The Confidentiality, Integrity and Availability (CIA) Triad is a crucial information security model that guides and assesses how an organization manages data during storage, transmission, and processing. Each component of the triad plays a vital role in maintaining information security:
- Confidentiality means that data should not be accessed without authorization. It is often equated with privacy.
- Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire lifecycle.
- Availability means information should be consistently and readily accessible to authorized parties when they need it.
Although all components are equally essential, we were curious to ask cybersecurity professionals which attribute they consider the most important. To learn more, we asked industry experts the following question:
“If you were to ask a team in a typical office about which aspect of the infamous CIA Triad was most important to them, you would likely get different answers from different people. While confidentiality, integrity, and availability are all important and serve to function together, if you had to choose one factor as the most critical, what would you pick and why?”
The answers below reveal that each expert has their own preference (which is not a surprise); however, they also express concerns about whether the triad is still applicable in the current and evolving technology and cybersecurity landscape. Let’s see what they say.
“Selecting the most important principle in the CIA Triad is like trying to select your favorite child,” says Antonio Sanchez, Principal Evangelist at Fortra. “You love your children equally, but they each have one uniqueness that separates them from the others. Same with the CIA triad. They are all important but for different reasons. However, if I were forced to select one, it would be Confidentiality. When I think of Confidentiality, I think of data which is the oil and lifeblood of an organization.”
Sanchez’s comment reflects the increased awareness and the rising concerns around privacy and sensitive data protection, showcased by the ever-growing number of privacy regulations and fueled by the expanding impact of data breaches.
Tyler Reguly, Senior Manager R&D at Fortra, agrees with that sentiment. “When I use a service, my immediate thoughts aren’t about availability and, in most cases, they aren’t about integrity. I find myself most concerned about whether my data will be kept confidential,” Reguly notes. Although he notes that availability is an important concern when streaming movies or playing online games, he admits that when he makes a purchase online, “I look to see if I trust the e-commerce vendor. At the end of the day, I need to know that the business I’m working with can keep my confidential data confidential. If they can’t, I’m looking to do business elsewhere.”
For Ian Thornton-Trump, Chief Information Security Officer at Cyjax, “an ‘Integrity’ focus of the organizational security mission may provide the most value in terms of security controls, especially the detection of anomalous activities.” He argues that the “detection of a potential integrity breach tends to be more proactive than a confidentiality breach or disruption (the antithesis of availability), as in those breaches, the damage has already occurred.” For an organization to detect potential integrity issues within their ecosystem, they need to answer the “5W+H model” questions, which, according to Ian, are:
- “Who’s accessing the system? Is the access authorized?”
- “What data is being accessed? Is the access authorized for the person above?”
- “Where is the access occurring? Is the access location appropriate for the person above?”
- “When is the access occurring? Is the access time appropriate for the person above?”
- “Why is the access occurring? Is the access appropriate for the person’s usual activities?”
- “How is the access occurring? Is the device accessing the data a managed asset?”
“If this information is collected, collated, and triaged appropriately,” argues Ian Thornton-Trump, “focusing on Integrity controls for the organizational crown jewels will provide the business value everyone is looking for when applying the CIA model.”
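To make the 5W+H triage concrete, here is an added Python example (not from the article or from any of the quoted contributors) that checks constructed access events against an assumed baseline policy; the user names, data sets, locations and device names are all hypothetical.

```python
# Added example: a minimal 5W+H access triage. Each access event is checked
# against an assumed baseline, and the questions it fails are returned.
from datetime import datetime

# Assumed baseline policy (hypothetical values, not from the article).
AUTHORIZED = {"alice": {"payroll", "hr-records"}, "bob": {"sales-crm"}}   # what
USUAL_ACTIVITY = {"alice": {"payroll"}, "bob": {"sales-crm"}}             # why
EXPECTED_LOCATIONS = {"alice": {"hq-lan"}, "bob": {"hq-lan", "vpn"}}      # where
WORK_HOURS = range(7, 20)                                                 # when
MANAGED_DEVICES = {"LAPTOP-A1", "LAPTOP-B2"}                              # how


def triage(event):
    """Return the list of 5W+H questions this event fails (empty = normal)."""
    who, what = event["user"], event["data"]
    findings = []
    if who not in AUTHORIZED:                       # Who? Is access authorized?
        findings.append("who: unknown user")
    elif what not in AUTHORIZED[who]:              # What? Authorized for this person?
        findings.append("what: data not authorized for user")
    if event["location"] not in EXPECTED_LOCATIONS.get(who, set()):   # Where?
        findings.append("where: unexpected access location")
    if datetime.fromisoformat(event["time"]).hour not in WORK_HOURS:  # When?
        findings.append("when: outside usual hours")
    if what not in USUAL_ACTIVITY.get(who, set()):  # Why? Matches usual activity?
        findings.append("why: data outside user's usual activity")
    if event["device"] not in MANAGED_DEVICES:      # How? Managed asset?
        findings.append("how: unmanaged device")
    return findings


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"user": "alice", "data": "payroll", "location": "hq-lan",
     "time": "2024-03-04T10:15:00", "device": "LAPTOP-A1"},
    {"user": "bob", "data": "payroll", "location": "cafe-wifi",
     "time": "2024-03-04T02:40:00", "device": "PHONE-X9"},
    {"user": "alice", "data": "hr-records", "location": "hq-lan",
     "time": "2024-03-04T11:00:00", "device": "LAPTOP-A1"},
]


def flagged(events):
    """Collate events that fail at least one question, ready for triage."""
    return [(e["user"], e["data"], triage(e)) for e in events if triage(e)]


if __name__ == "__main__":
    for user, data, reasons in flagged(SAMPLE_EVENTS):
        print(f"{user} -> {data}: {', '.join(reasons)}")
```

The third event shows the value of the “why” question: the access is authorized, but it departs from the user’s usual activity and so still merits a look.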
Nick Hogg, Director of Technical Training at Fortra, says that the most important attribute is availability. He goes on to elaborate that Data Loss Prevention (DLP) and compliance projects fail “due to overly restrictive policies preventing users from accessing the data that they need to do their job and stopping them from being able to share it with the appropriate recipients in a timely manner.”
According to Hogg, data availability is affected when “organizations aren’t able to successfully differentiate between the data that is genuinely sensitive to the business versus the information that should be freely shared” and when “blanket policies apply to the whole organization, interrupting legitimate business processes, causing frustration for the users and dramatically increasing the workload of the security and compliance teams.”
Security Advisor Jon Stanford elaborates further: “While all three are theoretically equally important, the practical reality is that availability is usually front and center.” He details that availability has been woven into the IT and cyber DNA since the days when “all computing was done in dedicated back rooms, operated by technicians, who produced reports for management.” Moving forward into today’s computing environments, Stanford argues that “The default embedded culture of IT is largely centered around availability, especially the systems and networks which support critical business functions. Nobody wants the call in the middle of the night because the system is down.”
Is the CIA Triad still applicable?
An interesting angle that emerged from the professionals’ answers is the applicability of the CIA Triad in the modern and evolving technology and security landscape.
“The triad has outlived its practical usefulness,” argues Jon Stanford. He explains that “The world has changed dramatically since the triad originated from the on-premises environments of the 1970s and 1980s. Mapping CIA objectives to supply chain, cloud, blockchain, remote access, mobile computing, AI, and other current technologies can be challenging. Today's systems don't fit these old definitions easily. On top of all this, the CIA triad doesn't adapt well to Operational Technology (OT) and Industrial Control System (ICS) environments. These environments focus on cyber-physical attributes like Safety, Protection, Control, and View, not CIA.”
Ian Thornton-Trump echoes the same concerns. “A lot of argument continues in the infosec community on whether the CIA triangle - used as a description of the “mission” of security within an organization - is even relevant anymore.” While resilience has “become a popular way of describing the mission of a security team,” Ian believes that the term is so “ambiguous” that it requires “a lot of clarification from a risk perspective.” Otherwise, “resilience against everything would require an infinite budget!”
What should be the way ahead? “Instead of debating which order of letters in the CIA triad is best,” says Stanford, “I would argue it's time to retire it and move forward. A future security taxonomy must reflect today's modern tech stack and borderless access and be inclusive of both IT and non-IT use cases. Anything less would be a huge failure.”
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.