Nick Lennon is the ANZ Country Manager at Mimecast, having joined in 2007 as a Channel Sales manager. As a leader in management excellence, Nick has personally grown the local team from five members to over 100 since Mimecast’s introduction to the ANZ market. Nick maintains a passionate focus on achieving rapid local business growth, understanding evolving challenges across all verticals and ensuring customers get the best service driven by Mimecast’s strong culture.
The CIA triad is a crucial concept. That’s partly because it introduces basic cyber principles that can help you manage risk better.
But it’s also because decisions that respect all three principles are much more likely to serve your organisations – and your data – in navigating an increasingly complex threat environment.
Crafting an effective cyber policy is challenging because each principle is almost in conflict with the other. You want to make sure data is properly secured, but you also want to make sure the right people can access it without too much trouble. At the same time, you need to make sure the data they do access is accurate, up-to-date and error-free.
Let’s take a deeper look at the triad and see how they fit together to build a resilient cyber policy.
What is the CIA triad?
The CIA triad features three broad pillars:
Confidentiality. Also known as privacy, it’s the principle that only authorised users or processes should be able to view, access or modify data.
Integrity. This means having measures in place to maintain data in its correct state, ensuring consistency and accuracy throughout its life cycle.
Accessibility. This is a function of availability, ensuring that authorised users can consistently access information when they need it.
The CIA triad, in one form or another, has been a widespread model in cyber since the late ‘90s. But why is it so relevant, and what does it look like in practice?
How the CIA triad can inform your cybersecurity policy
Looking at privacy, integrity and accessibility as interlinked parts of a single model encourages us to see the relationships between them. This relationship can be supportive: for example, if you protect data privacy, you also help ensure its integrity, since attackers who are denied access cannot maliciously alter data. Yet the principles may also work against each other: thorough authentication may help ensure data privacy, but it can also make it harder for users to gain access to data, reducing accessibility.
The CIA triad helps policymaking because it offers a clear framework to build on. Rather than blindly flinging resources at a surface-level security problem, organisations can ask simple, targeted questions about these three fundamental needs. The interplay between the three can also help your organisation assess whether it’s worth making sacrifices in one pillar in order to beef up another. Different sectors will have different priorities, and will put different weightings on one or more of the pillars.
It’s worth taking the time to understand each pillar and its implications.
The first pillar: safeguarding privacy
The privacy principle says that data should only be visible to people who are meant to see it. It refers to a cybersecurity team’s ability to guard company information, intellectual property and data pertaining to customers or partners. Data will often be categorised based on the damage it could cause in the wrong hands, with access restricted accordingly.
Data breaches have an immediate impact on the people or companies whose data has been exposed, and the organisation that has been attacked will suffer serious reputational damage, not to mention having to divert resources to deal with the leak. In 2021 alone, the Reserve Bank of New Zealand (RBNZ) as well as healthcare providers and government departments across Australia have been hit.
Policy measures to keep data confidential can include:
Augmenting password use with two-factor authentication and biometrics
The automated monitoring of endpoints such as laptops, phones and IoT devices
Awareness training to teach users safe cyber behaviour
Encrypting data and using secure applications to transfer it
Network segmentation, or use of off-network storage devices
The second pillar: maintaining integrity
Data is only as valuable as its accuracy and authenticity, which is why cyberattacks are one of the key threats to data integrity. Once criminals have access to your data, they may change or delete it. Breaches are rarely sudden: rather, once cyberattackers have access they will gradually broaden their reach, compromising accessible systems and using their early footholds to misuse login credentials. Eventually, they may be able to amend transaction records to siphon cash, change crucial documents in acts of sabotage, or use your data to commit fraud.
Sometimes bad things happen without malice: a server can crash, a power surge or electromagnetic pulse (EMP) can corrupt data, and anything from floods and fires to excess moisture can compromise the integrity of your data.
Measures to protect data integrity include:
Ensuring all relevant privacy and security measures are in place
Ensuring all systems and processes are on top of compliance and regulatory requirements
Using threat detection and monitoring to identify and tackle malicious activity before it is able to damage your data
Using checksums to verify data is correct
Making frequent, thorough backups
Protecting physical storage by ensuring building and server security
Making crucial data read-only to selected users
Using digital signatures to ensure that the perpetrator can be identified if an incident does occur
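Two of the measures above, checksums and digital signatures, protect integrity in different ways, and the difference matters when the threat is an attacker rather than a power surge. The example below is added here and is not Mimecast code: it uses a constructed transaction record, a plain SHA-256 checksum, and an HMAC keyed tag standing in for the asymmetric digital signature the list mentions (the key held by a signing service is an assumption).

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a transaction record and a tampered copy of it.
RECORD = b"payee=ACME Ltd;amount=1000.00;currency=AUD"
TAMPERED = b"payee=ACME Ltd;amount=9000.00;currency=AUD"


def checksum(data: bytes) -> str:
    """Unkeyed checksum: anyone can compute it, so it only detects accidental change."""
    return hashlib.sha256(data).hexdigest()


def checksum_ok(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def keyed_tag(key: bytes, data: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256). Stands in for a digital signature here:
    only a holder of the key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_ok(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), expected)


def corruption_detected() -> bool:
    """A single flipped bit (the power-surge case): the stored checksum no longer matches."""
    stored = checksum(RECORD)
    corrupted = bytearray(RECORD)
    corrupted[0] ^= 0x01
    return not checksum_ok(bytes(corrupted), stored)


def tampering_slips_past_checksum() -> bool:
    """An intruder who can rewrite the record can rewrite its checksum too, so it verifies."""
    attacker_stored = checksum(TAMPERED)
    return checksum_ok(TAMPERED, attacker_stored)


def tampering_caught_by_keyed_tag() -> bool:
    """With a keyed tag the intruder cannot recompute a valid tag for the altered record."""
    key = secrets.token_bytes(32)  # assumed to be held by the signing service only
    stored = keyed_tag(key, RECORD)
    return not tag_ok(key, TAMPERED, stored)
```

The same logic applies to asymmetric digital signatures, where the verifying public key also tells you which key holder produced the record.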
The third pillar: ensuring accessibility
If your data isn’t available to appropriate users when they need it, your organisation is in trouble. To ensure always-on access, your hardware and network infrastructure needs to be fully operational. Systems must be kept running, be able to handle expected loads, be able to grant appropriate and authorised access to third parties, and have strategies to deal with bottlenecks. The same physical problems that can affect data integrity will also impact on accessibility: downtime, whether due to software errors or damage from natural disasters, is your enemy.
Cyberattacks are a constant risk to data availability. Distributed Denial of Service (DDoS) attacks may seek to overwhelm your network and make information and processes inaccessible – high-profile attacks on New Zealand financial institutions left thousands unable to bank online this year. Ransomware is an even greater threat, and even paying up may not guarantee the return of stolen or encrypted data. A shocking 64% of Australian businesses suffered ransomware attacks in 2021, with 54% paying the ransom, and almost a quarter of those not getting their data back despite paying.
Measures to ensure accessibility include:
Maintaining all hardware, and promptly repairing sub-optimal equipment
Staying on top of system upgrades and patches
Using firewalls and proxy servers to repel DDoS attacks
Monitoring bandwidth usage
Using solutions that combine threat detection, behavioural analytics and algorithms to predict and block ransomware
Working closely with cloud partners to prioritise data availability
Protecting physical storage and backing up data
Making all the pieces fit together
The CIA triad has been an important tool in cybersecurity for over two decades. That doesn’t mean it’s without limitations. For one thing, aspects of the triad such as physical security and hardware maintenance are likely to fall in the territory of building services or IT rather than cyber, necessitating effective collaboration.
As we’ve seen, some measures (such as limiting access to data) may fall under more than one pillar (in this case privacy and integrity), but be in opposition to others (accessibility). The triangle’s principles are complicated further by recent developments, such as the rise of remote working (which increases the number of endpoints, and thus the attack surface) and the Internet of Things (IoT devices typically have very limited password protection).
Some observers have felt that the CIA triad is too simplistic, and alternatives have been proposed, such as the Parkerian Hexad, which adds possession, authenticity and utility to the equation.
But for the purposes of developing a well-rounded cybersecurity policy, the CIA triad gives us a good starting point to help us see which bases we need to cover. By setting simple principles of privacy, integrity and accessibility in a framework that’s simple enough for non-technical staff to understand, it can help organisations to adopt a robust cybersecurity posture. Using the model to inform decision-making at your organisation can lead to incremental gains, and build a foundation that will hold strong in the face of tomorrow’s threats.