栢特师教育 overseas-student essay writing tutoring: CIA Triad in Informational Security Management Systems



CIA Triad in Informational Security Management Systems

1.0 Introduction

Information security is about protecting information and information systems from unauthorized access, use, inspection, disruption and similar misuse. In the era of digital 2.0, information security is becoming more and more critical for all companies and organizations. Electronic information such as customers' data should be well protected. Customers' buying behaviors and brand preferences, for instance, are all important data, and unauthorized organizations or personnel may trade such data for economic profit without consent. In order to protect confidential electronic data, many companies have launched Information Security Management Systems (ISMS) to manage information and protect information security (Broderick, 2006). One widely applicable information security model is the well-known C-I-A triad or triangle framework (Cherdantseva & Hilton, 2013). CIA stands for confidentiality, integrity and availability. These three principles or tenets should be guaranteed in any kind of ISMS. All three are critical for the whole security system, from access to users' internet history to the data encrypted in transit across the internet. If any of the three principles is breached, the ISMS of the respective company will face a very dangerous threat or consequence. In this essay, the three principles will first be defined. Then, how each tenet contributes to the information security system will be elaborated. Last, why the CIA triangle can guarantee information security for a company or an organization will be explained in detail.

 

2.0 Definition of CIA Triangle

The C-I-A triangle is important and essential in cybersecurity as it helps to avoid compliance issues, facilitates business continuity and prevents potential damage to the information network of a company or an organization (Cherdantseva & Hilton, 2013). As shown in figure 1 below, the C-I-A model is comprised of three principles, namely confidentiality, integrity and availability. By definition, confidentiality refers to the ability to hide information and prevent unauthorized people from viewing it. Confidentiality is perhaps the most obvious tenet in the CIA triad (Olivier, 2002), and it is therefore also the tenet that is attacked most often. Integrity, on the other hand, refers to the ability to make sure that data is an accurate and unchanged representation of the original secured information. The information security of a company may be attacked when some important data are purposely changed before being sent to the intended receiver; in the process, the integrity of the information is adversely affected. Last, availability means that the information security system should keep information available and accessible to authorized personnel. Some types of cyber security attack attempt to deny appropriate users access to information (Olivier, 2002). For instance, the information network of a company might be attacked by corrupting or taking down its website. When its users' access to the information is denied, rival firms may take advantage in the market competition.

Fig 1: CIA Model (image not reproduced)

3.0 Contribution of Confidentiality, Integrity and Availability

3.1 Confidentiality

Information is kept confidential or secret from unauthorized or irrelevant users. For instance, in a credit card transaction via the internet, the credit card number is encrypted, restricting access to the card number and user information (Kurtz, 2003). Confidentiality ensures the privacy of highly sensitive information. One of the important contributions of confidentiality is to prevent sensitive data from leaking to unauthorized personnel. Malicious actors are barred from intercepting or interpreting the data for nefarious purposes.

 

So far, cryptography is the best solution for protecting confidentiality in the information security management system of a company (Arockiam & Monikandan, 2014). This approach converts plain-text into cipher-text, which is not readable by human beings. Only authorized entities can turn the cipher-text back into readable form in the deciphering process. Besides, strong passwords, two-way authentication and steganography are some other methods of ensuring confidentiality in information transmission.
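As an added illustration of the credit-card example above (this code is not part of the original essay or its cited sources), the following Python sketch keeps a card number confidential in the two ways the section describes: the number is stored only as cipher-text, and only an authorised role can obtain the deciphered value. Because the Python standard library has no block cipher, the example uses a one-time pad (XOR with a fresh random key as long as the message, never reused); a real system would use an authenticated cipher such as AES-GCM from a vetted library and keep the keys in a separate key store. The vault class, the role name `payment-service` and the test card number are constructed for the example.

```python
from __future__ import annotations

import secrets

# Constructed sample value: a well-known test PAN, not a real card number.
SAMPLE_PAN = "4111111111111111"


def otp_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """One-time pad: XOR the message with a fresh random key of equal length.

    The key must be as long as the message and must never be reused; that is
    what makes the cipher-text reveal nothing about the plain-text.
    """
    key = secrets.token_bytes(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    return ciphertext, key


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Deciphering is the same XOR with the same key."""
    if len(key) != len(ciphertext):
        raise ValueError("key must be exactly as long as the ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def mask_pan(pan: str) -> str:
    """Display form that exposes only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Hypothetical vault: card numbers are stored only as cipher-text, and the
    deciphered value is released only to authorised roles."""

    AUTHORISED_ROLES = {"payment-service"}  # hypothetical role name

    def __init__(self) -> None:
        self._ciphertexts: dict[str, bytes] = {}
        self._keys: dict[str, bytes] = {}  # in practice held by a separate key store

    def store(self, customer_id: str, pan: str) -> str:
        ciphertext, key = otp_encrypt(pan.encode())
        self._ciphertexts[customer_id] = ciphertext
        self._keys[customer_id] = key
        return mask_pan(pan)  # the only form handed back to ordinary callers

    def stored_bytes(self, customer_id: str) -> bytes:
        """What someone who dumps the database table would see."""
        return self._ciphertexts[customer_id]

    def reveal(self, customer_id: str, role: str) -> str:
        """Full card number, only for a role that is allowed to see it."""
        if role not in self.AUTHORISED_ROLES:
            raise PermissionError(f"role {role!r} may not read card numbers")
        return otp_decrypt(self._ciphertexts[customer_id], self._keys[customer_id]).decode()


def demo() -> dict:
    """Walk through storing, dumping and revealing one constructed record."""
    vault = CardVault()
    masked = vault.store("cust-42", SAMPLE_PAN)
    dumped = vault.stored_bytes("cust-42")
    try:
        vault.reveal("cust-42", role="marketing")
        marketing_blocked = False
    except PermissionError:
        marketing_blocked = True
    return {
        "masked": masked,
        "dump_is_plaintext": dumped == SAMPLE_PAN.encode(),
        "marketing_blocked": marketing_blocked,
        "payment_service_sees": vault.reveal("cust-42", role="payment-service"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `stored_bytes` is that a leaked copy of the table is useless without the keys; the point of `reveal` is that confidentiality also depends on access control, not on encryption alone.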

 

3.2 Integrity

Integrity means that the data stored in the information system are correct. Nobody should be able to alter the data in any way. In other words, data should be protected from modification or deletion by unauthorized users. Integrity is highly essential for data protection whether the data are in transit or in storage. For instance, in e-Commerce, data integrity may be compromised by a Man-In-The-Middle (MITM) attack (Nayak & Samaddar, 2010). Unauthorized personnel or hackers may penetrate the web server of a company and introduce malicious code to destroy the database. When the data cannot effectively reflect customers' buying behaviors, preferences, loyalty and so on, it will be extremely difficult for a company to make accurate and precise decisions in its business operations and activities. This may result in very severe profit loss through wrong decisions.

 

Therefore, hashing algorithms such as MD5 are often used by information security management technicians to check the integrity of data (Jarvinen, Tommiska & Skytta, 2005). MD5 can be used as a digital signature mechanism. It takes as input a message of arbitrary length and produces as output a 128-bit message digest of the input data. It is computationally impossible to produce two messages with the same message digest or "fingerprint". As such, the integrity of the data can be effectively protected.
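To make the fingerprint idea concrete, here is an added Python example (not from the essay or its cited sources) that computes MD5 and SHA-256 digests with the standard library and uses them to detect a modified record. Two caveats a practitioner would add: practical MD5 collisions have been public since 2004, so SHA-256 is the digest to use for new systems; and a plain digest only catches changes by someone who cannot also replace the stored digest, because a man-in-the-middle who rewrites data in transit can recompute the digest too. The last two functions contrast that case with a keyed HMAC, which cannot be recomputed without the shared key. The sample order records and the key are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data): the second one has a changed shipping address.
ORIGINAL = b"order_id=1001;customer=42;amount=19.99;ship_to=1 Main St"
TAMPERED = b"order_id=1001;customer=42;amount=19.99;ship_to=9 Other Rd"


def fingerprint(data: bytes, algorithm: str = "md5") -> str:
    """Message digest of arbitrary-length input; MD5 gives 128 bits (32 hex chars)."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_fingerprint(data: bytes, expected: str, algorithm: str = "md5") -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(fingerprint(data, algorithm), expected)


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a digest that cannot be recomputed without the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_tag(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), tag)


def stored_copy_intact(original: bytes, stored: bytes) -> bool:
    """Data at rest: compare the current copy against the digest recorded at write time."""
    recorded = fingerprint(original)
    return verify_fingerprint(stored, recorded)


def tampering_passes_unkeyed_check(tampered: bytes) -> bool:
    """Data in transit with a plain hash sent alongside it: an attacker who can
    change the data can recompute the hash as well, so the receiver's check
    still passes. Returns True to show the check gives no protection here."""
    forged_digest = fingerprint(tampered)
    return verify_fingerprint(tampered, forged_digest)


def tampering_passes_keyed_check(original: bytes, tampered: bytes, key: bytes) -> bool:
    """Same scenario with an HMAC: without the key the attacker can only reuse
    the old tag or compute one under a guessed key; neither verifies."""
    legitimate_tag = keyed_tag(original, key)
    forged_tag = keyed_tag(tampered, secrets.token_bytes(32))  # attacker's guess at the key
    return verify_keyed_tag(tampered, key, legitimate_tag) or verify_keyed_tag(tampered, key, forged_tag)


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # constructed sender/receiver secret
    print("md5    ", fingerprint(ORIGINAL))
    print("sha256 ", fingerprint(ORIGINAL, "sha256"))
    print("stored copy intact:      ", stored_copy_intact(ORIGINAL, ORIGINAL))
    print("modified copy intact:    ", stored_copy_intact(ORIGINAL, TAMPERED))
    print("plain hash catches MITM: ", not tampering_passes_unkeyed_check(TAMPERED))
    print("HMAC catches MITM:       ", not tampering_passes_keyed_check(ORIGINAL, TAMPERED, shared_key))
```

`hmac.compare_digest` is used for every comparison so that the time taken does not depend on how many leading characters match.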

 

3.3 Availability

Furthermore, the information transmitted or stored by a company or an organization must be available to authorized users or entities. It is very meaningful to make sure that data are accessible and well taken care of. Redundancy, backups and recovery features should be maintained. These can make sure that high-quality cyber services are rendered to a large number of customers with consistency and reliability. Backups and updates of sensitive data on external drives can potentially help to reduce data loss.

 

Data backups, patching, redundant systems and so on are all possible approaches to enhancing the availability of data in the information network of a company. A redundant system, for instance, can provide fault tolerance (Wylie et al., 2000). In other words, when a primary information system fails to operate or provide data to target users, the secondary machine and system will continue to function without interruption. Information system management technicians can direct the workload and transfer of data to a backup system on the external drives. This prevents potential business loss and disastrous consequences from occurring.
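The failover the paragraph describes, as an added Python simulation (not the essay's own material, and not modelled on any particular product): writes are replicated to every reachable node, reads fall back to a secondary when the primary is down, a node that missed writes while offline is kept out of the read path until it has been resynced from an up-to-date copy, and a snapshot/restore pair stands in for backup and recovery. Node names and the sample keys are constructed.

```python
from __future__ import annotations

import copy


class StorageNode:
    """One machine holding a copy of the data; `online` can be flipped to simulate a failure."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.data: dict[str, str] = {}
        self.online = True

    def _check(self) -> None:
        if not self.online:
            raise ConnectionError(f"{self.name} is down")

    def write(self, key: str, value: str) -> None:
        self._check()
        self.data[key] = value

    def read(self, key: str) -> str:
        self._check()
        return self.data[key]

    def snapshot(self) -> dict[str, str]:
        """Backup: a point-in-time copy that can be kept on separate media."""
        self._check()
        return copy.deepcopy(self.data)

    def restore(self, snapshot: dict[str, str]) -> None:
        """Recovery: rebuild the node's contents from a backup or a healthy replica."""
        self.data = copy.deepcopy(snapshot)
        self.online = True


class ReplicatedStore:
    """Redundant storage: writes go to every reachable node, reads fail over in priority order."""

    def __init__(self, primary: StorageNode, replicas: list[StorageNode]) -> None:
        self.nodes = [primary] + replicas
        self.stale: set[str] = set()  # nodes that missed a write while offline

    def write(self, key: str, value: str) -> int:
        """Returns how many nodes accepted the write; raises only if none did."""
        accepted = 0
        for node in self.nodes:
            try:
                node.write(key, value)
                accepted += 1
            except ConnectionError:
                self.stale.add(node.name)
        if accepted == 0:
            raise ConnectionError("no storage node available")
        return accepted

    def read(self, key: str) -> tuple[str, str]:
        """Returns (value, name of the node that served it)."""
        for node in self.nodes:
            if node.name in self.stale:
                continue  # may hold old data; not served until resynced
            try:
                return node.read(key), node.name
            except ConnectionError:
                continue
        raise ConnectionError("data unavailable: every up-to-date node is down")

    def resync(self, node: StorageNode) -> None:
        """Bring a recovered node back by copying from a healthy, up-to-date node."""
        for source in self.nodes:
            if source is not node and source.online and source.name not in self.stale:
                node.restore(source.snapshot())
                self.stale.discard(node.name)
                return
        raise ConnectionError("no up-to-date node to resync from")


def failover_scenario() -> dict:
    """Constructed walk-through: the primary fails, service continues, the primary recovers."""
    primary, replica = StorageNode("primary"), StorageNode("replica")
    store = ReplicatedStore(primary, [replica])
    store.write("customer:42", "loyal")
    served_before = store.read("customer:42")[1]
    primary.online = False                                 # primary machine fails
    served_during = store.read("customer:42")[1]           # replica answers, no interruption
    writes_accepted = store.write("customer:43", "new")    # replica alone takes the write
    primary.online = True                                  # back, but it missed customer:43
    served_after_return = store.read("customer:43")[1]     # still the replica: primary is stale
    store.resync(primary)
    served_after_resync = store.read("customer:43")[1]
    return {
        "served_before": served_before,
        "served_during": served_during,
        "writes_accepted": writes_accepted,
        "served_after_return": served_after_return,
        "served_after_resync": served_after_resync,
        "primary_value_after_resync": primary.read("customer:43"),
    }


if __name__ == "__main__":
    print(failover_scenario())
```

Keeping a returning node out of the read path until it is resynced is the part that is easy to forget: without it, failover preserves availability but silently costs integrity, because the recovered primary would answer with data it never received.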

 

4.0 CIA Principles in guaranteeing information security

The CIA triad will guarantee the information security of a company. Through an equal combination of all three tenets, namely confidentiality, integrity and availability, it is feasible for the respective company to have a properly running infrastructure of information security management. At present, many companies in the world are suffering from security breaches, data theft and other cyber security problems. Facebook, for example, has been criticized for the recent data breach scandal (Isaak & Hanna, 2018). The private data of millions of Facebook users were attacked and leaked to unauthorized personnel. In India, Cambridge Analytica, an information company, was able to get access to the private data of over 50 million Indian Facebook users without permission. After this incident, India's government warned that Facebook should implement concrete measures to prevent data breaches from taking place in the future.

 

It should be noted that the three principles address different issues in information security management. Confidentiality reduces the risks of loss of privacy, unauthorized access to information and identity theft. Through ensuring confidentiality, it is possible for a company to have a high level of information security. Integrity, on the other hand, reduces the risk that information is no longer reliable or accurate. In other words, it facilitates operational controls on information quality. Last, availability reduces the risks of business disruption, loss of customer confidence and loyalty, and loss of revenue. Through back-up storage, redundant systems and sufficient capacity, it is possible for a respective company to have good business continuity and planning.

 

5.0 Conclusion

In conclusion, it is indisputable that confidentiality, integrity and availability in the CIA triad model are highly important for information security management. As discussed above, the three tenets help a company to enhance information security, provide effective operational controls of data and protect business continuity. They will potentially reduce the risk of data breach and theft cases. In other words, the data breach and user account leakage problems of companies like Facebook will be remarkably addressed. However, it should also be pointed out that the CIA model is only concerned with information. Thus, it may only provide a limited view of information security in the whole management process. For instance, it is true that availability can make sure that users will not lose access to resources, but it does not prevent or guarantee that someone will not make unauthorized use of the hardware resources of a company. In other words, information security professionals alone cannot guarantee information security. In fact, all stakeholders including other employees should jointly protect confidential information and data in order to safeguard the CIA principles.

 

References

Arockiam, L., & Monikandan, S. (2014). Efficient cloud storage confidentiality to ensure data security. In 2014 International Conference on Computer Communication and Informatics (pp. 1-5). IEEE.

 

Broderick, J. S. (2006). ISMS, security standards and security regulations. Information Security Technical Report, 11(1), 26-31.

Cherdantseva, Y., & Hilton, J. (2013). A reference model of information assurance & security. In 2013 International Conference on Availability, Reliability and Security (pp. 546-555). IEEE.

Nayak, G. N., & Samaddar, S. G. (2010). Different flavours of man-in-the-middle attack, consequences and feasible solutions. In 2010 3rd International Conference on Computer Science and Information Technology (Vol. 5, pp. 491-495). IEEE.

Jarvinen, K., Tommiska, M., & Skytta, J. (2005, January). Hardware implementation analysis of the MD5 hash algorithm. In Proceedings of the 38th annual Hawaii international conference on system sciences (pp. 298a-298a). IEEE.

Kurtz, G. (2003). EMR confidentiality and information security. Journal of Healthcare Information Management: JHIM, 17(3), 41-48.

 

Isaak, J., & Hanna, M. J. (2018). User data privacy: Facebook, Cambridge Analytica, and privacy protection. Computer, 51(8), 56-59.

Olivier, M. S. (2002). Database privacy: balancing confidentiality, integrity and availability. ACM SIGKDD Explorations Newsletter, 4(2), 20-27.

Wylie, J. J., Bigrigg, M. W., Strunk, J. D., Ganger, G. R., Kiliccote, H., & Khosla, P. K. (2000). Survivable information storage systems. Computer, 33(8), 61-68.

 


Copyright © 栢特师教育, Inc. All rights reserved. 辽ICP备20002270号-1. Technical support: 大连友云科技有限公司