Originally published by New Context.
The CIA triad’s “integrity” portion was often overlooked in the past. Confidentiality and access gained more attention because data integrity followed, with both equally balanced. However, as new threats emerged with bad actors targeting data not to steal it but to change it, a balance disruption occurred.
Integrity in data security is about ensuring the data does not undergo any unauthorized changes. Ransomware is an excellent example of this integrity threat. Bad actors don’t target the data to take it. All they need to do is encrypt it and demand exorbitant ransom payments to unlock it. Another example comes from the inside of an organization, where someone with access to a human resources program might change their salary or increase their vacation days to enrich themselves at the expense of their company. Organizations that don’t have detection and response methods could easily find themselves on the receiving end of one of these integrity-based attacks.
The CIA triad is a model that is excellent for highlighting the the pets in the pets vs. cattle philosophy. Pets are those items that can’t be retired or terminated if damaged. They require careful control and handling. For example, under the “confidentiality” portion of the CIA triad, an organization would minimize data access and encrypt it to prevent breaches. Data would never be part of the infrastructure itself but instead, be fed into it as needed. This strategy allows organizations to maintain an ephemeral infrastructure treated like cattle while protecting valuable pets.
When it comes to data integrity, not much changes. Data is still a pet, which is why in 2019, 57% of organizations opted to pay ransoms for its release. When it comes to maintaining data integrity using the CIA’s traditional model, organizations have to ask three key questions:
These are the primary components of CIA triad integrity. However, the philosophy only covers what data should be. It doesn’t delve into how to get there. For that, organizations should consider layering in the DIE model on top of their CIA triad-based plan.
The distributed, immutable, and ephemeral model (DIE) applies to the infrastructure that holds your data. The DIE model essentially treats the infrastructure as cattle; the CIA model treats the data as a pet. In the CIA triad’s confidentiality portion, the DIE model added a security layer by encouraging organizations to remove data from their infrastructure. In the event of a breach, the infrastructure is terminated, and the data reuploaded from a separate, secure location.
InfoSec expert Sounil Yu explains this through mapping the components. By connecting each element of the CIA triad to its DIE model counterpart, he creates a comprehensive method of protecting both the data and the organization’s infrastructure. When mapping CIA triad integrity, he recommends an immutable approach because decoupling infrastructure and applications from the data (state) they process makes it easier to secure and rebuild said infrastructure and applications, then restore data from backups. This strategy reduces downtime and increases resiliency.
Immutability in data integrity works on two fronts:
When it comes to data security management, some programs will allow administrators to configure it as immutable for a set retention period, whether that be days, months, or years. Of course, this presents some challenges, as a situation may occur where the data must change—but then the administrator has no option for an update without a lot of legwork. Instead, an alternative is to make systems immutable and configure them to log to a centralized location using options like Splunk, Elastic, Gradar or other SIEM softwares. These programs aggregate observability, as opposed to requiring the management of many servers, each with their own logs.
In addition, logging systems should be configured with the appropriate retention period, backups, and redundancies as they are valuable data used by incident response teams during forensic investigations. Those logs should be as authoritative as possible, with access restricted and monitored to prevent unauthorized use and modification.
Data access in transit and at rest requires observation. However, bad actors may attempt to change or erase logs to eliminate their footprints in a system. Immutable logs get around this by creating a clear record of changes that occur. They track both internal and external use so that administrators can find intentional acts and mistakes made by workers. They can also revert these changes quickly to minimize the damage they cause.
Redundancy is necessary here. Monitoring programs need to run on independent systems of those under observation. The immutable logs are held in a safe space and cannot be compromised by bad actors. Ideally, with highly unusual behavior, administrators receive an alert that allows them to take immediate remedial action.
One thing gaining prevalence in network/infrastructure anomaly detection is artificial intelligence powered by machine learning. The program learns the baseline of a system to establish its normal operation. Then, activity is compared to that baseline, with alerts triggering in the event of abnormal behavior. Programs may be built into platforms to allow more seamless, integrated threat detection and management.
Together, CIA triad integrity principles and DIE model immutability create a holistic monitoring method that manages the entire system. As more and more bad actors target data integrity over outright theft, it’s vital to have a strategy customized for these specific threats. Combining traditional data management with immutable, decentralized logging provides protection and control even in a fast-paced, dynamic environment.