CommunityDevOps ExchangePartners
Articles
6/28/2021
10 minutes

CIA Triad: Security Priority Principles

Written by
Copado Team
Table of contents

Originally published by New Context.

The CIA triad of security principles is an oft-cited example of safe information infrastructure. It establishes the most important aspects of protecting sensitive data while maintaining productivity. At the same time, it’s broad enough to allow organizations to develop their own interpretation. However, that is a double-edged sword. While companies need flexibility in their programs, the CIA triad’s abstract nature might be a little bit too malleable.

On top of that, it’s outdated for most modern purposes. After all, its development started in the 1980s, well before the wide use of the internet, decentralized data storage, and sophisticated cybersecurity attacks. While the CIA triad of security establishes some reasonably good ideals, it’s not enough to guide an organization. For that, many experts turn to a new model: distributed, immutable, and ephemeral, otherwise known as DIE.

CIA triad of security - Copado

The Traditional CIA Triad of Security

The CIA created an abstract model of security in the late 1980s that was so broad it could apply to any type of information. The triad establishes a standard for infosec, but it doesn’t provide a roadmap to get there. Specifically, it breaks down as follows:

Confidentiality

This component centers on protecting information from unauthorized viewing, whether those observations come from individuals, organizations, or machines. Access control is the key to confidentiality, whether through sophisticated computer programs or old-fashioned locks and keys.

Integrity

Data should not undergo any unauthorized changes throughout its lifecycle. Modifications require monitoring to ensure proper treatment and preservation of information. Access control also preserves integrity, but there is a component of logging involved.

Availability

The whole reason for having information is to run an organization. It’s a necessity. As such, security cannot be so stringent that it prevents needed retrieval and management. Availability also covers the logistics of managing information, like securing proper power to maintain electronic data storage, ensuring backups in the event of system failure, and providing adequate space to store all needed items.

While these are good data security fundamentals to have, relying entirely on the CIA triad is problematic for a couple of reasons. First, it provides no real actionable information. It just tells security professionals how their program should work. It doesn’t offer details on how to make it more secure. Second, it’s contradictory, especially when it comes to availability and confidentiality. Keeping something confidential means it’s not available. Meanwhile, when something is available, it’s not confidential. For these reasons, many agree a change to the CIA triad of security is necessary.

Data Breach Report - Copado

The DIE Model of InfoSec: Distributed, Immutable and Ephemeral

Most experts agree it’s time to upgrade to a new model of security. The DIE model is best for today’s needs because it provides objective solutions. Specifically, it centers on distributed systems, immutable change logging, and ephemeral strategies.

Distributed

A single target is far easier to attack than multiple ones. In the modern age of DDoS attacks, where bad actors take advantage of brute force and thousands of bots to disrupt a single entry point, companies must avoid putting all their (security) eggs in one basket.

A distributed system limits the impact of any attack by confining it to a single space. It also has built-in redundancies, so if one system is compromised, it’s recoverable. There’s never a single point of weakness to exploit.

Immutable

The first hint that there’s a problem in security is an anomaly. The program doesn’t behave as it should. So, the first thing bad actors do is eliminate evidence of the abnormality. This strategy works. As of 2019, the average time it took organizations to discover a breach was 209 days. A lot of damage can occur in that timeframe.

Immutable logs make it impossible to cover up the anomalies. A change in a transparent system is quickly discovered, traced, and contained. This strategy is also good when security holes occur without malice, as the action that created this risk is traceable to a single action.

Remedial measures are possible before exploitation.

Ephemeral

Administrators must break data and systems down to “pets and cattle.” Pets are long-term necessities and cattle are dispensable. The more cattle, the better. A flexible network infrastructure made of cattle is also immutable. This means an ephemeral computing/logic layer on top of a persistent, secure data layer. It’s safe to change and retire legacy programs because they’re no longer necessary.

As legacy programs are among the most vulnerable to attack—because bad actors have had time to learn their weaknesses—it’s best to eliminate them. An ephemeral infrastructure meets new challenges without the need to maintain old processes to protect indispensable assets.

The CIA triad of security is not a bad philosophy to have. It just needs a supplementary approach. If a program is distributable, immutable, and ephemeral, it has confidentiality, integrity, and availability. The CIA triad is the goal. The DIE model is the path to get there.

 

 

 

Book a demo

About The Author

#1 DevOps Platform for Salesforce

We Build Unstoppable Teams By Equipping DevOps Professionals With The Platform, Tools And Training They Need To Make Release Days Obsolete. Work Smarter, Not Longer.

