Information system

Type: Homework Help
Pages: 22
Words: 2026
School: Child Care Education Institute
Course: INFORMATION SYSTEM

9/3/2020 The CIA Triad and How to Implement It in the Real World
https://blog.netwrix.com/2019/03/26/the-cia-triad-and-its-real-world-application/ 1/28
The CIA Triad and Its Real-World Application
Ryan Brooks
Product Evangelist
Updated: June 23, 2020
What is the CIA triad?
Information security revolves around three key principles: confidentiality, integrity and
availability (CIA). Depending upon the environment, application, context or use case, one of these
principles might be more important than the others. For example, for a financial agency,
confidentiality of information is paramount, so it would likely encrypt any classified document
being electronically transferred in order to prevent unauthorized people from reading its
contents. On the other hand, organizations like internet marketplaces would be severely
damaged if their network were out of commission for an extended period, so they might focus on
strategies for ensuring high availability over concerns about encrypted data.
Confidentiality
Confidentiality is concerned with preventing unauthorized access to sensitive information. The
access could be intentional, such as an intruder breaking into the network and reading the
information, or it could be unintentional, due to the carelessness or incompetence of individuals
handling the information. The two main ways to ensure confidentiality are cryptography and
access control.
Cryptography
Encryption helps organizations meet the need to secure information from both accidental
disclosure and internal and external attack attempts. The effectiveness of a cryptographic system
in preventing unauthorized decryption is referred to as its strength. A strong cryptographic
system is difficult to crack. Strength can also be expressed as work factor, which is an estimate of
the amount of time and effort that would be necessary to break a system.
A system is considered weak if it allows weak keys, has defects in its design or is easily decrypted.
Many systems available today are more than adequate for business and personal use, but they
are inadequate for sensitive military or governmental applications. Cryptography has symmetric
and asymmetric algorithms.
Symmetric Algorithms
Symmetric algorithms require both the sender and receiver of an encrypted message to have the
same key and processing algorithms. Symmetric algorithms generate a symmetric key
(sometimes called a secret key or private key) that must be protected; if the key is lost or stolen,
the security of the system is compromised. Here are some of the common standards for symmetric
algorithms:
Data Encryption Standard (DES). DES has been used since the mid-1970s. For years, it was
the primary standard used in government and industry, but it is now considered insecure
because of its small key size — it generates a 64-bit key, but eight of those bits are just for
error correction and only 56 bits are the actual key. Now AES is the primary standard.
Triple-DES (3DES). 3DES is a technological upgrade of DES. 3DES is still used, even though
AES is the preferred choice for government applications. 3DES is considerably harder to
break than many other systems, and it’s more secure than DES. It increases the key length
to 168 bits (using three 56-bit DES keys).
Advanced Encryption Standard (AES). AES has replaced DES as the standard used by U.S.
governmental agencies. It uses the Rijndael algorithm, named for its developers, Joan
Daemen and Vincent Rijmen. AES supports key sizes of 128, 192 and 256 bits, with 128 bits
being the default.
Ron’s Cipher or Ron’s Code (RC). RC is an encryption family produced by RSA laboratories
and named for its author, Ron Rivest. The current levels are RC4, RC5 and RC6. RC5 uses a
key size of up to 2,048 bits; it’s considered to be a strong system. RC4 is popular with
wireless and WEP/WPA encryption. It is a streaming cipher that works with key sizes
between 40 and 2,048 bits, and it is used in SSL and TLS. It is also popular with utilities; they
use it for downloading torrent files. Many providers limit the download of those files, but
using RC4 to obfuscate the header and the stream makes it more difficult for the service
provider to realize that it’s torrent files that are being moved about.
Blowfish and Twofish. Blowfish is an encryption system invented by a team led by Bruce
Schneier that performs a 64-bit block cipher at very fast speeds. It is a symmetric block
cipher that can use variable-length keys (from 32 bits to 448 bits). Twofish is quite similar
but it works on 128-bit blocks. Its distinctive feature is that it has a complex key schedule.
International Data Encryption Algorithm (IDEA). IDEA was developed by a Swiss
consortium and uses a 128-bit key. This product is similar in speed and capability to DES,
but it’s more secure. IDEA is used in Pretty Good Privacy (PGP), a public domain encryption
system many people use for email.
One-time pads. One-time pads are the only truly completely secure cryptographic
implementations. They are so secure for two reasons. First, they use a key that is as long as
a plain-text message. This means that there is no pattern in the key application for an
attacker to use. Second, one-time pad keys are used only once and then discarded. So even
if you could break a one-time pad cipher, that same key would never be used again, so
knowledge of the key would be useless.
Asymmetric Algorithms
Asymmetric algorithms use two keys: a public key and a private key. The sender uses the public
key to encrypt a message, and the receiver uses the private key to decrypt it. The public key can
be truly public or it can be a secret between the two parties. The private key, however, is kept
private; only the owner (receiver) knows it. If someone wants to send you an encrypted message,
they can use your public key to encrypt the message and then send you the message. You can use
your private key to decrypt the message. If both keys become available to a third party, the
encryption system won’t protect the privacy of the message. The real “magic” of these systems is
that the public key cannot be used to decrypt a message. If Bob sends Alice a message encrypted
with Alice’s public key, it does not matter if everyone else on Earth has Alice’s public key, since
that key cannot decrypt the message. Here are some of the common standards for asymmetric
algorithms:
RSA. RSA is named after its inventors, Ron Rivest, Adi Shamir and Leonard Adleman. The
RSA algorithm is an early public key encryption system that uses large integers as the basis
for the process. It’s widely implemented, and it has become a de facto standard. RSA works
with both encryption and digital signatures. RSA is used in many environments, including
Secure Sockets Layer (SSL), and it can be used for key exchange.
Diffie-Hellman. Whitfield Diffie and Martin Hellman are considered the founders of the
public/private key concept. Their Diffie-Hellman algorithm is used primarily to generate a
shared secret key across public networks. The process isn’t used to encrypt or decrypt
messages; it’s used merely for the creation of a symmetric key between two parties.
Elliptic Curve Cryptography (ECC). ECC provides functionality similar to RSA but uses
smaller key sizes to obtain the same level of security. ECC encryption systems are based on
the idea of using points on a curve combined with a point at infinity and the difficulty of
solving discrete logarithm problems.
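The two reasons the text gives for one-time pad security (a key as long as the message, used exactly once) can be exercised directly. The following is an added example written for this page, not code from the original post; `pad_reuse_residue` is a constructed helper that shows what is left over when the second rule is broken.

```python
import os


def new_pad(length: int) -> bytes:
    # A fresh pad of random bytes, generated per message and never reused.
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    # Reason 1 from the text: the key must be at least as long as the message,
    # so there is no repeating pattern in how the key is applied.
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # XOR with the same pad undoes the encryption.
    return otp_encrypt(ciphertext, pad)


def pad_reuse_residue(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    # Reason 2 from the text: if one pad covers two messages, XORing the two
    # ciphertexts cancels the pad and leaves plaintext1 XOR plaintext2, which is
    # why a pad is discarded after a single use. (Constructed helper for this
    # example; it only illustrates the property.)
    return bytes(a ^ b for a, b in zip(ciphertext1, ciphertext2))


if __name__ == "__main__":
    message = b"meet at the bridge"        # constructed sample input
    pad = new_pad(len(message))
    ciphertext = otp_encrypt(message, pad)
    assert otp_decrypt(ciphertext, pad) == message
    print("round trip ok; ciphertext length:", len(ciphertext))
```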
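The Diffie-Hellman paragraph above says the algorithm only creates a shared symmetric key between two parties without ever encrypting a message itself. This added example (not from the original post) walks both sides of that exchange; the group parameters `P` and `G` are a constructed toy group, and hashing the shared value into an AES-sized key is an assumption about how the result would be used, not something the text specifies.

```python
import hashlib
import secrets

# Constructed toy group for illustration only; a real deployment uses a
# standardized group of 2048 bits or more.
P = 23
G = 5


class DHParty:
    """One side of a Diffie-Hellman exchange."""

    def __init__(self, name, p=P, g=G, private=None):
        self.name, self.p, self.g = name, p, g
        # The private exponent never leaves this object.
        self.private = private if private is not None else secrets.randbelow(p - 2) + 1

    def public_value(self):
        # The only thing sent over the public network: g^private mod p.
        return pow(self.g, self.private, self.p)

    def shared_secret(self, peer_public):
        # (g^b)^a == (g^a)^b mod p, so both sides reach the same integer.
        return pow(peer_public, self.private, self.p)

    def derive_key(self, peer_public):
        # Turn the shared integer into symmetric key material (assumption:
        # SHA-256 of the fixed-width big-endian encoding).
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(self.shared_secret(peer_public).to_bytes(width, "big")).digest()


def run_exchange(a_private=None, b_private=None):
    """Return (Alice's key, Bob's key, the two public values that crossed the wire)."""
    alice = DHParty("Alice", private=a_private)
    bob = DHParty("Bob", private=b_private)
    msg_a_to_b = alice.public_value()   # Alice -> Bob
    msg_b_to_a = bob.public_value()     # Bob -> Alice
    return alice.derive_key(msg_b_to_a), bob.derive_key(msg_a_to_b), (msg_a_to_b, msg_b_to_a)


if __name__ == "__main__":
    key_a, key_b, wire = run_exchange()
    print("public values seen on the wire:", wire)
    print("keys match:", key_a == key_b)
```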
Access Control
Encryption is one way to ensure confidentiality; a second method is access control. There are
several approaches to access control that help with confidentiality, each with its own strengths
and weaknesses:
Mandatory access control (MAC). In a MAC environment, all access capabilities are
predefined. Users can’t share information unless their rights to share it are established by
administrators. Consequently, administrators must make any changes that need to be
made to such rights. This process enforces a rigid model of security. However, it is also
considered the most secure cybersecurity model.
Discretionary Access Control (DAC). In a DAC model, users can share information
dynamically with other users. The method allows for a more flexible environment, but it
increases the risk of unauthorized disclosure of information. Administrators have a more
difficult time ensuring that only appropriate users can access data.
Role-Based Access Control (RBAC). Role-based access control implements access control
based on job function or responsibility. Each employee has one or more roles that allow
access to specific information. If a person moves from one role to another, the access for
the previous role will no longer be available. RBAC models provide more flexibility than the
MAC model and less flexibility than the DAC model. They do, however, have the advantage
of being strictly based on job function as opposed to individual needs.
Rule-Based Access Control (RBAC). Rule-based access control uses the settings in
preconfigured security policies to make decisions about access. These rules can be set up
to:
Deny all but those who specifically appear in a list (an allow access list)
Deny only those who specifically appear in the list (a true deny access list)
Entries in the list can be usernames, IP addresses, hostnames or even domains. Rule-based
models are often used in conjunction with role-based models to achieve the best combination of
security and flexibility.
Attribute-based access control (ABAC). ABAC is a relatively new method for access
control defined in NIST 800-162, Attribute Based Control Definition and Considerations. It is
a logical access control methodology where authorization to perform a set of operations is
determined by evaluating attributes associated with the subject, object, requested
operations, and, in some cases, environmental conditions against security policy, rules or
relationships that describe the allowable operations for a given set of attributes.
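The text notes that rule-based lists are usually combined with role-based models, and that ABAC additionally weighs subject, object and environmental attributes. This added example (not from the original post) evaluates one request through those layers in order; the users, roles, networks, labels and business-hours rule are constructed sample policy, not values from the text.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (illustrative names, roles and networks).
ROLE_PERMISSIONS = {              # role-based: permissions follow job function
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # rule-based allow list
DENIED_USERS = {"contractor_old"}                          # rule-based deny list


@dataclass
class Request:
    user: str
    roles: set
    source_ip: str
    operation: str
    hour: int          # environmental attribute (ABAC): local hour of the request
    clearance: int     # subject attribute
    object_label: int  # object attribute


def authorize(req: Request) -> tuple:
    """Return (allowed, reason) after applying each layer in turn."""
    # 1. Rule-based checks run first: an explicit deny wins, then the allow list.
    if req.user in DENIED_USERS:
        return False, "user is on the deny list"
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return False, "source address not on the allow list"
    # 2. Role-based: the operation must be granted by at least one held role.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.operation not in granted:
        return False, "no role grants this operation"
    # 3. Attribute-based: subject, object and environment attributes vs. policy.
    if req.clearance < req.object_label:
        return False, "subject clearance below object label"
    if req.operation != "read" and not 8 <= req.hour < 18:
        return False, "changes only allowed during business hours"
    return True, "allowed"


if __name__ == "__main__":
    print(authorize(Request("alice", {"analyst"}, "10.1.2.3", "read", 10, 2, 1)))
    print(authorize(Request("bob", {"admin"}, "10.9.9.9", "write", 22, 3, 1)))
```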
Smartcards are generally used for access control and security purposes. The card itself
usually contains a small amount of memory that can be used to store permissions and
access information.
A security token was originally a hardware device required to gain access, such as a wireless
keycard or a key fob. There are now also software implementations of tokens. Tokens often
contain a digital certificate that is used to authenticate the user.
Integrity
Integrity has three goals that help to achieve data security:
Preventing the modification of information by unauthorized users
Preventing the unauthorized or unintentional modification of information by authorized
users