We live in a world where everything seems to revolve around high-speed communication and the technology platforms that provide it. The business world is no different; in fact, the very nature of conducting business these days depends on how fast something can be implemented and how quickly stakeholders can access important data.
It is with this in mind that I pose a very relevant (and often forgotten) question: Which is most important in our world of technology and communication: confidentiality, integrity, or availability? Don’t rush to answer just yet; after all, as an IT Leader, your opinion probably doesn’t matter to your organization anyway (insert sarcastic smile).
Several years ago, when my colleagues and I decided to start Praetorian Secure, I remember thinking we would be able to change the world with our innovative approach to many compliance verticals and overall IT security strategies. However, something that somehow escaped my naivety was the fact that key business decision makers are often not concerned with security, and are more focused on the mighty dollar. Now, as a business leader myself, I understand why focusing on the budget and personnel is important – but I am also very cautious to never let the privacy, reliability, or timeliness of something be negatively impacted in the process. Perhaps our key leaders just require a refresher course on what the “CIA Triad” is all about?
Confidentiality refers to limiting information access and disclosure to authorized users — “the right people” — and preventing access by or disclosure to unauthorized ones — “the wrong people.” Confidentiality is related to the broader concept of data privacy — limiting access to individuals’ personal information. This is covered in several U.S. federal & state laws and quite extensively in various compliance mandates such as HIPAA, FISMA, and FERPA.
Integrity refers to the trustworthiness of information and resources. It includes the concept of “data integrity” — namely, that data has not been changed inappropriately, whether by accident or by deliberately malign activity. It also includes “origin” or “source integrity” — that is, that the data actually came from the person or entity you think it did, rather than an imposter.
In a more restrictive view, however, integrity of an information system includes only preservation without corruption of whatever was transmitted or entered into the system, right or wrong.
Availability refers, unsurprisingly, to the availability of information resources. An information system that is not available when you need it is at least as bad as none at all. It may be much worse, given the reliance most organizations place on a functioning computer and communications infrastructure. Many could literally not operate without them.
Availability, like other aspects of security, may be affected by purely technical issues (e.g., a malfunctioning part of a computer or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).
Let’s Find a Balance
Security efforts to assure confidentiality, integrity and availability can be divided into those oriented to prevention and those focused on detection. The latter aims to rapidly discover and correct for lapses that could not be — or at least were not — prevented. The balance between prevention and detection depends on the circumstances and the available security technologies. For example, while locked doors and windows have proven over the years to be easily compromised, if we relied only on an alarm to protect our loved ones and belongings, we would have implemented only an effective detection method against home invasion.
It is critical to remember that “appropriate” or “adequate” levels of confidentiality, integrity and availability depend on the context, just as does the appropriate balance between prevention and detection. The nature of the efforts that the information systems support; the natural, technical and human risks to those endeavors; governing legal, professional and compliance standards — all of these need to be considered and will condition not only how you answer my question above, but also how the CIA standards are effectively implemented throughout the enterprise.