CommunityDevOps ExchangePartners
Articles
7/22/2021
10 minutes

Reimagining the CIA Triad Confidentiality Standards for Greater Security

Written by
Copado Team
Table of contents

Today, speed to market is a vital factor for organizations. Many have chosen to adopt DevOps principles because the process accelerates product development. However, this acceleration is a culture shift. When it’s not treated as such, there is a risk that rapid, unregulated change will result in inadvertently shipping bugs of all kinds, including security vulnerabilities. The only solution is equally rapid, robust security planning routed in both traditional methods and intelligent updates.

A return to the principles from the CIA Triad—confidentiality, integrity, and access—is necessary. This model treats security as a holistic part of the process. Confidentiality is built in from the very beginning. Some modernization through the distributed, immutable, and ephemeral (DIE) model improves this process even more. When focusing on the CIA triad’s confidentiality component, an approach routed in DevSecOps principles that incorporates end-to-end security through proven methods is best.

 

CIA Triad Confidentiality Standards - Copado

Reviewing the CIA Triad’s Confidentiality Standards

The CIA Triad is an established model that focuses on “pets” in a system. These pets are supported by a carefully managed infrastructure. They’re given unique names, and treated when damaged. They’re the opposite of cattle—the systems that don’t require special treatment and are disposed of when damaged or unnecessary.

The CIA Triad’s confidential portion centers on protecting sensitive resources from unauthorized views. It’s comprised of two subclasses: authentication and authorization:

AUTHENTICATION

AUTHORIZATION

The program verifies the user’s identity through some method, typically a password or security token. The system ensures the user is authorized to access the specific type of information. Ideally, authorization is based on the principle of least privilege.

 

Under this segment, methods used run the gamut from old school passwords to complex biometric identification programs. The more sensitive the information, the higher the authentication and authorization level.

Here, an enterprise ensures their state’s security by focusing on uptime and backups. However, in a CIA-only approach, the maintenance cost of the systems managing that state is so high that they require constant vigilance. The DIE approach significantly lowers that maintenance burden by loosening the coupling between said systems and their state so that the systems are easily replaced at will.. Traditional methods of protecting state under the CIA model include:

  • Encryption: Converting data to code both as it travels (encryption in transit) or as it sits in storage (encryption at rest) provides a layer of protection even if bad actors make it past access control and other protocols. Even if they capture the data, they can’t use it.
  • Identity access management (IAM): IAM isn’t a single tool. It’s a suite of them that manage both who can access the system and why they can. It incorporates password applications, monitoring programs, provisioning software, and reporting protocol systems, among others.
  • Multifactor authentication (MFA): MFA takes password management a step further by increasing authentication steps. Users may provide an initial password and then be prompted to also verify something by possession (aka something they have, like an email), inherence (something they are, like a fingerprint), or knowledge (like the answer to a security question only they could know).

The CIA model is still relevant for security, but modern needs have changed it a bit. In many instances, organizations deal with different programs and platforms, making authentication and authorization a more significant challenge. However, the distributed, immutable, and ephemeral model can help close these gaps.

Expanding on the CIA’s Model with DIE

The DIE model won’t replace the CIA triad. Instead, it’s a layer that works on top of it. While the CIA triad addresses the pets in a system, the DIE model handles the cattle. Specifically, it centers on the infrastructure and applications. The two do the same thing—loosen the coupling between the systems processing data, and the data itself.

The infrastructure of a program is possibly the most disposable because using the right processes, it can be recreated using a repeatable script or code, aka infrastructure as code. In the event of a breach, administrators can dump the code and rebuild everything from scratch. This may seem like it doesn’t fit with the CIA’s confidentiality component because, after all, the very things that must be confidential are pets. They are not disposable. However, the “ephemeral” part of DIE is a central component of ensuring confidentiality.

It’s best explained by the mapping completed by cybersecurity expert Sounil Yu, who connects the ephemeral of infrastructure to data confidentiality. In his strategy, he advises firms to “drive the value of assets closer to zero.”

In practical application, that means when an enterprise starts or uses any system, it will have internal state, whether it be databases, hardcoded data, or something else. That state must be offloaded to ensure the infrastructure that holds that data remains ephemeral. Administrators must remove the data and send it to a safer place, whether it be another database, secrets management, or all-inclusive programs like Vault by HashiCorp. Regardless of storage, it’s necessary to pull the state out of a system and send it to a safer place. It may feed the applications or programs, but it’s never a static part of them.

When it’s really broken down, InfoSec is risk management. When speed to market comes at the expense of confidentiality, enterprises stand to lose a lot more than they gain. Administrators must select a method of storage that requires deep authorization and authentication while keeping it separate from infrastructures that should be ephemeral.

Partnering with a Security Consultant to Tighten Your Confidentiality Standards

The key to controlling the CIA Triad’s confidentiality aspect is to maintain flexibility in a secure environment. Laying the DIE model on top of the CIA’s framework allows enterprises to separate their pets from cattle and focus their attention on invaluable systems. Such a strategy establishes a fundamental security level capable of supporting any DevSecOps program.

 

 

Book a demo

About The Author

#1 DevOps Platform for Salesforce

We Build Unstoppable Teams By Equipping DevOps Professionals With The Platform, Tools And Training They Need To Make Release Days Obsolete. Work Smarter, Not Longer.

