However, this concept is usually familiar only to those who spend a great deal of their day working strictly with IT security. For the small IT department, the jargon associated with any subset of the industry may not be a part of everyday speech.
CIA, for those unfamiliar with the acronym, stands for:
Confidentiality – preventing the disclosure of private information to unauthorized people or computers.
Integrity – making sure that information is accurate and has not been modified in any way.
Availability – making sure that people have access when they need it.
Do these concepts apply to email security?
When it comes to data and trade secrets, the CIA triad is blatantly relevant. However, it is often not at the forefront of an email security plan. People often think of email security in an entirely different light. But when you think about it, email is really nothing more than data that needs to be protected in every way mentioned above. Not sure? Consider the following:
An email sent to specific executives contains the strategy for a new product line that will move your company ahead of your competitors. This instance is a great example of why maintaining the confidentiality of your email systems is important. Everything from the end user to the mail server, and all the data transport media in between, needs to be secured in order to protect against threats designed to steal data and information through email.
An example involving the integrity of your email messages can also highlight the need to understand these security attributes. Take, for instance, a situation where your organization is required to produce email records under subpoena. An inside, or outside, threat may be able to alter the dates, times or even content of specific emails for any number of reasons. Should this be revealed, it would certainly hurt your organization’s chances to prevail in court; it would also do serious damage to your organization’s reputation when the media finds out about the lax security.
Finally, we come to availability. When speaking of network security, we often address availability as the one facet of security meant as a check and balance. We want systems to be secure, but at the same time we want people to be able to access what they need to get their job done. We want resources to be available.
Making things available is a two-pronged approach. We need to first ensure that our systems, including our email systems, are protected against outside threats that can take them offline, such as a denial of service attack or a malware outbreak that renders our mail servers or clients inoperable. However, in addition to outside threats, we need to make sure that the security we have in place does not prevent our users from accessing the tools and resources they need for their daily jobs. The recent turmoil involving Howard Jordan, chief of police in Oakland, CA, is a prime example of what can happen if your security is so tight that you can’t access emails. In his case, he filtered emails related to the Occupy movement. Emails related to a court case he was involved with, where an Occupy protestor was injured, went unanswered, putting him at risk of losing his job as a result.
Like any security solution, email security needs to have a plan in place, and that plan should have the goal of making sure that everything associated with your organization’s email system protects its confidentiality and integrity and ensures that it is always available.
Using the CIA triad as the foundation of your email security solution isn’t comparing apples to oranges or using something completely unrelated as a basis; applying these principles simply makes good sense.