If you’re familiar with the cybersecurity world, you’ve probably heard the term "CIA triad."
This concept breaks information security measures into three key components: confidentiality, integrity, and availability.
The CIA triad is particularly useful in guiding policies and developing frameworks for information security. It’s also the foundation for major governmental data regulations like the European Union’s GDPR.
- Confidentiality: the property of information not being available or disclosed to unauthorized users. Data can only be accessed by the intended individuals or entities.
- Integrity: the property of accuracy and completeness. Data cannot be modified by unauthorized users at any stage of its lifecycle or in transit.
- Availability: the property of accessibility and usability on demand. Data systems must function so that authorized users are able to access data whenever and wherever they need.
The concept of the CIA triad originated at a time when cybersecurity was shifting from a defense sector concern to a commercial industry concern. Banks, financial services, and other businesses wanted to ensure not only confidentiality but also integrity, since it was important that their electronic data remain unmodified by unauthorized users.
The CIA triad itself was introduced in the 1972 Anderson Report, which discussed computer security for the Air Force’s Electronic System Division. But the CIA abbreviation wasn’t coined until the late 1980s, around the time when the first internet DoS attack had demonstrated the need for availability.[1]
The CIA triad today
Some experts believe that the future of cybersecurity will require a broader paradigm — but the CIA triad is still highly relevant to information security today.[2] With the growing threat of ransomware and other cyberattacks, data confidentiality, integrity, and availability are still critical qualities to consider in data protection.
Indeed, as the Institute of Electrical and Electronics Engineers put it, "Confidentiality, integrity and availability (CIA) are the very foundation of data protection and privacy."[3]
Below, we’ll go into depth about the three components of the CIA triad and explain why they’re relevant to cybersecurity in 2022 — and why they might be vulnerable to failure.
Confidentiality, the first pillar of the CIA triad, governs who data can be disclosed to and under what conditions. It keeps information private from unauthorized viewing, sharing, use, and modification in order to prevent identity theft, legal problems, and other consequences.
Some common examples of highly confidential data include:
- Social Security numbers
- Driver’s license and other ID numbers
- Credit card numbers
- Medical records
- Financial records
Luckily, laws and regulations exist to help protect confidential information. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to prevent the disclosure of medical data.
Similarly, the Gramm-Leach-Bliley Act (GLBA) was passed in 1999 to remove certain legal barriers for financial companies — but it incidentally contains provisions that financial institutions must safeguard customer data and provide consumers with data privacy notices.
Unfortunately, these regulations aren’t always enough to protect confidential data against compromise. Both malicious and accidental exposures of highly sensitive data have repeatedly made the news.
For instance, attackers in 2013 exposed the account information from a shocking 3 billion Yahoo user accounts. A year earlier, 165 million LinkedIn user email addresses and passwords were sold by an attacker for only five bitcoins.[4] And in 2017, information on more than 120 million US households was exposed after an Amazon Web Services (AWS) S3 storage bucket was misconfigured.
Sadly, even organizations that have experienced a major confidential data breach aren’t always able to protect their data more effectively moving forward. For instance, LinkedIn saw data associated with 700 million user accounts posted for sale on the dark web in 2021.
How can data confidentiality be strengthened?
Physical measures like air gaps, locked doors, and secure company laptops are an important start. It’s also important to use a secure internet connection and devices with appropriate firewalls, anti-malware systems, and other security measures.
But data confidentiality doesn’t stop there. Data encryption — which uses a key to convert data into secret code — and encrypted communication channels are often used to protect highly sensitive data.
Even encryption, though, can sometimes fall short. With enough time and computational power, determined attackers can decrypt full data sets. Encryption also involves significant key management issues and can be unwieldy for some organizations’ needs.
An alternate way to strengthen data confidentiality is microsharding. Often used in place of or in tandem with encryption, microsharding breaks data files into four-byte microshards without compromising performance.
ShardSecure’s patent-pending Microshard™ technology uses microsharding to eliminate the possibility of sensitive data and contextual metadata existing together in the same storage container. The resulting four-byte microshards cannot be reassembled by unauthorized users, ensuring data confidentiality.
Microshard data is also not subject to a single point of failure like encryption, since it does not involve any concept of a key and therefore cannot be compromised by key corruption or loss. It can be used in addition to encryption.
Data integrity ensures that data remains accurate, consistent, and complete through every stage of its lifecycle. Whether it is being stored, retrieved, or modified by authorized users, data should remain consistent, correct, and whole.
The second component of the CIA triad, data integrity, is particularly important as the volume of data gathered and stored by businesses continues to grow. It’s also a key component of compliance with data protection and privacy regulations like GDPR, HIPAA, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and more.[5]
Some key threats to data integrity include:
- Human error and misconfigurations
- Semantic attacks
- Formatting and syntax errors
- Natural disasters and power outages
Data integrity processes prevent the loss and corruption of sensitive information. They also play an important role in business continuity — particularly in the cases of ransomware and disaster recovery.
Data integrity encompasses physical integrity measures, which seek to protect data from problems like power outages and hardware failures.[6] It also includes logical integrity measures, which ensure that data remains accessible, unchanged, and error-free.
How can data integrity be ensured?
Organizations can maintain data integrity by implementing constraints and processes to ensure that data — whether it be data-in-use, data-in-transit, or data-at-rest — remains valid and unchanged by any unauthorized user. These constraints govern actions like data entry, deletion, transfer, and updates.
Here are a few key ways to strengthen this second component of the CIA triad:
- Data must be backed up regularly.
- Data access controls must be implemented following the principle of least privilege.
- Data inputs and data transmission must be verified to detect errors.
- Data audit trails must be kept.
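As an added illustration of the last two items (verifying stored data to detect unauthorized changes, and keeping a tamper-evident audit trail), here is a small example in Python. It is not code from ShardSecure or from the original article. The records and the integrity key are constructed for the demonstration; in a real deployment the key would come from a key manager, and the manifest would be stored separately from the data it protects.

```python
import hashlib
import hmac
import json

# Constructed sample records standing in for data at rest (not real customer data).
RECORDS = {
    "cust-1001": {"name": "A. Example", "balance": 1250.00},
    "cust-1002": {"name": "B. Example", "balance": 80.25},
}

# Hypothetical integrity key for the example only; it must not be stored next to the data.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always produce equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record: dict) -> str:
    """Keyed tag (HMAC-SHA256) over a record. A plain hash would let anyone who can
    rewrite the record also rewrite its checksum; the key stops that."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(records: dict) -> dict:
    """Record id -> tag, computed when the data is known to be good."""
    return {rid: tag(rec) for rid, rec in records.items()}


def verify(records: dict, manifest: dict) -> list:
    """Return the ids whose content no longer matches the manifest,
    plus any ids that were removed or added behind the manifest's back."""
    bad = []
    for rid in set(records) | set(manifest):
        if rid not in records or rid not in manifest:
            bad.append(rid)
        elif not hmac.compare_digest(tag(records[rid]), manifest[rid]):
            bad.append(rid)
    return sorted(bad)


class AuditTrail:
    """Append-only log in which every entry commits to the hash of the previous one,
    so editing or deleting an earlier entry invalidates every entry after it."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, target: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"actor": actor, "action": action, "target": target, "prev": prev}
        body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(body)

    def is_consistent(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Show both checks catching a change made outside the sanctioned write path."""
    manifest = build_manifest(RECORDS)
    trail = AuditTrail()
    trail.append("alice", "read", "cust-1001")
    # A balance is altered directly in storage: no manifest update, no audit entry.
    tampered = json.loads(json.dumps(RECORDS))
    tampered["cust-1002"]["balance"] = 80025.00
    changed = verify(tampered, manifest)
    # Later, someone rewrites an earlier audit entry to hide their activity.
    trail.append("bob", "update", "cust-1002")
    trail.entries[0]["actor"] = "mallory"
    return changed, trail.is_consistent()


if __name__ == "__main__":
    print(demo())  # (['cust-1002'], False)
```

The manifest check answers "has anything changed since we last trusted this data?", while the chained audit trail answers "has the record of who did what itself been altered?". Both are cheap to run on a schedule and give an early signal before a corrupted data set is silently backed up over a good one.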
ShardSecure helps secure data backups. Microshard technology integrates with your existing backup solution to microshard and secure your backup data in the cloud storage locations of your choosing, including in multi-cloud and hybrid cloud environments. This helps provide an extra layer of security for your most sensitive data backups.
Microshard technology also performs multiple data integrity checks to help ensure that critical data at rest stays secure and available. In the event of unauthorized data modification, ShardSecure immediately alerts your organization and restores data to its last unaltered state.
The third principle of the CIA triad, data availability, refers to the reliability, accessibility, and timeliness of data. If you’re an authorized user, data availability ensures that you’ll be able to access what you need, at a normal level of performance, whenever you want it.
Unless they put policies in place to ensure data availability, organizations may well experience interruptions to business continuity whenever there is a hardware outage, server failure, or other downtime issue.
Some major data availability risks and challenges include:
- Storage failures. If a physical storage device fails, data will no longer be accessible. This may be of concern to organizations that use cold storage.
- Host server and network crashes. When a server or network fails, any data accessed through it will become temporarily unavailable.
- Slow data transfers. The speed of data transfer can depend on where the data is stored and where it is used.
- Data compatibility. Data may not be accessible if the environments where it’s being stored and accessed are not compatible with each other.
- Ransomware. Attacks by malicious actors can drastically interfere with data availability for organizations.
- Losing access to cloud storage. In addition to being vulnerable to ransomware, data stored in the cloud can become inaccessible in myriad ways. Lost passwords, accidental deletions, user errors, account suspensions, and even storage provider bankruptcies can all render data unavailable.
How can data availability be improved?
First, data backups should be made so information can be restored quickly in the event of an outage or loss. These backups should also be tested from time to time to make sure the data remains available and that the backup and restore process works.
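To make the "test your backups" advice concrete, here is an added Python example of a restore drill; it is not code from the original article or from ShardSecure, and it uses constructed sample files in a temporary directory. The drill backs the files up with a checksum manifest, deletes the live copy to simulate an outage, restores from the backup, and compares every file's hash against the pre-outage state. The optional `corrupt_backup` flag is an assumption added to show what the drill reports when a backup has silently gone bad.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample data set standing in for production files.
SAMPLE_FILES = {
    "db/accounts.csv": b"id,balance\n1,100\n2,250\n",
    "notes/readme.txt": b"constructed sample for the restore drill\n",
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def backup(src: str, dest: str) -> dict:
    """Copy the tree and return the manifest taken at backup time."""
    shutil.copytree(src, dest)
    return snapshot(dest)


def restore(backup_dir: str, target: str) -> None:
    if os.path.exists(target):
        shutil.rmtree(target)
    shutil.copytree(backup_dir, target)


def restore_drill(files: dict, corrupt_backup: bool = False):
    """Run one full backup/outage/restore cycle on constructed data.
    Returns (restore_is_faithful, mismatched_relative_paths)."""
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "live")
        bak = os.path.join(work, "backup")
        os.makedirs(live)
        for rel, content in files.items():
            path = os.path.join(live, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)

        before = snapshot(live)
        manifest = backup(live, bak)

        if corrupt_backup:
            # Hypothetical bit rot: one file in the backup is damaged after the manifest was taken.
            victim = os.path.join(bak, *sorted(files)[0].split("/"))
            with open(victim, "ab") as f:
                f.write(b"\x00")

        shutil.rmtree(live)          # the outage: the live copy is gone
        restore(bak, live)
        after = snapshot(live)

        mismatched = sorted(
            rel for rel in set(before) | set(after) if before.get(rel) != after.get(rel)
        )
        return (after == before and manifest == before), mismatched


if __name__ == "__main__":
    print(restore_drill(SAMPLE_FILES))                        # (True, [])
    print(restore_drill(SAMPLE_FILES, corrupt_backup=True))   # (False, ['db/accounts.csv'])
```

The point of comparing hashes rather than just checking that the restore "succeeded" is that a backup job can complete without error and still hand back damaged or stale data; the manifest taken at backup time is what lets the drill tell those cases apart.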
Second, data loss prevention tools may be helpful. These tools, which often come in the form of SaaS platforms that monitor and control access to data, can help mitigate risks to this pillar of the CIA triad.
Third, data should be inventoried.[7] This ensures that your organization knows the different types and amounts of data you have, and it helps inform better data management practices.
Lastly, data should be securely disposed of once it’s no longer needed. Sensitive data sets in particular should be destroyed or securely erased to ensure that their contents cannot be accessed.
The National Institute of Standards and Technology (NIST) offers three main actions for sanitizing data in its Special Publication 800-88:[8]
- Clear. This process applies logical techniques to sanitize data for protection against simple non-invasive data recovery techniques.
- Purge. This process applies physical or logical techniques to render target data recovery infeasible.
- Destroy. This process also renders target data recovery infeasible, and it also renders the media unusable for data storage in the future.
How can Microshard technology help?
Microshard technology inherently upholds the CIA triad.
Our self-healing data and our RAID-5-like ability to reconstruct affected data mean that we can rebuild Microshard data whenever it is tampered with, deleted, or compromised — thereby supporting data integrity and availability.
We also strengthen confidentiality through our innovative Microshard technology, which desensitizes sensitive data for use in multi-cloud and hybrid-cloud environments with a three-step microsharding process.
- Shred: Microshard technology begins by shredding data into four-byte microshards that are too small to contain a complete birthdate, Social Security number, or any other piece of sensitive data.
- Mix: Next, poison data is added and the microshards are mixed into multiple logical Microshard containers. Identifying information like file extensions, file names, and other metadata is also removed.
- Distribute: After being mixed, the Microshard containers are distributed across multiple customer-owned storage repositories. These storage repositories can comprise multi-cloud or hybrid-cloud configurations.
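As an added toy illustration of the three steps just described (shred, mix, distribute), here is a short Python example. It is not ShardSecure's implementation, whose internals the page does not describe; the seeded shuffle, the random poison shards, the round-robin distribution, and the reassembly map are all assumptions made for the demonstration. The sample input is a constructed string, not real personal data.

```python
import random

SHARD_SIZE = 4  # the four-byte size the article describes


def shred(data: bytes) -> list:
    """Step 1: cut the data into fixed-size pieces (the last one may be shorter)."""
    return [data[i:i + SHARD_SIZE] for i in range(0, len(data), SHARD_SIZE)]


def mix(shards: list, poison_count: int, rng: random.Random) -> list:
    """Step 2: tag each real shard with its original position, add constructed
    poison shards (position None), and shuffle the whole set."""
    tagged = [(idx, s) for idx, s in enumerate(shards)]
    for _ in range(poison_count):
        tagged.append((None, bytes(rng.getrandbits(8) for _ in range(SHARD_SIZE))))
    rng.shuffle(tagged)
    return tagged


def distribute(tagged: list, n_containers: int):
    """Step 3: deal the mixed shards round-robin into containers.
    The reassembly map (original index -> container, slot) is returned separately;
    it is what a reader needs to put the data back together, so it is the thing
    to keep apart from the containers themselves."""
    containers = [[] for _ in range(n_containers)]
    rmap = {}
    for k, (idx, shard) in enumerate(tagged):
        c = k % n_containers
        containers[c].append(shard)
        if idx is not None:
            rmap[idx] = (c, len(containers[c]) - 1)
    return containers, rmap


def reassemble(containers: list, rmap: dict) -> bytes:
    """Walk the map in original order; poison shards are never referenced, so they drop out."""
    return b"".join(containers[c][slot] for _, (c, slot) in sorted(rmap.items()))


def demo_split(data: bytes, n_containers: int = 3, poison: int = 6, seed: int = 7):
    """Run all three steps with a fixed seed so the result is reproducible."""
    rng = random.Random(seed)
    return distribute(mix(shred(data), poison, rng), n_containers)


if __name__ == "__main__":
    sample = b"SSN 123-45-6789 name=Example"   # constructed, not a real record
    containers, rmap = demo_split(sample)
    for i, c in enumerate(containers):
        print(f"container {i}: {c}")
    print(reassemble(containers, rmap) == sample)   # True
```

Printing the containers shows each one holding a jumble of four-byte fragments and poison with no file name or structure attached, while the map alone determines which fragments belong and in what order.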
Interested in learning more about how ShardSecure can help your organization uphold the CIA triad? Contact us today to schedule a demo and learn more about Microshard technology.
1. Timeline of the History of Information Security | Saylor
2. Toward a Better Understanding of “Cybersecurity” | Association for Computing Machinery
3. Security Maturity in NoSQL Databases — Are They Secure Enough To Haul the Modern IT Applications? | IEEE
4. The 15 Biggest Data Breaches of the 21st Century | CSO Online
5. Data Integrity Information Security | ISACA Journal
6. What is Data Integrity in Databases? | Techopedia
7. Managing Data Availability | University of Delaware
8. NIST Special Publication 800-88 | National Institute of Standards and Technology