BlueAllyBlueAlly
Blog

CIA Triad: Part 1 - Confidentiality

Security

In Managing Security in the Age of Zero Trust, BlueAlly introduces Zero Trust as a data-centric approach to security. This involves identifying the data assets and adjusting or creating an Enterprise Information Security Policy (EISP) that protects data and takes a risk-based approach to security.  

So, what is a “risk-based” approach from a technological perspective? 

Risk-Based Technology 

From a security management standpoint, there is a risk-based methodology called the “CIA Triad”: Confidentiality, Integrity, and Availability (CIA). Confidentiality means that only authorized users and processes should be able to access or modify data. Integrity describes thatdata should be maintained correctly, and nobody should be able to modify it, either accidentally or maliciously. Finally, Availability describes that an authorized user should be able to access data wherever and whenever needed.   

Confidentiality Defined 

Confidentiality is often simplified to mean encryption. But there are three separate technology areas involved with the encryption process: encryption at rest, encryption in transit, and emerging technologies applying encryption during processing (aka Confidential Computing). This oversimplification is an artifact of pre-Zero-Trust siloed thinking.  

In this older technological paradigm, encryption was deployed piecemeal on the infrastructure: 

  • Encryption of Data at Rest: Storage Engineers using the encryption technologies supported by the various vendor choices 
  • Encryption of Data in Transit: Network Engineers using such technologies as MACsec or WAN tunnels with IPSec, iWAN, DMVPN, or other SD-WAN technologies 
  • Encryption of Data in Use: An emerging technology called Confidential Computing that closes gaps in data security while data is in use 

However, Confidentiality has always involved privileged access – verifying that the user accessing the data has the right to see or modify it. So, the older operational approach separated out the infrastructure work and user access technology as independent issues. 

As a result, to maintain data confidentiality, an enterprise requires multiple independent groups to fire on all cylinders to function correctly. 

The Zero-Trust approach with Confidentiality integrates the approach across all these silos. This means implementing least privileged access technologies such as role-based access controls (RBAC) and attribute-based access control (ABAC). This emerging technology standard can apply context to the permissions. 

Confidentiality Examples 

Loss of Confidentiality is defined as “data being seen by unauthorized users.”  As a result, most cyber incidents in the press are examples of confidentiality breaches.   

To fight this, we need Authentication, Authorization, and Encryption. 

Authentication includes many technologies and techniques, but it can be satisfied with Multi-Factor Authentication.   

This can consist of a combination of at least two of the following: 

  • Something the user knows (e.g., Password, PIN or Account number) 
  • Something the user has (e.g., key or security token) 
  • Something the user is (e.g., biometrics) 
  • Somewhere the user is (e.g., location validated by GPS) 

Authorization involves ‘need to know’ mechanisms, and sometimes, this is as simple as having separate user IDs for Admin access. However, authorization can be more complex, and this is where the NIST standard on ABAC was developed. This permits policies that differentiate not just on ‘read and write’ access or specific data sets. Still, they can accommodate dynamic rulesets based on location or a risk score that looks at two or more risk-based attributes. 

Encryption seems straightforward, but it can be a complex issue. Consider that many current Data Centers use overlay technologies that do not support encryption. While this may be viewed as a problem, it can normally be worked around using hardware technologies such as MACsec (802.1AE). The trick is to step back and look at the problem holistically.  

However, encryption requires the management of a lot of keys. As a result, you need to think through the process and ensure your plans involve a comprehensive view of key management. 

However, confidentiality technology alone cannot solve all issues. BlueAlly does a lot of work in healthcare and the infrastructure we develop often supports Electronic Medical Records (EMR) systems. Many of these are old and cannot differentiate access to patient data as required by HIPAA (Healthcare Insurance Portability and Accountability) regulations. As a result, if you can see and modify records for one patient, the only thing preventing you from looking up data on someone you are not treating (and therefore not authorized to view) is an HR policy.  

In these cases, the policy might be enforced by examining log files. While after the fact, the presence of a forensic trail would be a powerful incentive to prevent snooping. 

No single company has a complete product or even product set for Confidentiality, let alone Zero-Trust, but perfection is the enemy of progress. As a result, we should be looking for solutions that improve the current situation and move us forward. 

Vendor Choices 

In our work, we are big fans of MFA (Multi-Factor Authentication) and, for our systems, we use Microsoft, but we also support DUO, OKTA, and other vendor solutions. For identity-based secure access and segmentation, we are partnered with several firms, including Cisco, Fortinet, Palo Alto, and Zscaler. 

Ongoing Call to Action 

EISPs and the downstream technological policies need to be living systems and kept up to date as the business evolves and changes.  As a result, a governance process needs to be established to tie the senior management team with the technology teams tasked with protecting and managing the firm’s data assets. 

For a practical view on including the CIA Triad within your Security Practice, you can read our blog on this subject: Architecting an information security program for the Enterprise. 

BlueAlly consultants are always here to assist and guide your journey to a more secure future. To learn more, contact us about the assessments we can perform to address any concerns and improve your infrastructure. 

Contact BlueAlly

Connect with BlueAlly today to learn more.