
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Links:
Transcript
Jesse: Welcome to Meanwhile in Security, where I, your host Jesse Trucks, guide you to better security in the cloud.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: This is the third of a trilogy of threes that covers the core foundations of good security practices and good security programs. In the first issue of Meanwhile in Security, I explained how security is a mindset, not a tool, and the importance of understanding the why, or the purpose, for building a security program. This drives everything you do in your organization for securing your critical assets. The why is the core reason for having a security program.
Next, I laid the foundation for the how or the principles that guide the work of your security program by exploring the people, process, and technology paradigm upon which all successful security programs are based. Using PPT, you will build a longer-lasting, more dynamic, and highly successful security program.
Following Simon Sinek’s Golden Circle model, the outer ring is the what, or the services offered by an organization, group, or individual. In implementing and maintaining a security program, the how focuses on the confidentiality, integrity, and availability of all data and services offered within the scope of your security program. This is often called the holy trinity of security, or the CIA Triad. All actions performed and tools implemented in support of the security program stem from one of these fundamental precepts of security. Let’s dig into the parts of the Triad.
Confidentiality. The first part of the Triad is confidentiality, which is about controlling access to data and services. In their article titled “EI-ISAC Cybersecurity Spotlight–CIA Triad,” the Center for Internet Security, or CIS, defines confidentiality as, quote, “Data should not be accessed or read without authorization. It ensures that only authorized parties have access.” End quote.
I expand on this definition to include services, not just data. Every organization and person has data to protect. The traditional approach to confidentiality assumes that any service that touches the data falls within the scope of confidentiality, as a means to protect against disclosure of the data those services access. This can lead to a focus on robust and complete data access controls without similar attention paid to services that don’t directly touch data with those controls in place. However, I consider access to and use of services within the scope of confidentiality, because protecting use of resources is often as important as, or in some cases more important than, the data access.
This is often the case with cloud-native applications using microservices. Many modern services can take action without accessing specific data sources, especially when the data source is defined as part of the microservice invocation. For example, consider an attacker who has pilfered a file or files from your services or systems, or from some other source, and wants to perform analysis or some type of processing of the file or files. If you run services useful to the attacker in this scenario, the attacker may not touch your data, but they may attempt to use your services without authorization. To apply confidentiality to your security program, determine and document what data and services are sensitive and require access protection. To do this, you may need to track down data and service owners. This process is closely related to the why of your security program, which ultimately exists to protect your data or services.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the Cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Integrity. The second part of the Holy Trinity is integrity, which refers to keeping data intact and services functioning as expected. Anyone accessing data or a service should only have the ability to alter or remove any data, or to alter or repurpose a service, when they are authorized for such actions. In Debbie Walkowski’s post for the F5 Labs site on July 9, 2019, “What is the CIA Triad?” she writes that integrity is about ensuring data, quote, “is correct, authentic and reliable.” End quote.
Any unauthorized changes to or removal of data or services violate integrity, and are generally classified as alteration or modification attacks. Changes to some of your data can immediately call into question other data protected by the same security program and security monitoring or control tools. A type of integrity attack on software is a supply chain attack. This is an attack on any part of the process of creating, testing, and distributing software. This attack could be an...