The CIA Triad

The foundational principles of computer security are known as the CIA Triad. Each letter represents an important concept for information security:

  1. Confidentiality: Ensuring that information is accessible only to authorized individuals or entities. Confidentiality prevents the disclosure of sensitive data to unauthorized parties.
  2. Integrity: Maintaining the accuracy, completeness, and trustworthiness of data. Integrity ensures that information is not altered or tampered with by unauthorized parties.
  3. Availability: Ensuring that authorized users have reliable and timely access to information and resources when needed. Availability prevents disruptions to the accessibility of systems and data.

These three principles form the core objectives of information security and are used to guide the design, implementation, and maintenance of computer security measures. By upholding the CIA Triad, organizations can protect their critical information assets and ensure the overall security of their computer systems.

Confidentiality
All data can be categorized by the level of privacy it requires, and the protection applied to it can be matched to that level. As an example, consider a medical device company. Marketing materials related to its products should be accessible to everyone inside and outside the company. Its client list and product design documents should be accessible only internally, to the people who need this information to perform their jobs.

To guard against unauthorized access, the company might encrypt very sensitive data and grant access to it only to those who are authorized. Authentication can take the form of user IDs and passwords or security tokens. To be extra safe with sensitive data, the company may choose to require two-factor authentication (2FA) to access the most sensitive data.

Integrity
The integrity of the data must be guaranteed: data should be protected from being inadvertently modified or damaged. This can be done using file permissions and access control, version control, checksums to verify data integrity, and backups to restore the original state in case of damage. Data verification should be done both on data that is stored and on data that is transferred.
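As an added illustration of the checksum idea in this section (example code, not part of the original article), the following Python keeps a SHA-256 manifest for stored files and a keyed HMAC for transferred data, since a plain checksum on data in transit can simply be recomputed by whoever altered it. The file contents, message and shared key are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Record one checksum per stored file; keep the manifest beside the backup."""
    return {p: sha256_file(p) for p in paths}

def verify_manifest(manifest):
    """Return the files whose current checksum no longer matches the manifest."""
    return [p for p, digest in manifest.items()
            if not os.path.exists(p) or sha256_file(p) != digest]

def tag_message(key, data):
    """Data in transit gets a keyed MAC (HMAC-SHA256): without the key,
    whoever changes the bytes cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_message(key, data, tag):
    # constant-time comparison so the check does not leak the tag via timing
    return hmac.compare_digest(tag_message(key, data), tag)

def demo():
    """Constructed walk-through: one stored file, one transferred message."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "design.txt")
        with open(path, "wb") as f:
            f.write(b"infusion rate limit: 5 ml/h\n")
        manifest = build_manifest([path])
        clean = verify_manifest(manifest)          # [] -> nothing changed
        with open(path, "ab") as f:                # simulate silent damage
            f.write(b"corrupted\n")
        damaged = verify_manifest(manifest)        # [path] -> flagged
    key = b"constructed-demo-key"                  # assumption: shared key
    msg = b"order 42: ship 10 units"
    tag = tag_message(key, msg)
    ok = verify_message(key, msg, tag)             # True
    forged = verify_message(key, b"order 42: ship 100 units", tag)  # False
    return {"clean": clean, "damaged": len(damaged), "ok": ok, "forged": forged}
```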

Availability
Data and applications should be reliably available: authorized users need dependable access to the data and applications they need to do their jobs. This is accomplished by maintaining the hardware and keeping the operating system up to date. Providing consistent reliability also involves ensuring that communication bandwidth suits the number of users. In general, the system should prevent bottlenecks by making sure everything is scaled according to the number of users. Systems should build in hardware redundancy in case any components fail. Erecting firewalls and proxy servers can help guard against DNS (Domain Name System) attacks. Finally, having a comprehensive data recovery plan, including isolated backup copies in case of data loss, is an important component of a reliable system.