Learning Objectives
- Explain the three pillars of the CIA Triad in detail
- Apply Defense in Depth strategies
- Implement the Principle of Least Privilege
- Understand Separation of Duties and its importance
1. The CIA Triad
🔑 Foundation of Information Security
The CIA Triad—Confidentiality, Integrity, and Availability—forms the cornerstone of all information security programs. Every security control, policy, and decision should support at least one of these principles.
Confidentiality
Confidentiality ensures that information is accessible only to authorized individuals, entities, or processes.
💡 Real-World Analogy
Think of a medical clinic. Patient records are confidential—only the treating doctor, authorized nurses, and the patient should access them. A receptionist shouldn't browse patient diagnoses, and a visiting technician shouldn't access any medical records.
Controls for Confidentiality:
- Encryption: Data is unreadable without the decryption key
- Access Controls: Role-based permissions (RBAC)
- Authentication: Verifying user identity, e.g. with multi-factor authentication (MFA)
- Data Classification: Labeling data by sensitivity level
- Physical Security: Locked server rooms, clean desk policy
⚖️ DPDPA 2023 Connection
Under the Digital Personal Data Protection Act 2023, Data Fiduciaries must implement "reasonable security safeguards" to prevent personal data breaches. Confidentiality controls directly support this legal requirement. Penalties for breaches can reach ₹250 crore.
Integrity
Integrity ensures that information remains accurate, consistent, and trustworthy throughout its lifecycle.
💡 Real-World Analogy
Consider a bank transaction. When you transfer ₹10,000, integrity ensures that exactly ₹10,000 leaves your account and exactly ₹10,000 arrives at the destination—not ₹9,999 or ₹10,001. No one should be able to modify this transaction during transit.
Controls for Integrity:
- Hashing: Cryptographic checksums that reveal any change to the data
- Digital Signatures: Verify both the origin and the integrity of data
- Version Control: Track all changes to data
- Input Validation: Reject malformed input to prevent injection attacks
- Audit Trails: Log all modifications
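The bank-transfer analogy and the hashing control above can be shown in working code. The following is an added example (not part of the original course material) that uses Python's standard library: a transfer record is protected first with a plain SHA-256 checksum and then with a keyed HMAC. The record, the field names and the shared key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: a transfer record as it might be stored or transmitted.
TRANSFER = {"from": "ACC-1001", "to": "ACC-2002", "amount_inr": 10000}

# Constructed key shared between sender and verifier; it never travels with the message.
SECRET_KEY = b"example-shared-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialise deterministically so the same record always produces the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Plain SHA-256 checksum. Detects accidental corruption, but anyone who can
    change the record can also recompute this value to match."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256. Only a holder of the key can produce a valid tag, so a record
    modified in transit cannot be re-tagged by someone without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, expected: str) -> bool:
    # compare_digest avoids timing differences that depend on where the strings differ
    return hmac.compare_digest(checksum(record), expected)


def verify_tag(record: dict, expected: str, key: bytes) -> bool:
    return hmac.compare_digest(tag(record, key), expected)


def demo() -> dict:
    """Walk through the scenario: the sender computes a checksum and a tag, then the
    amount is altered from 10,000 to 10,001 while the record is in transit."""
    sent_checksum = checksum(TRANSFER)
    sent_tag = tag(TRANSFER, SECRET_KEY)

    tampered = dict(TRANSFER, amount_inr=10001)
    # A tamperer can recompute an unkeyed checksum over the altered record...
    recomputed_checksum = checksum(tampered)
    # ...but can only attempt a tag with a key they guessed.
    forged_tag = tag(tampered, b"wrong-key")

    return {
        "original_checksum_ok": verify_checksum(TRANSFER, sent_checksum),
        "tampered_checksum_detected": not verify_checksum(tampered, sent_checksum),
        # False: a plain checksum cannot tell a recomputed value from the original
        "recomputed_checksum_detected": not verify_checksum(tampered, recomputed_checksum),
        "tampered_tag_detected": not verify_tag(tampered, sent_tag, SECRET_KEY),
        "forged_tag_detected": not verify_tag(tampered, forged_tag, SECRET_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is the difference between a checksum and a keyed integrity check: the plain hash catches a corrupted transfer but not a deliberately modified one that arrives with a freshly computed hash, while the HMAC catches both because the verifier's key is required to produce a matching tag. A digital signature gives the same property with a private key, and additionally lets anyone holding the public key verify it.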
Availability
Availability ensures that systems and data are accessible to authorized users when needed.
💡 Real-World Analogy
An ATM must be available 24/7. Even if the bank's main office is closed, customers expect to withdraw money. A DDoS attack or system failure that takes ATMs offline violates availability.
Controls for Availability:
- Redundancy: Multiple systems, failover capabilities
- Load Balancing: Distribute traffic across servers
- Backups: Regular backups with tested recovery procedures
- DDoS Protection: Filtering and mitigation services
- Disaster Recovery: Plans for major outages
| Principle | Threat Example | Impact |
|---|---|---|
| Confidentiality | Data breach exposing customer records | Privacy violation, legal penalties, reputation damage |
| Integrity | SQL injection modifying database records | Incorrect data, fraud, loss of trust |
| Availability | Ransomware encrypting critical systems | Business disruption, revenue loss |
2. Defense in Depth
🔑 Definition
Defense in Depth is a security strategy that employs multiple layers of controls throughout an IT system. If one layer fails, subsequent layers continue to provide protection.
💡 The Castle Analogy
Medieval castles used multiple defensive layers: a moat, outer walls, inner walls, towers, and finally the keep. Attackers who crossed the moat still faced walls; those who breached walls faced more defenses. Modern cybersecurity follows the same principle.
Security Layers
- Physical Security: Guards, badges, locked doors, CCTV
- Perimeter Security: Firewalls, IPS, DMZ
- Network Security: Segmentation, VLANs, monitoring
- Endpoint Security: Antivirus, EDR, host firewall
- Application Security: WAF, input validation, secure coding
- Data Security: Encryption, DLP, classification
- User Security: Training, MFA, access controls
⚠️ Common Mistake
Many organizations invest heavily in perimeter security (firewalls) while neglecting internal controls. Once an attacker breaches the perimeter—through phishing, for example—they find minimal resistance. Defense in Depth ensures protection at every layer.
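The layered model above, and the perimeter-only mistake, can be shown with a small request pipeline. This is an added example, not part of the original course material: each layer is a function that either lets the request through or returns a reason for blocking it, and a request is run once through the full stack and once through a perimeter-only stack. The request fields, network ranges and account-id format are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed request with a malformed account_id that the application layer must reject.
SAMPLE_REQUEST = {
    "src_ip": "10.20.30.40",
    "session_valid": True,
    "mfa_verified": True,
    "path": "/accounts/lookup",
    "account_id": "ACC-1001' OR '1'='1",
}

# Assumed internal ranges and the assumed format of a valid account id.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ACCOUNT_ID = re.compile(r"^ACC-\d{4}$")


def perimeter_layer(req: dict):
    """Firewall-style control: only internal source addresses are permitted."""
    if not any(ip_address(req["src_ip"]) in net for net in INTERNAL_NETS):
        return "source address not permitted"
    return None


def user_layer(req: dict):
    """User control: a valid session and completed MFA are both required."""
    if not req.get("session_valid"):
        return "no valid session"
    if not req.get("mfa_verified"):
        return "MFA not completed"
    return None


def application_layer(req: dict):
    """Application control: input must match the expected format exactly, so
    injection-style payloads never reach the data layer."""
    if not ACCOUNT_ID.match(req.get("account_id", "")):
        return "account_id failed validation"
    return None


LAYERS = [
    ("perimeter", perimeter_layer),
    ("user", user_layer),
    ("application", application_layer),
]


def evaluate(req: dict, layers=LAYERS) -> dict:
    """Run the request through each layer in order. The first layer that objects
    stops it; the result records which layers it passed and which one blocked it."""
    passed = []
    for name, check in layers:
        reason = check(req)
        if reason is not None:
            return {"allowed": False, "blocked_by": name, "reason": reason, "passed": passed}
        passed.append(name)
    return {"allowed": True, "blocked_by": None, "reason": None, "passed": passed}


def demo() -> dict:
    # Full stack: the request clears the perimeter and user layers and is caught by the application layer.
    full = evaluate(SAMPLE_REQUEST)
    # Perimeter-only deployment (the common mistake): the same request is allowed straight through.
    perimeter_only = evaluate(SAMPLE_REQUEST, layers=LAYERS[:1])
    return {"full": full, "perimeter_only": perimeter_only}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Because the source address is internal and the session is valid, the perimeter and user layers both pass this request; only the application layer's input validation stops it. Remove that layer and the malformed value reaches the data layer unchallenged, which is exactly the situation the Common Mistake callout describes.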
3. Principle of Least Privilege
🔑 Definition
Least Privilege means users, programs, and processes should have only the minimum access rights necessary to perform their functions—nothing more.
💡 Example
A customer service representative needs access to view customer accounts but doesn't need administrator access to modify system configurations or access financial records outside their department.
Implementation Guidelines
- Role-Based Access Control (RBAC): Define permissions by job function
- Just-In-Time Access: Grant elevated access only when needed
- Regular Access Reviews: Quarterly certification of user access
- Privilege Creep Prevention: Remove access that is no longer needed when a user changes roles
- Service Accounts: Limited, specific permissions for automated processes
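The guidelines above (RBAC, just-in-time access, access reviews and privilege-creep prevention) can be implemented together in a small policy class. This is an added example written for this page, not code from the course; the roles, permission names and user names are constructed, and the expiry of a just-in-time grant is checked against a caller-supplied clock so the behaviour is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed role -> permission table; names are assumptions for the example.
ROLE_PERMISSIONS = {
    "customer_service": {"account:view"},
    "finance": {"account:view", "ledger:view"},
    "sysadmin": {"account:view", "config:write"},
}


class AccessPolicy:
    def __init__(self, role_permissions: dict):
        self.role_permissions = role_permissions
        self.user_roles = {}   # user -> set of standing roles
        self.elevations = {}   # (user, permission) -> expiry time of a JIT grant
        self.audit = []        # (time, user, permission, decision)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def change_role(self, user: str, new_role: str) -> None:
        """A role change replaces the old role rather than adding to it;
        this is what prevents privilege creep."""
        self.user_roles[user] = set()
        self.assign_role(user, new_role)

    def grant_jit(self, user: str, permission: str, minutes: int, now: datetime) -> None:
        """Time-boxed elevation that expires on its own, with no revocation step to forget."""
        self.elevations[(user, permission)] = now + timedelta(minutes=minutes)

    def standing_permissions(self, user: str) -> set:
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return perms

    def is_allowed(self, user: str, permission: str, now: datetime) -> bool:
        allowed = permission in self.standing_permissions(user)
        if not allowed:
            expiry = self.elevations.get((user, permission))
            allowed = expiry is not None and now < expiry
        self.audit.append((now, user, permission, allowed))  # every decision is logged
        return allowed

    def access_review(self, now: datetime) -> dict:
        """What a periodic review certifies: each user's standing permissions
        and any elevations that are still live at review time."""
        return {
            user: {
                "standing": sorted(self.standing_permissions(user)),
                "live_elevations": sorted(
                    p for (u, p), exp in self.elevations.items() if u == user and now < exp
                ),
            }
            for user in self.user_roles
        }


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time
    policy = AccessPolicy(ROLE_PERMISSIONS)
    policy.assign_role("priya", "customer_service")
    results = {}
    results["view_ok"] = policy.is_allowed("priya", "account:view", t0)
    results["config_denied"] = policy.is_allowed("priya", "config:write", t0)
    # Just-in-time elevation for a 30-minute maintenance window
    policy.grant_jit("priya", "config:write", 30, t0)
    results["config_during_window"] = policy.is_allowed("priya", "config:write", t0 + timedelta(minutes=10))
    results["config_after_window"] = policy.is_allowed("priya", "config:write", t0 + timedelta(minutes=31))
    # Moving to finance must drop customer_service rather than accumulate both
    policy.change_role("priya", "finance")
    results["after_change"] = sorted(policy.standing_permissions("priya"))
    results["review"] = policy.access_review(t0 + timedelta(minutes=31))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that elevated access is never written into the user's standing roles: it lives in a separate table with an expiry, so the access review shows only what is still live and there is no permanent grant left behind after the maintenance window closes.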
⚖️ Legal Relevance
Under IT Act 2000 Section 43, unauthorized access—even by employees accessing data beyond their authorization—can result in compensation claims. Implementing least privilege demonstrates due diligence and limits liability.
4. Separation of Duties
🔑 Definition
Separation of Duties (SoD) divides critical tasks among multiple people to prevent fraud, errors, and abuse. No single person should have complete control over any critical process.
💡 Classic Example
In financial transactions: one person creates a payment request, a different person approves it, and a third person processes the payment. If one person could do all three, they could create fraudulent payments and cover their tracks.
IT Security Applications
| Process | Without SoD (Risky) | With SoD (Secure) |
|---|---|---|
| Code Deployment | Developer writes and deploys code | Developer writes; QA tests; Ops deploys |
| User Account Creation | Admin creates accounts and grants access | Manager requests; Admin creates; Security reviews |
| Security Monitoring | Same team monitors and investigates | SOC monitors; IR team investigates |
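The three-person payment workflow from the Classic Example, and the request/approve/process pattern in the table, come down to one rule: the person acting at each stage must be different from everyone who acted at an earlier stage. The following is an added example written for this page (not code from the course) that enforces that rule in a small workflow; the payee, amount and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to perform two stages of a critical process."""


@dataclass
class PaymentRequest:
    payee: str
    amount_inr: int
    created_by: str
    approved_by: Optional[str] = None
    processed_by: Optional[str] = None
    history: List[str] = field(default_factory=list)  # audit trail of who did what


def create_payment(payee: str, amount_inr: int, actor: str) -> PaymentRequest:
    req = PaymentRequest(payee=payee, amount_inr=amount_inr, created_by=actor)
    req.history.append(f"created by {actor}")
    return req


def approve_payment(req: PaymentRequest, actor: str) -> PaymentRequest:
    if req.approved_by is not None:
        raise ValueError("request is already approved")
    if actor == req.created_by:
        raise SeparationOfDutiesError(f"{actor} created this request and cannot also approve it")
    req.approved_by = actor
    req.history.append(f"approved by {actor}")
    return req


def process_payment(req: PaymentRequest, actor: str) -> PaymentRequest:
    if req.approved_by is None:
        raise ValueError("cannot process an unapproved request")
    if actor in (req.created_by, req.approved_by):
        raise SeparationOfDutiesError(f"{actor} already acted on this request and cannot process it")
    req.processed_by = actor
    req.history.append(f"processed by {actor}")
    return req


def run_workflow(creator: str, approver: str, processor: str):
    """Drive one constructed request through all three stages.
    Returns (completed, stage_that_rejected_it_or_None)."""
    req = create_payment("Vendor Ltd", 10000, creator)
    try:
        approve_payment(req, approver)
    except SeparationOfDutiesError:
        return False, "approve"
    try:
        process_payment(req, processor)
    except SeparationOfDutiesError:
        return False, "process"
    return True, None


if __name__ == "__main__":
    print(run_workflow("asha", "bala", "chitra"))   # three different people: completes
    print(run_workflow("asha", "asha", "chitra"))   # creator approving own request: rejected
    print(run_workflow("asha", "bala", "bala"))     # approver also processing: rejected
```

The check at the processing stage compares the actor against both earlier participants, not just the immediately preceding one; otherwise the creator could still close the loop by processing a request that a colleague approved. The same three-stage shape maps onto the table's other rows, for example developer, QA and operations for a deployment.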
Summary
- CIA Triad: Confidentiality, Integrity, and Availability form the foundation of security
- Defense in Depth: Multiple layers ensure no single point of failure
- Least Privilege: Minimum necessary access reduces attack surface
- Separation of Duties: Divided responsibilities prevent abuse