Managing Enterprise Information Security with CIA (Confidentiality, Integrity, and Availability): What Comes First?

Confidentiality, integrity, and availability (CIA) is a model designed to guide policies for information security within an organization. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of ready access to the information by authorized people. The model is sometimes known as the CIA triad.

So what does the CIA triad mean for enterprise IT departments? Each aspect of the triad is explained in more detail below.

  • Confidentiality prevents sensitive information from being disclosed to unauthorized people. Many kinds of information can be classified as confidential; the best-known examples are bank account and credit card details, but health records and other personal information qualify as well. Data encryption is a common method of ensuring confidentiality. A prominent example is SSL/TLS, a security protocol for communications over the internet that is used underneath a large number of application protocols to protect them. Access control is the other main method: user IDs and passwords are the standard procedure, two-factor authentication is becoming the norm, and biometric verification is an option as well.
  • Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, by an attacker who has already breached confidentiality and gained access to it). If you were sending an online money transfer for $100, but the message was tampered with so that you actually sent $10,000, it could prove very costly for you. As with confidentiality, cryptography plays a major role in ensuring data integrity: cryptographic hashes, message authentication codes and digital signatures let the receiver detect any modification of the data.
  • Availability of information refers to ensuring that authorized parties are able to access the information when needed. Availability is best ensured by rigorously maintaining all hardware, providing a measure of redundancy and failover, providing adequate communications bandwidth and preventing bottlenecks, and guarding against malicious actions such as denial-of-service (DoS) attacks.
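As an added example (not code from the original post or from Spirent), the following shows how a message authentication code catches the tampered transfer described above. It uses HMAC-SHA256 from Python's standard library; the shared key, account numbers and the transfer message itself are constructed values for illustration only.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret between the bank's client and server, constructed
# for this example. A real deployment provisions it per user or per session.
SHARED_KEY = b"example-shared-secret-do-not-use-in-production"


def canonical_bytes(transfer: dict) -> bytes:
    """Encode the transfer deterministically so sender and receiver hash the
    same bytes regardless of dict key order or whitespace."""
    return json.dumps(transfer, sort_keys=True, separators=(",", ":")).encode()


def sign_transfer(transfer: dict, key: bytes = SHARED_KEY) -> str:
    """Return the hex HMAC-SHA256 tag the sender attaches to the transfer."""
    return hmac.new(key, canonical_bytes(transfer), hashlib.sha256).hexdigest()


def verify_transfer(transfer: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag on the receiving side and compare it in constant time,
    so an attacker cannot learn the correct tag byte by byte from timing."""
    expected = sign_transfer(transfer, key)
    return hmac.compare_digest(expected, tag)


def tamper_demo() -> tuple:
    """Sign a $100 transfer, then alter the amount to $10,000 in transit.
    Returns (original_verifies, tampered_verifies)."""
    # Constructed sample message. The sequence number lets the receiver reject
    # a replayed copy of an otherwise valid message.
    original = {
        "seq": 1,
        "from": "ACC-1001",
        "to": "ACC-2002",
        "amount": 100,
        "currency": "USD",
    }
    tag = sign_transfer(original)

    # Attacker on the path changes the amount but cannot recompute the tag
    # without the shared key.
    tampered = dict(original, amount=10000)

    return verify_transfer(original, tag), verify_transfer(tampered, tag)


if __name__ == "__main__":
    ok, tampered_ok = tamper_demo()
    print("original transfer accepted:", ok)
    print("tampered transfer accepted:", tampered_ok)
```

The MAC provides integrity only: the transfer details are still readable by anyone on the path, so in practice the message would also be encrypted, either by carrying it over TLS or by using an authenticated-encryption mode such as AES-GCM, which gives confidentiality and integrity in one step.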

Security in context

It is critical to remember that "appropriate" or "adequate" levels of confidentiality, integrity and availability depend on the context, just as the appropriate balance between prevention and detection does. For example, in critical infrastructure or SCADA environments, availability has the highest priority, followed by integrity and then confidentiality, whereas in typical IT environments the order is reversed: confidentiality first, then integrity, then availability.

This difference in priority should always be kept in mind while validating the security level of any system. It is the context that matters, and the test method must adapt to that context. In any case, all three aspects are important. A solution such as Spirent Avalanche allows you to validate all three aspects at the level that is adequate and appropriate for each environment.
