The CIA Triad is a security model that highlights core data security objectives and serves as a guide for organizations to keep their sensitive data protected from unauthorized access and data exfiltration.
Components of the CIA Triad
Despite the name, the CIA Triad is not connected with the Central Intelligence Agency – but is an acronym for:
Get the Free Pentesting Active
Directory Environments E-Book
- Confidentiality ensures that information is accessible only by authorized individuals;
- Integrity ensures that information is reliable; and
- Availability ensures that data is available and accessible to satisfy business needs.
How to use the CIA Triad
As a security model, the CIA Triad is best thought of as a way of thinking and reasoning about how best to protect the data on your network.
- When a new application or service is being evaluated, ask yourself: “How will this affect the confidentiality, integrity, and availability of the data that it touches?”
- Instead of conducting blanket security reviews, instead, focus on just one leg of the triad at a time. Re-evaluate procedures to see where improvements can be made.
- Educate end users on the CIA triad as a framework for considering their own actions: “Will sending this spreadsheet of user data to an outside agency impact CIA?”
When should you use the CIA Triad
Like all security models, the CIA Triad has a particular point of view. In this case it’s that data is the center point around which you should structure your security efforts.
Some other models focus on permissions management, data classification, identity, and access management, and user behavioral analytics (UBA). By applying multiple different approaches to your security architecture you’re better able to deter and challenge cybercriminals and malicious insiders from stealing your intellectual property, healthcare data, financial data, and personally identifiable information.
So, to answer the question: you should always use the CIA Triad, but you should never use it in isolation. It should be paired with other overlapping security models so that defense in depth can be achieved.
CIA Triad Example: DatAdvantage
To better understand how to apply the CIA Triad principles to your own organization, we’ve evaluated our own product DatAdvantage on the three components.
To ensure that sensitive data is only accessible by authorized individuals, the first step is to eliminate global access to sensitive data. To do this, Varonis DatAdvantage leverages the following metadata streams to make permissions recommendations to your company’s IT admin: users and groups, permissions, access activity, and content classification.
With those same metadata streams, Varonis DatAdvantage and your IT admin – in a collaborative effort – can take the next steps to identify who has access to a data set, fix broken ACLs, eliminate unused security groups, identify data owners and even enlist Varonis DataPrivilege to allow your company’s data owners to review data access.
Businesses run smoothly when data is readily available and accessible. However, when a security incident occurs – preventing access or yielding too much access – a strong audit capability can assist and determine the root cause.
To track down the source, Varonis DatAdvantage takes the access activity metadata stream and automatically generates an audit trail of every event, timestamped – create, delete, read, modified. What’s more, an audit trail combined with the users and groups metadata stream will help investigators answer a question often unanswerable: who accessed the data?
Incomplete data, missing, or outdated data can negatively impact the quality of data. Varonis DatAdvantage and Data Classification Engine leverage the access activity and content classification metadata stream to identify stale data and content type, while the Data Transport Engine can automatically move, archive, detect and quarantine regulated data based on retention limits.
Even though information security is often associated with the CIA triad, Varonis goes beyond these three attributes. What’s more, information security at Varonis isn’t a checklist or just about compliance. It’s a journey.
Michael has worked as a syadmin and software developer for Silicon Valley startups to the US Navy and everything in between.