Building a Scalable Governance Framework for Sustainable Value
Copado Launches Copado Explorer to Simplify and Streamline Testing on Salesforce
Exploring Top Cloud Automation Testing Tools
Master Salesforce DevOps with Copado Robotic Testing
Exploratory Testing vs. Automated Testing: Finding the Right Balance
A Guide to Salesforce Source Control
A Guide to DevOps Branching Strategies
Family Time vs. Mobile App Release Days: Can Test Automation Help Us Have Both?
How to Resolve Salesforce Merge Conflicts: A Guide
Copado Expands Beta Access to CopadoGPT for All Customers, Revolutionizing SaaS DevOps with AI
Is Mobile Test Automation Unnecessarily Hard? A Guide to Simplify Mobile Test Automation
From Silos to Streamlined Development: Tarun’s Tale of DevOps Success
Simplified Scaling: 10 Ways to Grow Your Salesforce Development Practice
What is Salesforce Incident Management?
What Is Automated Salesforce Testing? Choosing the Right Automation Tool for Salesforce
Copado Appoints Seasoned Sales Executive Bob Grewal to Chief Revenue Officer
Business Benefits of DevOps: A Guide
Copado Brings Generative AI to Its DevOps Platform to Improve Software Development for Enterprise SaaS
Celebrating 10 Years of Copado: A Decade of DevOps Evolution and Growth
Copado Celebrates 10 Years of DevOps for Enterprise SaaS Solutions
5 Reasons Why Copado = Less Divorces for Developers
What is DevOps? Build a Successful DevOps Ecosystem with Copado’s Best Practices
Scaling App Development While Meeting Security Standards
5 Data Deploy Features You Don’t Want to Miss
Top 5 Reasons I Choose Copado for Salesforce Development
How to Elevate Customer Experiences with Automated Testing
Getting Started With Value Stream Maps
Copado and nCino Partner to Provide Proven DevOps Tools for Financial Institutions
Unlocking Success with Copado: Mission-Critical Tools for Developers
How Automated Testing Enables DevOps Efficiency
How to Keep Salesforce Sandboxes in Sync
How to Switch from Manual to Automated Testing with Robotic Testing
Best Practices to Prevent Merge Conflicts with Copado 1 Platform
Software Bugs: The Three Causes of Programming Errors
How Does Copado Solve Release Readiness Roadblocks?
Why I Choose Copado Robotic Testing for my Test Automation
How to schedule a Function and Job Template in DevOps: A Step-by-Step Guide
Delivering Quality nCino Experiences with Automated Deployments and Testing
Best Practices Matter for Accelerated Salesforce Release Management
Maximize Your Code Quality, Security and performance with Copado Salesforce Code Analyzer
Upgrade Your Test Automation Game: The Benefits of Switching from Selenium to a More Advanced Platform
Three Takeaways From Copa Community Day
Cloud Native Applications: 5 Characteristics to Look for in the Right Tools
Using Salesforce nCino Architecture for Best Testing Results
How To Develop A Salesforce Testing Strategy For Your Enterprise
What Is Multi Cloud: Key Use Cases and Benefits for Enterprise Settings
5 Steps to Building a Salesforce Center of Excellence for Government Agencies
Salesforce UI testing: Benefits to Staying on Top of Updates
Benefits of UI Test Automation and Why You Should Care
Types of Salesforce Testing and When To Use Them
Copado + DataColada: Enabling CI/CD for Developers Across APAC
What is Salesforce API Testing and It Why Should Be Automated
Machine Learning Models: Adapting Data Patterns With Copado For AI Test Automation
Automated Testing Benefits: The Case For As Little Manual Testing As Possible
Beyond Selenium: Low Code Testing To Maximize Speed and Quality
UI Testing Best Practices: From Implementation to Automation
How Agile Test Automation Helps You Develop Better and Faster
Salesforce Test Cases: Knowing When to Test
DevOps Quality Assurance: Major Pitfalls and Challenges
11 Characteristics of Advanced Persistent Threats (APTs) That Set Them Apart
7 Key Compliance Regulations Relating to Data Storage
7 Ways Digital Transformation Consulting Revolutionizes Your Business
6 Top Cloud Security Trends
API Management Best Practices
Applying a Zero Trust Infrastructure in Kubernetes
Building a Data Pipeline Architecture Based on Best Practices Brings the Biggest Rewards
CI/CD Methodology vs. CI/CD Mentality: How to Meet Your Workflow Goals
DevOps to DevSecOps: How to Build Security into the Development Lifecycle
DevSecOps vs Agile: It’s Not Either/Or
How to Create a Digital Transformation Roadmap to Success
Infrastructure As Code: Overcome the Barriers to Effective Network Automation
Leveraging Compliance Automation Tools to Mitigate Risk
Moving Forward with These CI/CD Best Practices
Top 3 Data Compliance Challenges of Tomorrow and the Solutions You Need Today
Top 6 Cloud Security Management Policies and Procedures to Protect Your Business
What are the Benefits of Principle of Least Privilege (POLP) for My Organization?
You Can’t Measure What You Can’t See: Getting to know the 4 Metrics of Software Delivery Performance
How the Public Sector Can Continue to Accelerate Modernization
Building an Automated Test Framework to Streamline Deployments
How To Implement a Compliance Testing Methodology To Exceed Your Objectives
Cloud Security: Advantages and Disadvantages to Accessibility
Copado Collaborates with IBM to Accelerate Digital Transformation Projects on the Salesforce Platform
Continuous Quality: The missing link to DevOps maturity