December 7, 2018 By Sue Poremba 4 min read

Most security systems today are built with data confidentiality in mind. This is a crucial exercise, but confidentiality only makes up for one dimension of data privacy. As security expert Bruce Schneier told the audience at SpiceWorld 2018, the time has come to reconsider our understanding of data privacy and how we strategize for it.

Because of the ways data is used today, we need to distribute more of that focus onto protecting the integrity and availability of data.

Learn the CIA Triad

More security professionals have begun to follow the CIA triad: confidentiality, integrity and availability. Together, these represent the most important aspects of data security.

Confidentiality — the current emphasis of data privacy — is about regulating the amount of access individuals and third-party organizations have to personal data as defined by thoroughly structured classification guidelines, according to Infosec Institute.

Integrity, meanwhile, “makes sure that the information is not tampered whenever it travels from source to destination or even stored at rest,” while the “availability concept is to make sure that the services of an organization are available.”

Examples of availability threats are denial-of-service (DoS) attacks and ransomware, both of which prevent users from accessing files or websites. An example of an integrity attack is a threat actor accessing an account to manipulate information, such as changing the numbers in a bank account — even if nothing is stolen, the information is no longer accurate.

Because the Internet of Things (IoT) now connects humans and machines in ways never seen before, integrity and availability threats are much worse than confidentiality threats, Schneier told the SpiceWorld attendees.

“The effects are greater because they affect life and property,” he said. “I’m concerned that someone could go in and steal my hospital records, but I’m more concerned that they don’t change my blood type.”

Shift the Way You Think of Data Privacy

The biggest security incidents of the past few years have revolved around data confidentiality issues. Cybercriminals have been able to steal credit card information, names, birth dates, Social Security numbers and even biometric data such as fingerprints that are part of a government worker’s security clearance files.

It’s no wonder in our present milieu that consumers are upset when their data confidentiality is compromised. Privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are primarily designed to keep information confidential while giving control of that information to its rightful owner: the consumer.

However, GDPR also requires companies to make data readily available to consumers if there is a security incident. Schneier pointed out that data privacy has moved beyond consumer data, the information that surrounds an individual’s identity. We now have to consider the data generated by cars, home thermostats, drones, smart cities, medical devices, critical infrastructure and military systems — anything that is connected and generates data.

“We are starting to see DDoS attacks against critical systems,” Schneier said. “We are starting to see ransomware attacks on cars.”

We have to recognize the practical implications of attacks that target each element of the CIA triad. There is a fundamental difference between a spreadsheet crash leading to a loss of patient data and an IoT-connected pacemaker crash leading to a loss of life, so prioritize your security strategies accordingly. When integrity and availability of the data is given greater emphasis, we can design security systems to address potential vulnerabilities and attack vectors.

Protect Data Integrity With Backups and Audits

Addressing data integrity will involve aspects of data confidentiality, because files that are difficult to access are even more difficult to manipulate. A critical aspect of data integrity is ensuring that the information is accurate and unchanged. Backup systems are vital to protect data integrity as a way to check what is currently on file with what was on file before a suspected cybersecurity incident.

Regular audits of data managed by your organization will also provide a snapshot of what the files should look like over time. Is the information changing when it should be constant? Have the ebbs and flows been regular, or have they taken an unusual turn?

The better you know your data, the better you can ensure its integrity. Also, the fewer people touching the data, the better. Too many employees accessing or editing the data increases the chances of someone making an error that goes undetected until it is too late.

Data Availability Can Be the Difference Between Life and Death

Data availability ensures that relevant information is quickly accessible after a breach. Again, this is bolstered by having a solid backup or data loss recovery system in place.

Think about situations where availability could be an issue in your organization. Is there potential for a ransomware attack? A distributed denial-of-service (DDoS) attack? Infrastructure that is old and unprepared for a natural disaster or breach attempt?

Having a secondary source can protect against data availability risks. A data center in a different part of the country or world, cloud services that can restore a website’s accessibility in minutes, and tools and awareness training to lower the risk of ransomware attacks are all ways to decrease potential data loss and downtime.

Due to the increasing connectedness of the cyber world, confidentiality can no longer be handled as the sole aspect of data privacy. Improving the confidentiality, integrity and availability of data is critical not only for privacy issues, but as the potential difference between life and death.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today