Copado and Wipro Team Up to Transform Salesforce DevOps
DevOps Needs for Operations in China: Salesforce on Alibaba Cloud
What is Salesforce Deployment Automation? How to Use Salesforce Automation Tools
Maximizing Copado's Cooperation with Essential Salesforce Instruments
Future Trends in Salesforce DevOps: What Architects Need to Know
From Chaos to Clarity: Managing Salesforce Environment Merges and Consolidations
Enhancing Customer Service with CopadoGPT Technology
What is Efficient Low Code Deployment?
Copado Launches Test Copilot to Deliver AI-powered Rapid Test Creation
Cloud-Native Testing Automation: A Comprehensive Guide
A Guide to Effective Change Management in Salesforce for DevOps Teams
Building a Scalable Governance Framework for Sustainable Value
Copado Launches Copado Explorer to Simplify and Streamline Testing on Salesforce
Exploring Top Cloud Automation Testing Tools
Master Salesforce DevOps with Copado Robotic Testing
Exploratory Testing vs. Automated Testing: Finding the Right Balance
A Guide to Salesforce Source Control
A Guide to DevOps Branching Strategies
Family Time vs. Mobile App Release Days: Can Test Automation Help Us Have Both?
How to Resolve Salesforce Merge Conflicts: A Guide
Copado Expands Beta Access to CopadoGPT for All Customers, Revolutionizing SaaS DevOps with AI
Is Mobile Test Automation Unnecessarily Hard? A Guide to Simplify Mobile Test Automation
From Silos to Streamlined Development: Tarun’s Tale of DevOps Success
Simplified Scaling: 10 Ways to Grow Your Salesforce Development Practice
What is Salesforce Incident Management?
What Is Automated Salesforce Testing? Choosing the Right Automation Tool for Salesforce
Copado Appoints Seasoned Sales Executive Bob Grewal to Chief Revenue Officer
Business Benefits of DevOps: A Guide
Copado Brings Generative AI to Its DevOps Platform to Improve Software Development for Enterprise SaaS
Celebrating 10 Years of Copado: A Decade of DevOps Evolution and Growth
Copado Celebrates 10 Years of DevOps for Enterprise SaaS Solutions
5 Reasons Why Copado = Less Divorces for Developers
What is DevOps? Build a Successful DevOps Ecosystem with Copado’s Best Practices
Scaling App Development While Meeting Security Standards
5 Data Deploy Features You Don’t Want to Miss
Top 5 Reasons I Choose Copado for Salesforce Development
How to Elevate Customer Experiences with Automated Testing
Getting Started With Value Stream Maps
Copado and nCino Partner to Provide Proven DevOps Tools for Financial Institutions
Unlocking Success with Copado: Mission-Critical Tools for Developers
How Automated Testing Enables DevOps Efficiency
How to Keep Salesforce Sandboxes in Sync
How to Switch from Manual to Automated Testing with Robotic Testing
Best Practices to Prevent Merge Conflicts with Copado 1 Platform
Software Bugs: The Three Causes of Programming Errors
How Does Copado Solve Release Readiness Roadblocks?
Why I Choose Copado Robotic Testing for my Test Automation
How to schedule a Function and Job Template in DevOps: A Step-by-Step Guide
Delivering Quality nCino Experiences with Automated Deployments and Testing
Best Practices Matter for Accelerated Salesforce Release Management
Maximize Your Code Quality, Security and performance with Copado Salesforce Code Analyzer
Upgrade Your Test Automation Game: The Benefits of Switching from Selenium to a More Advanced Platform
Three Takeaways From Copa Community Day
Cloud Native Applications: 5 Characteristics to Look for in the Right Tools
Using Salesforce nCino Architecture for Best Testing Results
How To Develop A Salesforce Testing Strategy For Your Enterprise
What Is Multi Cloud: Key Use Cases and Benefits for Enterprise Settings
5 Steps to Building a Salesforce Center of Excellence for Government Agencies
Salesforce UI testing: Benefits to Staying on Top of Updates
Benefits of UI Test Automation and Why You Should Care
Types of Salesforce Testing and When To Use Them
Copado + DataColada: Enabling CI/CD for Developers Across APAC
What is Salesforce API Testing and It Why Should Be Automated
Machine Learning Models: Adapting Data Patterns With Copado For AI Test Automation
Automated Testing Benefits: The Case For As Little Manual Testing As Possible
Beyond Selenium: Low Code Testing To Maximize Speed and Quality
UI Testing Best Practices: From Implementation to Automation
How Agile Test Automation Helps You Develop Better and Faster
Salesforce Test Cases: Knowing When to Test
DevOps Quality Assurance: Major Pitfalls and Challenges
11 Characteristics of Advanced Persistent Threats (APTs) That Set Them Apart
7 Key Compliance Regulations Relating to Data Storage
7 Ways Digital Transformation Consulting Revolutionizes Your Business
6 Top Cloud Security Trends
API Management Best Practices
Applying a Zero Trust Infrastructure in Kubernetes
Building a Data Pipeline Architecture Based on Best Practices Brings the Biggest Rewards
CI/CD Methodology vs. CI/CD Mentality: How to Meet Your Workflow Goals
DevOps to DevSecOps: How to Build Security into the Development Lifecycle
DevSecOps vs Agile: It’s Not Either/Or
How to Create a Digital Transformation Roadmap to Success
Infrastructure As Code: Overcome the Barriers to Effective Network Automation
Leveraging Compliance Automation Tools to Mitigate Risk
Moving Forward with These CI/CD Best Practices
Top 3 Data Compliance Challenges of Tomorrow and the Solutions You Need Today