Cybersecurity 101: Understanding Confidentiality in the CIA Triad

Continuing our cybersecurity fundamentals series, we’ll explore one essential concept in cybersecurity: the CIA Triad. While the acronym might evoke thoughts of a certain intelligence agency, these three letters stand for confidentiality, integrity and availability.

These three words shape modern security thinking. They are the building blocks for further concepts and for the way we design both our data and our software.

Their direct opposite is DAD. While this acronym again evokes other thoughts, the letters stand for disclosure, alteration and destruction.

Confidentiality: Keeping Secrets

As defined by NIST, confidentiality means “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”

So, in practical terms, data should remain protected throughout its lifecycle:

  • In transit across networks
  • At rest in storage media
  • In use by applications

Recent cybersecurity headlines reveal that maintaining confidentiality is a challenging battle. Healthcare data breaches and communication companies finding their data on the dark web are just a few examples of the prevalence of this issue in the news.

Another example is banking. When you log into your banking app, your data can travel across multiple networks. It gets processed by various systems and eventually lands on your screen.

Challenges

The challenges are ease of use and ease of implementation, deciding which data to encrypt and how, and determining what exactly is visible if the data is intercepted at any point in the flow: on an infected server, an infected device, or an infected client device. Then there is the question of how to store the actual data in the database.

Ease of implementation means simply putting all the relevant data in a specific database table. It can be encrypted or not, hashed or not. Software developers often choose the fast route for ease of implementation. I can say this because I am one of them.
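To make the "hashed or not" choice concrete, here is an added example (not code from the original post) that stores the same login credential both ways and checks what is readable in the raw table rows, which is what someone on a compromised database server would see. The table names, the sample password and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor; assumed value for this example
TABLES = ("users_fast", "users_hashed")  # hypothetical table names

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Fast route: the credential is stored exactly as typed.
    db.execute("CREATE TABLE users_fast (name TEXT PRIMARY KEY, password TEXT)")
    # Hardened: only a per-user random salt and the derived hash are stored.
    db.execute("CREATE TABLE users_hashed (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register(db, name, password):
    db.execute("INSERT INTO users_fast VALUES (?, ?)", (name, password))
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def verify(db, name, password) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE name = ?",
                     (name,)).fetchone()
    # Unknown users still cost one hash, so timing does not reveal who exists.
    salt, stored = row if row else (b"\x00" * 16, b"")
    return hmac.compare_digest(stored, hash_password(password, salt))

def exposed_in_dump(db, table, secret) -> bool:
    """True if `secret` is readable in the raw rows of `table`."""
    if table not in TABLES:  # table names cannot be bound as SQL parameters
        raise ValueError(table)
    needle = secret.encode()
    for row in db.execute(f"SELECT * FROM {table}"):
        for value in row:
            raw = value.encode() if isinstance(value, str) else bytes(value)
            if needle in raw:
                return True
    return False

if __name__ == "__main__":
    db = build_db()
    register(db, "alice", "constructed-Passw0rd!")  # constructed sample credential
    for t in TABLES:
        print(t, "leaks password:", exposed_in_dump(db, t, "constructed-Passw0rd!"))
    print("login ok:", verify(db, "alice", "constructed-Passw0rd!"))
```

Hashing only fits values that are checked and never read back, such as passwords; data the app must display again, like a balance, needs encryption instead.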

Consider your banking app. When you check your balance on the go, that data travels across multiple networks, gets processed by various systems, and eventually lands on your screen. Confidentiality means protecting that information at every step – during transit, storage, and processing.

How to Achieve Confidentiality?

The Real Challenge

Achieving confidentiality sounds straightforward on paper:

  • encryption: data at rest encryption, transport layer encryption, end-to-end encryption;
  • access controls: identity and access management, principle of least privilege;
  • proper authentication: federated control, biometric controls, multi-factor authentication.

This only scratches the surface, but encryption, access control and proper authentication are the main principles behind ensuring confidentiality. The complexity comes from implementing the various solutions, whether at scale or under time constraints.

The theory is sound, but in the real world encrypting everything can quickly become a performance issue. Encryption also does not prevent circumvention: attackers may intercept data before it is encrypted, or get hold of credentials through social engineering.

Confidentiality is often challenging for various reasons. These include complex implementation, inadequate security testing, and breaches that occur despite security measures being in place. Breaches can happen when individuals gain unauthorized access to credentials through methods such as phishing.

Common Confidentiality Compromises

To understand how confidentiality gets compromised, here is just a small list:

  • Capturing unencrypted data in transit
  • Physical observation of screens or keyboards, or using keyloggers
  • Manipulating people to reveal information, usually with phishing techniques
  • Unauthorized system access
  • Impersonating legitimate users
  • Trojans and spyware that steal data
  • Unencrypted sensitive information
  • Authorized users misusing their access

Solutions

  • Multiple layers of defense
  • Always encrypt sensitive data, both in transit and at rest
  • Segmented data approach
  • Zero trust architecture
  • Fail procedures
  • Backups

These are easier said than done, but some solutions are easier to implement than others: security monitoring, firewalls and backups are usually easier to implement because they live outside the project environment or very close to it.

As for core changes to the actual project, like implementing segmented data or zero trust, unfortunately the easiest way is to design the app this way from the start, or to accept that implementing them will come at a cost.

Photo by Roman Synkevych on Unsplash.
