No, we’re not talking about the Central Intelligence Agency.
We mean the Confidentiality, Integrity, Availability triad, and it’s all about information.
The CIA triad is a security model developed to help people think about important aspects of cyber security and strengthen security awareness.
- You gotta keep your PII from falling into the wrong hands!
- Set up appropriate levels of access to the information: separate types of information and organize them by who should have access.
- Some common ways of managing confidentiality on individual systems include traditional Unix file permissions, access control lists, and both file and volume encryption.
- Keep the integrity of your data by protecting it from tinkering or deletion by unauthorized people.
- Some data, like user account controls, should be locked to prevent it from being inappropriately changed, because such changes can quickly lead to major service interruptions and confidentiality breaches.
- Other data, like user files, should be open to change, but also reversible (in case you screw something up).
- Version control systems and more traditional backups are common ways to ensure data integrity.
- Traditional Unix file permissions, and even more limited file permission systems, can also be an important factor in single-system measures for protecting data integrity.
- Your data must be available. Systems, access channels, and authentication mechanisms must all be functioning properly for the information they provide and protect to be available when needed.
- High Availability (HA) systems are computing resources specifically designed to improve availability. They might target power outages, upgrades and hardware failures.
- Some methods to improve availability are HA clusters, failover redundancy systems, and rapid disaster recovery capabilities.
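
The Unix file permission points above, for both confidentiality and integrity, can be checked mechanically. The following is an added example, not part of the original page: a small audit that walks a directory and flags files whose mode bits weaken either property. The file names, modes and the two rules are constructed assumptions for illustration.

```python
import os
import stat
import tempfile


def audit_permissions(root):
    """Walk root and map each risky file's relative path to its CIA findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue  # only regular files are audited here
            issues = []
            # Assumed rule 1: any "other" read bit exposes the content to every local user.
            if st.st_mode & stat.S_IROTH:
                issues.append("confidentiality: world-readable")
            # Assumed rule 2: group or "other" write bits let non-owners alter the data.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                issues.append("integrity: writable by group or others")
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings


def build_sample_tree(root):
    """Constructed sample data: three files with deliberately different modes."""
    samples = {"customers.csv": 0o644, "accounts.db": 0o660, "notes.txt": 0o600}
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # chmod sets the exact mode, independent of the umask
    return samples


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, issues in sorted(audit_permissions(tmp).items()):
            print(path, "->", "; ".join(issues))
```

Only the owner-only file (`notes.txt`, mode 0600) passes both rules. Access control lists and encryption, also mentioned above, are outside what mode bits show and need their own checks.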
The CIA triad is often used to plan a good security policy, so it helps to know its principles. However, you should also understand its limitations: it is a helpful starting point when developing a security policy, but do not treat it as the end.