Cybersecurity Fundamentals – Confidentiality, Integrity, Availability (CIA)

What does “Confidentiality” mean?

The first component of the CIA triad is Confidentiality. While it might seem easily defined with the dictionary definition, for cybersecurity there is more to it. With cybersecurity, we have to ensure we understand the full meaning of confidentiality and make sure we address it fully in the planning and implementation of our policies and procedures. 

When we think about confidentiality in our personal world, we might think about telling a friend something personal that we don’t want them to share with anyone else, or only with a limited number of other people. More than likely, we assume that at some point that information is going to end up out in the wild simply because people talk, right?

Well, in our cybersecurity realm, that is something that just can’t happen if we can possibly avoid it. When we give someone access to the data, we expect the people whom we have trusted to take more care and be responsible with how they work with and communicate it. 

So, confidentiality for us in the field is more about ensuring that only the right people, with the right permissions, have access to the data. It is imperative that we consider all of the avenues by which someone can access or pass on information, and work to limit them as much as possible.

What does “Integrity” mean?

The next item is Integrity. Again, in the context of our personal lives, integrity usually means the way others treat us or someone else, perhaps looking to see whether they are “good” people when they deal with another person’s money, or home, or services they provide them. 

Integrity for cybersecurity is about the information itself. We are more interested in making sure that the data we gather, store, or transmit is the same from one end to the other and that it is correct and true. 

Remember that game called “Telephone?” Or sometimes “Whisper?” The game is played with a group of people. One person whispers a phrase to the next person in line, who passes that phrase on to the next, and so on. When you get to the end of the line, you check to see what, if anything, has changed from the original message. It can be really fun, and is almost exactly what we mean by integrity in cybersecurity. The message we start with should be exactly the same at the end as the beginning.

What does “Availability” mean?

Closing out the triad is the topic of Availability. Availability, for us, means asking: can you, and the others who are authorized and need access to the data, actually get to it? Can it be used without (too much) hassle? Is it appropriate to what they need to do their jobs?

Let’s put it this way: if John in your Human Resources department can’t access the information needed to ensure that a potential new hire has the qualifications and isn’t a completely wrong fit for the job they have applied for, then he isn’t able to do his job. However, if he does have access to that information, and Julia in the manufacturing department (who has no need to access it) also has the ability to view it, then Availability has failed. John needed the access, but Julia didn’t.

All Together Now

Now we want to put all of this together in an easily understandable way. 

Let’s say you are the cybersecurity guru at your printing company. You provide printing services to individuals that walk in, as well as to local companies that need various jobs done in volume. You sell via your brick-and-mortar storefront, but also have an online presence that allows your customers to place orders via the Internet.

You have James working the front desk of the store, Ralph is your Internet sales representative, Linda does the printing and design, and Louis is the administrative person that deals with all the billing, hiring, etc.

A new corporate account has been created online and the customer is looking to print a job to be used only internally at their company, pay for it via the Internet, and needs help designing the documents to be printed. Let’s see how the CIA triad affects the whole process.

Confidentiality – Because this is an internal-only document set, you want to make sure that the job isn’t sent out to the wrong person. There is a possibility that this customer has rivals that would love to know what the new customer is doing, so protecting the information they give you is important. This is confidentiality.

Integrity – When Linda goes to design the documents and inserts the information, she needs to ensure that she doesn’t change anything without prior approval. What she has received from the customer should be exactly the same as what they get back when the job is finished. This is integrity.

Availability – Because James and Louis don’t have a direct part to play in the production, they don’t need to see the contents or the final documents that are printed. James likely won’t touch any part of the contract, and so doesn’t need any information at all about it. Louis will have to bill the customer and make sure the accounting is done correctly, but other than that he doesn’t need to know the specifics. Linda needs to see the information going into the documents, be able to edit where necessary, and then create the documents as requested, but she doesn’t need to know anything whatsoever about how much the job costs or how it is being paid for. Ralph is the person that likely received the order and details, but other than passing that information on to the correct person(s), he has nothing to do with the rest of it.

As you can see, in each part of the triad there are different requirements, responsibilities, and people involved. It is very likely that no one person needs to be a part of every situation or job, or have access to all of the information your organization ingests and uses on a daily basis.
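
The print-shop scenario above, as an added example that is not part of the original post: a deny-by-default permission map for the four employees, plus a SHA-256 fingerprint of the customer's content that must match before the job prints. The field names and the layout of the job record are assumptions made for illustration.

```python
import hashlib

# Constructed permission map for the print-shop scenario (deny by default).
# Field names "order_details", "content" and "billing" are assumptions.
PERMISSIONS = {
    "james": {},                                  # front desk: no part in this job
    "ralph": {"order_details": {"read"}},         # received the online order
    "linda": {"content": {"read", "write"}},      # designs and prints
    "louis": {"billing": {"read", "write"}},      # bills the customer
}

class AccessDenied(Exception):
    pass

def digest(content):
    return hashlib.sha256(content.encode("utf-8")).hexdigest()

def new_job(order_details, content, billing):
    """Store the job and fingerprint the content exactly as the customer sent it."""
    return {"order_details": order_details, "content": content,
            "billing": billing, "approved_digest": digest(content)}

def view(user, job):
    """Confidentiality and availability: return only fields the user may read."""
    grants = PERMISSIONS.get(user, {})
    return {f: job[f] for f, rights in grants.items() if "read" in rights}

def edit(user, job, field, value):
    """Allow a change only where the user holds an explicit write grant."""
    if "write" not in PERMISSIONS.get(user, {}).get(field, set()):
        raise AccessDenied(f"{user} may not change {field}")
    job[field] = value

def approve(job):
    """Customer signs off on the current content; record its new fingerprint."""
    job["approved_digest"] = digest(job["content"])

def ready_to_print(job):
    """Integrity: the content must match what the customer last approved."""
    return digest(job["content"]) == job["approved_digest"]

if __name__ == "__main__":
    job = new_job("500 internal handbooks", "Q3 reorganisation plan", "card on file")  # constructed
    print(view("linda", job), view("james", job))
    edit("linda", job, "content", "Q3 reorganization plan")
    print("printable before approval:", ready_to_print(job))
    approve(job)
    print("printable after approval:", ready_to_print(job))
```

A digest stored next to the record catches accidental or unapproved edits; it does not stop someone who can also rewrite the stored digest, so in practice the approved fingerprint is kept where only the approval step can write it.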

How will this Affect You

Your ability to understand and facilitate the three components of the CIA triad is integral to your cybersecurity efforts. While this post is not the be-all and end-all of what is involved, it is a good place to start in that understanding.

What should you do

Work with your employees, management, and cybersecurity team or providers to ensure that you know what is necessary to provide confidentiality, integrity, and availability within your organizational data realm. It is likely to save you time and money from the beginning, and will certainly ease some of the pain involved in securing your environments.

Northstarr Recommendations 

We are a team that deals with cybersecurity each and every day, from the most low-level, to the highest of all complexities. Take advantage of our expertise and decades of combined experience to ensure you are making the best decisions possible.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!