The CIA Triad and Life Science Manufacturing
Posted on January 8, 2016 by
Matt O’ Luasaigh, Systems Analyst
What is the CIA triad? And what does it mean for Life Science Manufacturing?
CIA is an acronym for the following:
- Confidentiality – Confidentiality of the information at hand
- Integrity – Integrity of the information at hand
- Availability – Availability of the information at hand
Almost all security measures are designed to protect one or more aspects of the CIA triad.
What is confidentiality? When describing confidentiality, we describe protecting the information from disclosure to unauthorized parties.
Information has lots of value to the right person, especially in today’s world. Within the life science industry manufacturing ingredients, sales performance, employee details and clinical trial results is all confidential information. All companies have information they wish to keep a secret. Protecting this information is a major part of information security. The disclosure of such information can keep Information Security experts awake at night.
A major fight to keeping information confidential is encryption. Encryption ensures that only the right employees (employees who know or have the key) can access/read the information. Encryption is widespread in today’s world when communicating with one another over the internet. An easy example that most people will have heard is SSL(Secure Sockets Layer)/TLS (Transport Layer Security), this is a security protocol for communications over the internet i.e. an application that is hosted by an external company but is accessed by another computer over the internet e.g. Internet Banking. Other ways to ensure information remains confidential is to enforce file permissions and access control list to restrict access to sensitive information. However, designing file permissions and access control lists should be kept as simple as possible for ease of maintenance. The more complicated the folder layers the more complicated the file permissions become if each folder layer requires a different set of permissions. This can lead to breaches in confidentiality due misunderstandings when assigning folder file permissions. Maintaining a group list as opposed to assigning individuals to a folder lowers to level of maintenance required and ensure all users within that group have the same level of access.
When implementing a Custom off the Shelf application or designing a new in house application within the Life Science industry encrypting the information as it flows from one point to next point is a necessity rather than a nice feature to prevent the information from falling into the wrong hands. However, we also remember to encrypt the information that resides on file shares so that only employees with the appropriate access can access the information.
What is Integrity? Integrity refers to protecting information so that it cannot be modified by unauthorized personnel. Information is only as valuable as it is accurate. Information that has been tampered with could prove costly. For example, if retrieving the ingredients used on a particular batch, and the information has been tampered to alter the amount of ingredient used to produce the product; this will prove very costly for the company resulting in public recalls of the product and a PR disaster for the company.
Similar to data confidentiality, encryption plays a very major role in maintaining data integrity. Whether sending data to another employee within a company, externally to a third party supplier or generating an automated system report containing sensitive information all data should be encrypted to prevent the “man in the middle” from accessing sensitive company information and altering records or utilising the data for financial gain.
For data that is stored on file shares enabling encryption can prevent the data from being altered by malicious intent or being accessed by individuals who do not have access.
When accessing data integrity for within the Life Science industry and designing security needs it is necessary to ensure the level of encryption is sufficient to protect the integrity of the data, the more sensitive the data the higher the level of encryption that needs to be enabled.
What is Availability? Availability of information is best described as ensuring that authorized employees are able to access the information they need when needed.
Information is only valuable to the right people who can access the information. Denying access to information is a very common attack today. Almost every month we hear in the news about another high profile company website being taken down by DoS (Denial of Service) attacks. The primary reason of a DoS attack is to deny users of that website access to the resources of the website e.g. denying users access to their Bank Account details. This downtime can be very costly for a company. Other factors that could lead to lack of availability to important information are accidents such as power outages or natural disasters such as floods.
To ensure data availability having a recent Backup is necessary to restoring access to the information required. Regularly completing off-site backups can limit the damage caused by damage to hard drives. For information services this is highly critical, redundancy might be more appropriate, however this can be very expensive. Having an off-site location ready to restore services in case anything happens to your primary data centres will dramatically reduce the downtime. However, companies will need to compares the expenses to the overall cost a downtime would incur.
When determining the level of availably it is important to factor how often the information is accessed when accessing solutions such as backup technologies or redundancy as unnecessary costs can be incurred but more often than not to ensure the correct solution to maintain information availability has been implemented.
The CIA triad is a very fundamental concept of security. Often, ensuring that the three points of the CIA triad is protected is an important first step in designing a secure system and is one of the first models whose requirements should be meet when designing information security requirements. However, some arguments state that this does not go far enough in protecting data but discussing other models is a blog for another day.