Skip to main content

Balancing Risk in CIA Triad Availability

Copado DevSecOps - Blog Series

Originally published by New Context.

The CIA triad’s availability component breaks down to risk management. Organizations need to review their data and consider the risk they’re willing to accept in exchange for the convenience of making it available. When those two fall out of balance, breaches occur, or clients can’t access the information they need.

In tandem with confidentiality and integrity, the availability component of the CIA triad sets the baseline for keeping this balance, though it focuses heavily on uptime and system backups. Additional strategies like traffic light protocols and the principle of least privilege can be introduced to help manage access effectively. Finally, leveraging distributed systems allows organizations to allocate risk based on specific levels. These combined ideas ensure consistent security while fostering the free exchange of information.

Standard Methods of Managing CIA Triad Availability

At the most basic level, CIA triad availability focuses on adequately maintaining hardware to ensure consistent systems access. Both reliability and system uptime are vital factors in ensuring that access is available as required. Some common methods of availability maintenance include:

  1. Backups: Both internal and offsite backup files and programs ensure data is replaceable.
  2. Redundancy: Storing extra components allows for their quick replacement. Failover is often a component of this, in that redundant systems automatically kick on when primary components fail.
  3. Disaster recovery: This is a broader strategy that may include alternative facilities, generators, and other methods of offloading operations due to unavailability.
  4. Virtualization: As seen in the move to work from home strategies during the pandemic, virtualization can shift operations from a physical space to a virtual one.
  5. Monitoring: Proper monitoring allows organizations to respond to failures before they become widespread.

Many of the standard availability methods don’t fall into the information security department’s purview. Instead, they’re handled by facilities. However, one area of availability is strictly the responsibility of those in security, and that’s access. Authorization and authentication steps must be decisive but shouldn’t hinder operations.

Balancing this can be extremely challenging, especially in more traditional companies with a top-down hierarchy where access stems from seniority. A need-based data security strategy is far more flexible, though it could be more challenging to manage. There are a couple of standard philosophies in play to deliver this.

The Principle of Least Privilege and Traffic Light Protocols

The principle of least privilege (PoLP) is an InfoSec best practice. The user receives minimal access credentials to ensure they can do their jobs and nothing more. However, this can be a bit stringent and creates issues when systems, job titles, or project needs change. Without some additional measures, it can limit the availability of required data and create bottlenecks in the workflow.

Traffic light protocol (TLP) is another method that fosters information sharing by color-coding risk levels. It’s broken down into four colors:

  • White: The information carries no risk and can be distributed to all.
  • Green: The information is helpful to those in the industry but not sensitive. It’s sharable within an organization and partners to it.
  • Amber: The information is necessary to workers but could threaten the organization if disseminated outside.
  • Red: The information is entirely necessary for job functions but poses a substantial risk if shared with unauthorized individuals.

Combining TLP with PoLP helps balance access and security by categorizing data and establishing workers’ needs. Security experts can focus their attention on those high-risk categories while ensuring clear information sharing for low-risk data. Distributed systems can protect this information based on their specific requirements.


CIA Triad - Copado

Better Risk Balancing Through Distributed Systems

Distributed, immutable, and ephemeral (DIE) model security is an approach to managing the infrastructure that holds the program’s data. When considering availability, distributed is the component that requires the most focus. A distributed system leverages many different machines and options that all act as one cohesive unit.

It may utilize containers, virtual and physical servers, and computers, all working towards a common goal. They run concurrently to guarantee uptime, but they fail independently. That keeps one single damaged component from taking down an entire infrastructure.

It also provides an additional layer of protection against distributed denial of service (DDoS) attacks. These attacks use many different nodes when attacking a network and can prevent legitimate users from accessing systems. A distributed system stands up to these attacks because there’s no single target for bad actors to focus on. It essentially spreads the system defense.

Aside from these benefits, a distributed system also offers scalability and enhanced performance. It’s easy to add new nodes and functions without reconfiguring an entire network. Meanwhile, workloads are broken down to individual machines, ensuring better operation overall.

A distributed system supports CIA triad availability on multiple fronts. Users enjoy a more efficient security system while administrators avoid common attacks stemming from numerous networks. It’s a modern solution that supports the traditional needs of an enterprise.