Triads and Trust

Confidentiality, Integrity, and Accountability

Triads and Trust
A woman stares into the void, unsure of where she is or where she is going. All she knows for sure is that this is last damn time Becky picks the vacation spot. Photo by Scott Kirwan / Unsplash

Confidentiality, Integrity, and Accountability


The Triad.

The Terrible Three.

Three Blind Mice.

Tres Hombres Malolientes.

This is how I assume people reference the CIA triad in casual conversations. I'm not really sure; we typically stick to a complicated system of guttural sounds and punches in the Marine Corps. The CIA triad is the "fundamental guiding principle of cybersecurity." Security professionals work diligently to address each facet within their organizations. So, whether that’s proprietary data, customer PII, or my Amazon wishlist, these principles should guide how we implement security controls, address risk, and support business strategies. Here’s a quick rundown of each leg of the trio using my Amazon wishlist as an example:

  • C = Confidentiality
    • Do you know what’s on my wishlist? Probably not, and that’s okay. The contents of my wishlist are known only to me and a select few individuals. Preferably those willing to shell out cash for silly stuff. If it were public knowledge, I could face judgment from the masses for my intense interest in U.S. coins circa 1899-1905. Why old coins? I have my reasons, and you don't need to know them.
  • I = Integrity
    • Has anyone else changed my wishlist? Imagine the sheer disappointment if, on Christmas morning, I opened my presents and discovered my wife bought me Pokémon Blue instead of Pokémon Red. That’s grounds for divorce. So, to prevent the untimely end of my marriage, I have to ensure that items on my wishlist have not been tampered with, removed, or added without my express authorization.
Randy Smith, a modern paramore of 'tegrity.
  • A = Accessibility
    • What if I suddenly get the desire to own a Kitchenaid Stand Mixer while I'm watching Bobby Flay work his magic? I need to update my wishlist quickly. Time is of the essence; if it takes me longer than a few seconds to enter a username and password, type an SMS code, answer a question about my childhood friend's favorite relative, and then provide two animal noises known only to me, I'm probably going to forget why I wanted to see my wishlist in the first place. Something about Bobby Flay? Maybe hair gel? See? I already forgot.

We must balance our approach to ensure the confidentially, integrity, and accessibility of data without overburdening the user or the organization. Do you want the most secure option for storing data? Place your data on an external SSD in a watertight safe, and then place said safe at the bottom of the Marianas Trench. You now have maximum confidentiality and integrity; however, good luck accessing it ever again. Inversely, we could forego implementing specific security protocols for easier access, such as disabling multi-factor authentication or using simple password policies; however, that makes accessing the data almost as easy for an adversary as for authorized users. Finding that balance is no easy task; each organization is different, and sometimes external constraints, such as legal requirements, will also play a substantial role. Appeasing each of the Tres Hombres Malolientes requires understanding the organization's operations, strategic goals, critical assets, and risk tolerance.

Please do not kill half of your employees for the sake of a 'balanced' cybersecurity posture.