.svg){kind=small}
.svg)
%20Data%20to%20Me_BLOG_1080x600.avif)
.avif)
.avif)
.avif)
.avif)
Security & Governance
Language
Articles
7/22/2021
10 minutes
Reimagining the CIA Triad Confidentiality Standards for Greater Security
.svg)
.svg)
Today, speed to market is a vital factor for organizations. Many have chosen to adopt DevOps principles because the process accelerates product development. However, this acceleration is a culture shift. When it鈥檚 not treated as such, there is a risk that rapid, unregulated change will result in inadvertently shipping bugs of all kinds, including security vulnerabilities. The only solution is equally rapid, robust security planning routed in both traditional methods and intelligent updates.
鈥
A return to the principles from the CIA Triad鈥confidentiality, integrity, and access鈥攊s necessary. This model treats security as a holistic part of the process. Confidentiality is built in from the very beginning. Some modernization through the distributed, immutable, and ephemeral (DIE) model improves this process even more. When focusing on the CIA triad鈥檚 confidentiality component, an approach routed in principles that incorporates end-to-end security through proven methods is best.
听
鈥
鈥
The CIA Triad is an established in a system. These pets are supported by a carefully managed infrastructure. They鈥檙e given unique names, and treated when damaged. They鈥檙e the opposite of cattle鈥攖he systems that don鈥檛 require special treatment and are disposed of when damaged or unnecessary.
鈥
The CIA Triad鈥檚 confidential portion centers on protecting sensitive resources from unauthorized views. It鈥檚 comprised of two subclasses: authentication and authorization:
The program verifies the user鈥檚 identity through some method, typically a password or security token. The system ensures the user is authorized to access the specific type of information. Ideally, authorization is based on the principle of least privilege.
听
Under this segment, methods used run the gamut from old school passwords to complex biometric identification programs. The more sensitive the information, the higher the authentication and authorization level.
鈥
Here, an enterprise ensures their state鈥檚 security by focusing on uptime and backups. However, in a CIA-only approach, the maintenance cost of the systems managing that state is so high that they require constant vigilance. The DIE approach significantly lowers that maintenance burden by loosening the coupling between said systems and their state so that the systems are easily replaced at will.. Traditional methods of protecting state under the CIA model include:
鈥
鈥
The CIA model is still relevant for security, but modern needs have changed it a bit. In many instances, organizations deal with different programs and platforms, making authentication and authorization a more significant challenge. However, the distributed, immutable, and ephemeral model can help close these gaps.
鈥
鈥
The DIE model won鈥檛 replace the CIA triad. Instead, it鈥檚 a layer that works on top of it. While the CIA triad addresses the pets in a system, the DIE model handles the cattle. Specifically, it centers on the infrastructure and applications. The two do the same thing鈥攍oosen the coupling between the systems processing data, and the data itself.
鈥
The infrastructure of a program is possibly the most disposable because using the right processes, it can be recreated using a repeatable script or code, aka infrastructure as code. In the event of a breach, administrators can dump the code and rebuild everything from scratch. This may seem like it doesn鈥檛 fit with the CIA鈥檚 confidentiality component because, after all, the very things that must be confidential are pets. They are not disposable. However, the 鈥渆phemeral鈥 part of DIE is a central component of ensuring confidentiality.
鈥
It鈥檚 best explained by the mapping completed by who connects the ephemeral of infrastructure to data confidentiality. In his strategy, he advises firms to 鈥渄rive the value of assets closer to zero.鈥
鈥
In practical application, that means when an enterprise starts or uses any system, it will have internal state, whether it be databases, hardcoded data, or something else. That state must be offloaded to ensure the infrastructure that holds that data remains ephemeral. Administrators must remove the data and send it to a safer place, whether it be another database, , or all-inclusive programs like Vault by HashiCorp. Regardless of storage, it鈥檚 necessary to pull the state out of a system and send it to a safer place. It may feed the applications or programs, but it鈥檚 never a static part of them.
鈥
When it鈥檚 really broken down, InfoSec is risk management. When speed to market comes at the expense of confidentiality, enterprises stand to lose a lot more than they gain. Administrators must select a method of storage that requires deep authorization and authentication while keeping it separate from infrastructures that should be ephemeral.
鈥
鈥
The key to controlling the CIA Triad鈥檚 confidentiality aspect is to maintain flexibility in a secure environment. Laying the DIE model on top of the CIA鈥檚 framework allows enterprises to separate their pets from cattle and focus their attention on invaluable systems. Such a strategy establishes a fundamental security level capable of supporting any DevSecOps program.
听
听
Level up your Salesforce DevOps skills with our resource library.
.svg)
.svg)
.svg)