a risk you must account for.
(Explore vulnerabilities, threats and risk, another foundational security principle.)
To ensure confidentiality, businesses can take several steps.
Next up is integrity. Integrity (or data integrity) is the accuracy and consistency of data as well as the completeness and reliability of systems. It means that data is complete and accurate from its original form. For systems, integrity means that systems are free from corruption, tampering or unauthorized modification.
Ensuring the integrity of data and systems allows businesses to make confident and reliable decisions based on their data. Further, it helps prevent operating errors, breaches and losses that can damage the business.
Traditionally, integrity came second to confidentiality; in more modern approaches, the two are woven together.
A breach of integrity occurs when data is changed without authorization or by accident. This can happen in various ways:
To ensure integrity, logical access controls like periodic access reviews and the principle of least privilege are great places to start. By authorizing only specific individuals to make changes, these controls protect the integrity of the information. Kinkaid notes that encryption can be useful when it comes to integrity:
“Often considered a control for confidentiality, encryption is also designed to ensure that data is not modified in transit and enforces the principle of non-repudiation.”
Businesses can use checksums or cryptographic hashes to verify that data isn’t changed or corrupted. Additionally, they can use transaction logs or audit trails to track changes to data and systems so they can detect and correct any unauthorized or improper changes.
Finally, implementing policies and procedures for data management, such as regular backups and access controls, can help ensure data and system integrity.
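To make the checksum-versus-hash point concrete, here is an added Python example (not code from the article or from Splunk) that uses only the standard library. The JSON record, the tampering step and the key are all constructed here for illustration. It also shows the caveat a practitioner needs: an unkeyed hash stored next to the data catches accidental corruption, but an attacker who can rewrite the data can recompute the hash too, so detecting deliberate tampering needs a secret the attacker lacks, such as an HMAC key or a signing key.

```python
"""Integrity checks on a record: an unkeyed hash catches accidental
corruption, a keyed HMAC also catches deliberate tampering.

Added example, not from the Splunk article. The record, the key and the
tampering are constructed here for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample record that a system might store or transmit.
RECORD = b'{"account": "A-1001", "amount": 250.00, "currency": "USD"}'


def sha256_digest(data: bytes) -> str:
    """Unkeyed cryptographic hash: detects accidental change or corruption."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(expected: str, actual: str) -> bool:
    """Constant-time comparison so the check itself does not leak timing."""
    return hmac.compare_digest(expected, actual)


def attacker_tampers(data: bytes) -> bytes:
    """Simulated unauthorized modification: inflate the amount field."""
    return data.replace(b"250.00", b"2500.00")


def unkeyed_check_detects_corruption() -> bool:
    """Stored digest vs. a record damaged by bit rot or truncation."""
    stored = sha256_digest(RECORD)
    corrupted = RECORD[:-1] + b"!"
    return not verify(stored, sha256_digest(corrupted))


def unkeyed_check_fooled_by_attacker() -> bool:
    """An attacker who can edit the record can recompute the hash as well,
    so a hash stored beside the data proves nothing against tampering.
    Returns True when the forged pair passes verification."""
    tampered = attacker_tampers(RECORD)
    attacker_digest = sha256_digest(tampered)
    return verify(attacker_digest, sha256_digest(tampered))


def keyed_check_detects_tampering(key: bytes) -> bool:
    """Without the key the attacker cannot produce a matching tag; the old
    tag left in place no longer verifies over the modified record."""
    tag = hmac_tag(key, RECORD)
    tampered = attacker_tampers(RECORD)
    return not verify(tag, hmac_tag(key, tampered))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("hash catches corruption:", unkeyed_check_detects_corruption())
    print("hash fooled by attacker who rewrites it:", unkeyed_check_fooled_by_attacker())
    print("HMAC catches tampering:", keyed_check_detects_tampering(key))
```

The same reasoning applies to the transaction logs and audit trails mentioned above: an audit log that the writer can also edit is only as trustworthy as the key or the append-only store that protects it.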
Availability refers to maintaining the ability to access your resources when needed, even under adverse conditions (like a natural disaster) or after suffering intentional cyberattacks. And if this definition feels like a moving target, you're not alone. Indeed, Kinkaid sees that “availability” as a concept has changed the most in recent years.
Today, availability figures in practically every conversation about the uptime and resilience of services. (Of course, we are experiencing more natural and security disasters, too.) Availability plays crucial roles in concepts like:
“While these plans have always existed,” Kinkaid points out, “they are much more formalized and mature now, and often created to be essentially customer-facing. A robust security program that addresses availability is a value-add and potential differentiator between an organization and their competition.”
Some common causes of availability breaches include hardware or software failures, network outages, power outages, natural disasters and cyberattacks.
A hardware failure might cause a server to crash, preventing users from accessing its data or services. Network outages might prevent users from accessing data or systems over the internet. Power outages might prevent users from accessing data or systems that rely on electrical power. A natural disaster, such as a flood or earthquake, might cause physical damage to data centers or other critical infrastructure, disrupting access to data and systems. A cyberattack, such as a denial-of-service attack, might overwhelm a system with traffic, preventing legitimate users from accessing it.
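One way to keep a service available under the kind of traffic flood described above is to shed excess requests per client rather than let one client consume the capacity everyone else is served from. The following Python token-bucket limiter is an added example, not code from the article or from Splunk; the rate, the burst size and the request stream (a flood from one address and three ordinary requests from another, both RFC 5737 documentation addresses) are all constructed here.

```python
"""Per-client token-bucket rate limiting to protect availability.

Added example, not code from the article or from Splunk. The limits and
the request stream below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

RATE = 5.0    # sustained requests per second a single client may make
BURST = 10.0  # extra requests a client may make in a short burst


@dataclass
class Bucket:
    tokens: float  # a new client starts with a full burst allowance
    last: float = 0.0  # timestamp of the previous request


class RateLimiter:
    """Each client gets its own bucket, so a flooding client drains only
    its own allowance and legitimate clients keep being served."""

    def __init__(self, rate: float = RATE, burst: float = BURST):
        self.rate = rate
        self.burst = burst
        self.buckets = defaultdict(lambda: Bucket(tokens=burst))

    def allow(self, client: str, now: float) -> bool:
        b = self.buckets[client]
        # Refill in proportion to elapsed time, never above the burst cap.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False  # shed this request; the client is over its limit


def simulate() -> dict:
    """Replay a constructed one-second window: 200 requests from a flooding
    client and 3 from an ordinary one. Returns requests served per client."""
    limiter = RateLimiter()
    served = defaultdict(int)
    requests = [(i / 200.0, "203.0.113.9") for i in range(200)]  # flood
    requests += [(0.1, "198.51.100.20"), (0.5, "198.51.100.20"),
                 (0.9, "198.51.100.20")]                          # normal use
    for ts, client in sorted(requests):
        if limiter.allow(client, ts):
            served[client] += 1
    return dict(served)


if __name__ == "__main__":
    for client, count in simulate().items():
        print(f"{client}: served {count} of its requests")
```

In the replay the flooding client gets its 10-request burst plus roughly 5 more over the second (14 served, 186 shed), while the ordinary client has all 3 of its requests served from its own untouched bucket. In production the limiter would sit in a gateway or load balancer in front of the service, and the shed counts per client are exactly the signal a detection team wants to alert on.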
Ensuring availability must be baked into many areas of network and software development:
(Learn more about availability management.)
Today, the CIA triad remains foundational and useful. But let’s look at two arguments within the security industry: whether to add more InfoSec properties to the concept, and its practicality when everyone is a digital user.
Of course, security professionals know that computer security doesn’t stop with the CIA triad. ISO-7498-2 includes two more properties for computer security:
Some folks argue that the CIA triad should add more components, such as non-repudiation or physical security. Walter Haydock, Founder and CEO of StackAware, disagrees, citing redundancy:
“Mission critical and life-sustaining systems such as operational technology in power plants and embedded medical devices rely on data integrity and availability to function correctly, making the protection of life and limb a 'downstream' byproduct. And in military and intelligence contexts, data confidentiality can often mean the difference between survival and death.”
Despite the non-stop evolution of cyber threats as well as technology, Haydock says the CIA triad remains a simple — and effective — framework for InfoSec.
Cybersecurity is no longer relegated only to NOCs and SOCs. It’s baked into every decision we make, deciding which enterprise vendor to onboard on a five-year contract all the way to whether to download an app on our cell phone to track our exercise. This is particularly true when you look at any modern workplace, relying on a wealth of third-party vendors and software.
That means every single person within an enterprise must also take responsibility for security. Andreas Grant, a network security engineer, says that internal threats are “an open secret” making cybersecurity an even bigger issue. Does the CIA triad account for end users, like employees within your organization? Grant argues:
“The CIA triad does not prepare the users in any shape or form to tackle inexperienced end-users. While people with malicious intents are different, there should be a fail-safe for inexperienced people. A cybersecurity infrastructure should also account for its users and their basic understanding of cybersecurity. At least in big companies, there must be some sort of training in organizations to prevent inside attacks. Unfortunately, this is mostly considered as an option after a leak.”
Ultimately, Grant believes that end user behavior must also be accounted for. “I have seen time and time again how a super-strong infrastructure got messed up,” he continues, “only because the employees didn't know better.”
Certainly, if you follow the best practices laid out in this article, including the ongoing education of all players, you’ll be in as strong a spot as possible. Still, every security pro knows that 100% security is never possible.