CIA Triad – The Mother of Data Security

With the proliferation of cloud technologies, protecting data is more important than it has ever been. The CIA triad has grown in stature because it provides a robust framework for data protection in the modern workplace.

The CIA Triad has been used in cyber security for a long time. CIA stands for Confidentiality, Integrity and Availability.

CONFIDENTIALITY

Confidentiality is about making sure your company applies the right level of secrecy to its data. You will want to protect things like financial and personal information and your company’s IP from unauthorised access, wherever that data is: at rest, in transit and in use. There are several ways to start building security around confidentiality, from putting encryption in place to classifying your data and applying labels. A label records how sensitive a file is, which in turn determines how much protection surrounds it and what may be done with the data inside.

Public-facing files need less confidentiality, but it is still important that your users are trained on data confidentiality and on your organisation’s data protection policies and procedures. Attackers will try to get around your encryption (typically by stealing keys or credentials rather than breaking the algorithm) and will use social engineering to get access, so when you think about confidentiality, judge your security controls by how well they actually preserve data secrecy.

Microsoft offers a range of controls in this space, such as Microsoft Information Protection (MIP) and Microsoft Information Governance (MIG). Microsoft’s XDR solution, Microsoft 365 Defender, further strengthens the security posture around endpoints, servers, email and hybrid Azure AD (Azure Active Directory) identities. Microsoft Intune (MEM) also protects the confidentiality of data with features such as Intune App Protection policies and Windows Information Protection. Another Microsoft offering that helps keep your data confidential is Azure Key Vault, which provides a secure way to store keys, secrets (such as passwords and connection strings) and certificates in Microsoft’s data centres, safeguarded by industry-standard algorithms and key lengths and, optionally, by hardware security modules.

My colleague Edmund talks more about the need for tighter password control in this blog.

INTEGRITY

Our next principle is Integrity: having confidence that our data has not been tampered with or altered in any way. For example, if we encrypt data and write it to a database, we want the data we later read back and decrypt to be exactly what we stored, with no alterations. Note that encryption on its own does not give you this guarantee: with most unauthenticated modes, an attacker who cannot read the ciphertext can still flip bits in it and silently change what it decrypts to. Integrity therefore needs a verification mechanism, such as a message authentication code (MAC), a digital signature or an authenticated encryption mode, checked before the data is trusted. That is the confidence we should be looking for when we think about the integrity of our data.
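The database scenario above, worked through as an added Python example (not code from the original post): a toy XOR stream cipher, constructed here purely for illustration and not a real cipher, is used once without and once with an HMAC-SHA256 tag. The record contents, key sizes and the single-byte tamper are all assumptions made for the demonstration; only the standard library is used.

```python
import hmac
import hashlib
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Constructed for illustration only; do not use as a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same function decrypts.
    return bytes(d ^ k for d, k in zip(data, _keystream(enc_key, nonce, len(data))))


decrypt = encrypt


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag (constant-time) before decrypting; None if tampered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, nonce, ct)


def decrypt_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    """Decrypt and trust the result, ignoring the tag: no integrity check."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return decrypt(enc_key, nonce, ct)


def tamper(blob: bytes, offset: int, xor_mask: int) -> bytes:
    """Attacker flips bits in one ciphertext byte without knowing any key."""
    b = bytearray(blob)
    b[NONCE_LEN + offset] ^= xor_mask
    return bytes(b)


def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = b"transfer amount=100"          # constructed sample record
    blob = seal(enc_key, mac_key, record)
    # Flip '1' (0x31) to '9' (0x39) in the stored ciphertext: the XOR mask
    # applied to the ciphertext byte is applied to the plaintext byte too.
    offset = record.index(b"100")
    tampered = tamper(blob, offset, 0x31 ^ 0x39)
    return {
        "original_roundtrip": open_sealed(enc_key, mac_key, blob),
        "unauthenticated_tampered": decrypt_unauthenticated(enc_key, tampered),
        "authenticated_tampered": open_sealed(enc_key, mac_key, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Without the tag, the tampered record decrypts cleanly to a different amount and nothing in the decryption step reveals it; with the tag verified first, the same tampered record is rejected. Real systems get the same property from an authenticated mode such as AES-GCM rather than a hand-rolled construction.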

Microsoft 365 has a plethora of encryption mechanisms, such as Office 365 Message Encryption (OME) for email, BitLocker encryption managed through Intune, and service encryption for Exchange Online, SharePoint Online, OneDrive for Business (ODfB) and Teams, using either Customer Key or Microsoft-managed keys.

Azure Storage Service Encryption helps protect data at rest by automatically encrypting it before it is persisted to Azure Managed Disks, Azure Blob Storage, Azure Files or Azure Queue Storage, and decrypting it on retrieval. Azure Disk Encryption helps you encrypt the disks of Windows and Linux IaaS virtual machines; it uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. Transparent Data Encryption (TDE) helps protect Azure SQL Database and Azure Synapse Analytics (formerly Azure SQL Data Warehouse) against malicious offline activity by performing real-time encryption and decryption of the database, its associated backups and its transaction log files at rest, without requiring changes to the application.

AVAILABILITY

Availability means keeping your environment available, considering things like disaster recovery in case anything happens to the environment in its production state.

Microsoft 365 keeps multiple copies of your data across data centres for redundancy, subject to your data residency requirements; for your own Azure workloads, availability sets and availability zones play the same role. Name resolution matters too: your internal DNS servers and Azure DNS play a significant part in keeping your data reachable round the clock with minimum interruption. Finally, it would be a crime not to mention Microsoft’s relentless 24/7 work in the background to protect customers against DDoS attacks, using a rich threat intelligence network that includes Microsoft partners and the wider internet security community.

If this blog gave you an acronym ice cream headache, my colleague Lee Foster wrote a great blog on just this.
