It is not news that websites get hacked all the time. The motive varies from attack to attack: it may be to steal your customers' personal information, to use your server to send spam emails, to move illegal data, to route traffic, and so on. The point is that there are numerous reasons, and we need to stay protected in order to keep the integrity of the website intact.
CIA (not the one you thought of) stands for Confidentiality, Integrity, and Availability. The CIA triad is the bedrock of data security, and these three elements are considered its most crucial components.
What happens if all of the personal messages on Facebook were leaked somewhere on the internet? What happens if all of the voter data gets released? What if payment information gets stolen from Amazon's servers? This creates the issue of confidentiality.
Almost every company that holds customer information in any form applies the CIA triad, and compliance is closely monitored by government bodies. The unfortunate part is that physical venues are very rarely affected by this requirement, as the framework is designed mostly for digital information.
One of the most notable cases where the CIA triad was called upon even for offline venues was the gambling industry in Canada around 2017-18. Questions were being raised as to whether offline venues were simply ignoring the guidelines while players of real-money online casinos were having their data plastered all over the databases of digital platforms. This was not the first but the most impactful observation in the offline Canadian business sector, and it effectively introduced the CIA triad to the business world.
But what exactly does the CIA triad stand for? What does each of its components address? Let’s find out.
Deconstructing the CIA triad
Confidentiality is roughly equivalent to privacy. It is a set of rules that limits access to information to authorized personnel only. These measures are designed to keep the wrong people from accessing confidential information while not preventing authorized personnel from viewing it. This is achieved via encryption of information, the use of routing numbers or account numbers when banking online, user IDs and passwords, and two-factor authentication involving personalized questions, phone numbers, tokens, electronic cards, biometric verification, etc. Extra security involves setting up storage devices that are isolated from every other system.
A man-in-the-middle (MITM) attack is one where the attacker relays and alters information between two parties who believe they are communicating directly with each other. Even when no one is attacking, part of the data may be lost for a multitude of reasons, such as hardware failures. This creates the issue of integrity.
Integrity means making sure that data does not change at any point once it is sent; the delivery of unaltered data is crucial. Integrity effectively involves maintaining accuracy, consistency, and trust. Good examples of safeguards are user access controls, file permissions, etc. In addition, there should be safeguards in place to detect whether the data has been tampered with. An electromagnetic pulse (EMP) or a server crash may also cause data to change. Verification usually relies on cryptographic checksums, integrity checks, and regular backups.
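As an added example (not part of the original article) of the integrity safeguards just described: a plain checksum catches data lost to a hardware failure, but only a keyed MAC catches a relay in the middle that alters the data and recomputes the checksum. It uses only Python's standard library; the message and the shared key are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample record (not from the article): a message in transit.
MESSAGE = b"transfer:account=12345;amount=100.00"
# Shared secret known only to the two communicating parties. Constructed
# here for the demo; in practice it would come from a key store.
SECRET_KEY = os.urandom(32)


def checksum(data: bytes) -> str:
    """Plain SHA-256 checksum: catches accidental corruption (bit flips,
    truncated transfers), but anyone can recompute it over altered data."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: catches accidental corruption and deliberate tampering,
    because recomputing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def verify_mac(data: bytes, key: bytes, expected: str) -> bool:
    # compare_digest avoids leaking which byte differed through timing.
    return hmac.compare_digest(mac(data, key), expected)


def demo() -> dict:
    """Report which mechanism detects each of two integrity failures."""
    sent_sum = checksum(MESSAGE)
    sent_mac = mac(MESSAGE, SECRET_KEY)
    # Failure 1: accidental loss in transit (a hardware fault truncates it).
    truncated = MESSAGE[:-6]
    # Failure 2: a relay in the middle alters the record; since a plain
    # checksum needs no secret, it can also be recomputed to match.
    altered = MESSAGE.replace(b"100.00", b"900.00")
    altered_sum = checksum(altered)
    return {
        "checksum_catches_truncation": not verify_checksum(truncated, sent_sum),
        "mac_catches_truncation": not verify_mac(truncated, SECRET_KEY, sent_mac),
        "checksum_catches_alteration": not verify_checksum(altered, altered_sum),
        "mac_catches_alteration": not verify_mac(altered, SECRET_KEY, sent_mac),
    }
```

The unkeyed checksum still has its place for detecting accidental loss, which is why the article lists backups alongside it; the MAC is what makes the check meaningful against a party that can rewrite the message.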
What if the security systems simply go offline? What if the security guard can no longer see the camera feeds? What if the metal detectors at the airport suddenly stop showing results? This creates the problem of availability.
Availability means that the information should be accessible at all times. This is ensured by maintaining hardware so that operation is never interrupted, making sure that there are no software conflicts and that system updates happen on time, and providing adequate bandwidth so that there are no bottlenecks anywhere in the system. The safeguards in place must cover not only targeted attacks but also natural events such as fire, flooding, earthquakes, etc.
Just imagine how much damage can be done if the central control systems become unavailable on the International Space Station (ISS). These types of situations can be very damaging everywhere from nuclear reactors to hydroelectric dams.
These things may seem quite simple, but given the sheer amount of data that some parties need to process, things get complicated quickly. First, the data in question is collected from multiple sources and may need to be transferred from all around the world, which means it has to be routed through many ISPs to reach your server. Second, it takes a lot of time and resources to process this data, which means a large number of players interact with it: systems sorting through the data, employees going about their business and processing it, or even malicious users trying to tinker with it. Because of the volume of data, the necessary oversight is more often than not lacking. A very good example is the whistleblower Edward Snowden, who brought to the public the fact that the NSA was collecting massive amounts of personal information about citizens of the United States of America.
The development process of an application or service is an essential part of that service's future. There are three key subjects to keep in mind during development: making sure that Confidentiality, Integrity, and Availability (the CIA triad) are covered will ensure the safety and success of the service to be provided.